Cyber Defense Strategies and Responsibilities for Industry Call for Papers Now Open

The Northern Kentucky Law Review and Salmon P. Chase College of Law seek submissions for the third annual Law + Informatics Symposium on February 27-28, 2014.

2014 Law + Informatics Symposium on

Cyber Defense Strategies and Responsibilities for Industry

The focus of the conference is to provide an interdisciplinary review of issues involving business and industry responses to cyber threats from foreign governments, terrorists, and corporate espionage. The symposium will emphasize the role of the NIST Cybersecurity Framework and industries providing critical infrastructure.

The symposium is an opportunity for academics, practitioners, consultants, and students to exchange ideas and explore emerging issues in cybersecurity and informatics law as it applies to corporate strategies and the obligations of business leaders. Interdisciplinary presentations are encouraged. Authors and presenters are invited to submit proposals on topics relating to the theme, such as the following:

Cyber Warfare

  • Rules of Engagement
  • Offensive and defensive approaches
  • Responses to state actors
  • Engagement of non-state actors
  • Distinguishing corporate espionage from national defense
  • Proportionality and critical infrastructure
  • Cyber diplomacy
  • Cold War footing and concerns of human rights implications

Front Lines for Industry

  • Role of regulators such as FERC
  • Legacy systems and modern threats
  • NIST guidelines
  • NIST Cybersecurity Framework
  • Engaging Dept. of Homeland Security
  • Implications for various industries (electric power, telecommunications and transportation systems, chemical facilities)
  • Health and safety issues

Global Perspectives

  • Concepts of cyber engagement in Europe
  • Perception of Internet and social media as threat to national sovereignty
  • Rules of engagement outside U.S. and NATO
  • Implications for privacy and human rights
  • Stuxnet, Duqu, Gauss, Mahdi, Flame, Wiper, and Shamoon
  • Cyber engagement in lieu of kinetic attacks or as a component of kinetic engagement

Corporate Governance

  • Confidentiality and disclosure obligations
  • Responsibilities of the board of directors
  • Staffing, structures and responses
  • Data protection & obligations regarding data breaches
  • Corporate duty to stop phishing and other attacks for non-critical industries
  • Investment and threat assessment
  • Litigation and third party liability

Other Issues

  • Executive orders and legislative process
  • Lawyer responsibility in the face of potential threats
  • Practical implications of government notices
  • Perspective on the true nature of the threat

Submissions & Important Dates: 

  • Please submit materials to Nkylrsymposium@nku.edu
  • Submission Deadline for Abstracts: September 1, 2013
  • Submission Deadline for First Draft of Manuscripts: January 1, 2014
  • Submission Deadline for Completed Articles: February 1, 2014
  • Symposium Date: February 27-28, 2014

Law Review Published Article:  The Northern Kentucky Law Review will review, edit and publish papers from the symposium in the 2014 spring symposium issue.  Papers are invited from scholars and practitioners across all disciplines related to the program. Please submit a title and abstract (of 500-100 words) or draft paper for works in progress. Abstracts or drafts should be submitted by September 1, 2013. Submissions may be accepted on a rolling basis after that time until all speaking positions are filled.

Presentations (without publication) based on Abstracts:  For speakers interested in presenting without submitting a publishable article, please submit an abstract of the proposed presentation. Abstracts should be submitted by September 1, 2013. Submissions may be accepted on a rolling basis after that time until all speaking positions are filled.

Publication of Corporate Handbook on Cyber Defense: The Law + Informatics Institute may edit and publish a handbook for corporate counsel related to the topics addressed at the symposium. Scholars and practitioners interested in authoring book chapters are invited to submit their interest by September 1, 2013 which may be in addition to (or as an adaptation of) a submitted abstract for The Northern Kentucky Law Review. Submissions may be accepted on a rolling basis after that time until all chapter topics are filled.

About the Law and Informatics Institute:  The Law + Informatics Institute at Chase College of Law provides a critical interdisciplinary approach to the study, research, scholarship, and practical application of informatics, focusing on the regulation and utilization of information – including its creation, acquisition, aggregation, security, manipulation and exploitation – in the fields of intellectual property law, privacy law, evidence (regulating government and the police), business law, and international law.

Through courses, symposia, publications and workshops, the Law + Informatics Institute encourages thoughtful public discourse on the regulation and use of information systems, business innovation, and the development of best business practices regarding the exploitation and effectiveness of the information and data systems in business, health care, media, and entertainment, and the public sector.

For More Information Please Contact:

  • Professor Jon M. Garon, symposium faculty sponsor and book editor: garonj1@nku.edu or 859.572.5815
  • Lindsey Jaeger, executive director: JaegerL1@nku.edu or 859.572.7853
  • Aaren Meehan, symposium editor, meehana2@mymail.nku.edu or 859-912-1551

Beyond Google’s Looking Glass – The Internet of Things is Already Here

Perhaps triggered by the New York Times coverage of Google Glass, the FTC announced both a call for submissions and a workshop on the Internet of Things and its implications for privacy, fair trade practice, and the security of both data and people. The FTC announcement highlights both the benefits and risks of device connectivity.

Connected devices can communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, healthcare providers, or even other consumers, who can measure how their product usage compares with that of their neighbors. The devices can provide important benefits to consumers: they can handle tasks on a consumer’s behalf, improve efficiency, and enable consumers to control elements of their home or work environment from a distance. At the same time, the data collection and sharing that smart devices and greater connectivity enable pose privacy and security risks.

The issue is not new. The ITU released a 2005 study discussing the implications of the Internet of Things. The ITU described a near, technological future in which “industrial products and everyday objects will take on smart characteristics and capabilities. … Such developments will turn the merely static objects of today into newly dynamic things, embedding intelligence in our environment, and stimulating the creation of innovative products and entirely new services.”

I have previously described some of these concerns in an article, Mortgaging the Meme.[1]

In each of these situations, an automated and consumer-defined relationship will replace the pre-existing activities. In many situations, this will create efficiency and convenience for the consumer, but it will also reduce the opportunities for human interaction and subtly rewrite the engagement between customer and company. Those that understand this change will adjust their technologies to improve the service and increase the customer’s reliance on their systems. Companies that do not understand how this engagement will occur risk alienating customers and losing markets quickly.

Beyond consumer interactions, other uses may arise. Ethical and privacy concerns regarding misuse tend to focus on government, business and organized crime. These include unwarranted surveillance, profiling, behavioral advertising and target pricing campaigns. As a result, as companies increasingly rely on these tools, they also bear a responsibility to do so in a socially positive manner that increases the public’s estimation of the company.

The FTC’s call for submissions and its workshop are overdue. Reading the New York Times quote regarding app developers, there is a sense that, unlike technology giants such as Microsoft and Google, the developers are thinking more about the technology’s potential than about its potential impact. One such example from the Times: “‘You don’t carry your laptop in the bathroom, but with Glass, you’re wearing it,’ said Chad Sahlhoff, a freelance software developer in San Francisco. ‘That’s a funny issue we haven’t dealt with as software developers.’”

Many fields will benefit from increased device connectivity. Just a few:

  • Public transportation systems designed around real-time usage and traffic patterns.
  • Prescription monitoring to help patients take the right medications at the correct time.
  • Fresher, healthier produce.
  • Protection of pets and children.
  • Social connectivity, with photo-tagging and group-meeting moving into the real world.
  • Interactive games played on a real-world landscape.

There are also law enforcement uses that must be carefully considered. After the Boston Marathon attack, for example, calls for public surveillance will undoubtedly increase, including calls for adding seismic devices and real-time echo-location. Gunshots, explosions, and even loud arguments could become self-reporting.

Common household products sometimes become deadly in large quantities. RFID technology could be used to monitor the quantity and concentration of potentially lethal materials and provide that data to the authorities.

The consumer use, public use, and law enforcement use must be thoughtfully reviewed to balance the benefits of the technology with the intrusions into privacy and the legacy of retrievable information that such technology creates.

FTC staff will accept submissions through June 1, 2013, electronically through iot@ftc.gov or in written form. The workshop will be held on November 21st. These are the questions posed by the FTC thus far:

  • What are the significant developments in services and products that make use of this connectivity (including prevalence and predictions)?
  • What are the various technologies that enable this connectivity (e.g., RFID, barcodes, wired and wireless connections)?
  • What types of companies make up the smart ecosystem?
  • What are the current and future uses of smart technology?
  • How can consumers benefit from the technology?
  • What are the unique privacy and security concerns associated with smart technology and its data?  For example, how can companies implement security patching for smart devices?  What steps can be taken to prevent smart devices from becoming targets of or vectors for malware or adware?
  • How should privacy risks be weighed against potential societal benefits, such as the ability to generate better data to improve healthcare decision making or to promote energy efficiency?
  • Can and should de-identified data from smart devices be used for these purposes, and if so, under what circumstances?

While the FTC has asked some good questions, they are only the beginning. Please submit your thoughts and join the FTC conversation.


[1] Jon M. Garon, Mortgaging the Meme: Financing and Managing Disruptive Innovation, 10 NW. J. TECH. & INTELL. PROP. 441 (2012).

State of the Cyber Union: Policy Directive + Executive Order = Expansive Regulatory Efforts

In President Obama’s 2013 State of the Union Address, the president announced a long-expected Executive Order as well as a Presidential Policy Directive focusing on the need for better cybersecurity coordination and defense. This comes on the heels of a classified National Intelligence Estimate, reported first by The Washington Post, which “identifies China as the country most aggressively seeking to penetrate the computer systems of American businesses and institutions to gain access to data that could be used for economic gain.” The report ties directly into the focus of the Executive Order, emphasizing the risk both to critical infrastructure and to industry.

At the heart of the Executive Order are voluntary efforts on the part of industry and the role of the Federal Government in increasing coordination. “The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.” NIST is directed to publish a preliminary Cybersecurity Framework within 240 days. Incentives will be developed to encourage voluntary adoption. As these standards gain adoption, they will set a new reasonableness standard, pulling the more reluctant companies along because of the risk of negligence liability and loss.

But the real action of the Executive Order is Section 10 which provides that each regulatory agency must report if the agency has the regulatory scope to implement the Cybersecurity Framework. If it does, presumably it will use those regulatory powers to transform the voluntary program into a regulatory one; if it does not, the agency will be expected to engage in the necessary rulemaking to do so.

The Executive Order defines critical infrastructure very broadly to mean “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The Policy Directive provides specific guidance to the Department of Homeland Security and to the other federal agencies tasked with enforcing protections of critical infrastructure and regulatory compliance.

Neither order is overwhelming on its face, but the message is clear. The Federal Government will take an aggressive approach to cybersecurity and will use the broader regulatory authority at its disposal to do so. Though it has been invited to pass legislation, Congress does not need to act because every industry sector has some regulatory oversight and cybersecurity will soon be layered on top of the existing regulations. An excerpt from the Policy Directive highlights the expansionist approach:

Additional roles and responsibilities for the Secretary of Homeland Security include:

  1. Identify and prioritize critical infrastructure, considering physical and cyber threats, vulnerabilities, and consequences, in coordination with SSAs and other Federal departments and agencies;

  2. Maintain national critical infrastructure centers that shall provide a situational awareness capability that includes integrated, actionable information about emerging trends, imminent threats, and the status of incidents that may impact critical infrastructure;

  3. In coordination with SSAs and other Federal departments and agencies, provide analysis, expertise, and other technical assistance to critical infrastructure owners and operators and facilitate access to and exchange of information and intelligence necessary to strengthen the security and resilience of critical infrastructure;

  4. Conduct comprehensive assessments of the vulnerabilities of the Nation’s critical infrastructure in coordination with the SSAs and in collaboration with SLTT entities and critical infrastructure owners and operators;

  5. Coordinate Federal Government responses to significant cyber or physical incidents affecting critical infrastructure consistent with statutory authorities;

  6. Support the Attorney General and law enforcement agencies with their responsibilities to investigate and prosecute threats to and attacks against critical infrastructure;

  7. Coordinate with and utilize the expertise of SSAs and other appropriate Federal departments and agencies to map geospatially, image, analyze, and sort critical infrastructure by employing commercial satellite and airborne systems, as well as existing capabilities within other departments and agencies; and

  8. Report annually on the status of national critical infrastructure efforts as required by statute.

When combined with the additional power of regulation across the spectrum of energy, finance, communications, health, agriculture, information technology and other sectors, the reach is broad enough to rewrite the regulatory landscape much as the USA Patriot Act did in the wake of 9/11.

Privacy may well be another of the casualties of this war. The Executive Order adds that “[a]gencies shall consider the assessments and recommendations of the report in implementing privacy and civil liberties protections for agency activities,” but asks for little more than an annual report. In contrast, corporate reporting is singled out. “Information submitted voluntarily in accordance with 6 U.S.C. 133 by private entities under this order shall be protected from disclosure to the fullest extent permitted by law.” This has been the case with the Patriot Act and the President’s policies give little comfort.

Confidentiality, rather than privacy, is part of the new regime. Paul Rosenzweig, writing on the Lawfare blog from Brookings, highlights the importance of the short list: a subset of critical infrastructure organizations within each identified industry which make up the heart of that industry and will be singled out for heightened cybersecurity engagement.

Confidential Identification – The EO has one true innovation in it – a confidential naming program that will identify the critical cyber infrastructure “where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”  This is a subset, of course, of the earlier broader definition.

Being an identified company may bring greater security obligations, improved resources, or no change at all. Only time will tell. The impact will vary tremendously depending on the existing preparedness of each company.

The National Intelligence Estimate on cybersecurity risk makes clear that the threat must be addressed.

The report, which represents the consensus view of the U.S. intelligence community, describes a wide range of sectors that have been the focus of hacking over the past five years, including energy, finance, information technology, aerospace and automotives, according to the individuals familiar with the report, who spoke on the condition of anonymity about the classified document.

– The Washington Post

The only question is the cost of the response. China, Russia, Iran, Israel, North Korea and other countries are known for releasing global cyber-attacks, some focused on military and political targets, while others amount to corporate espionage. Moreover, as I mentioned in an earlier post, the intruders use directed attacks on employees and independent contractors who open links, photos or already infected USB devices. Once inside the firewall, these tools install malicious code that harvests passwords, opens files and sends the collected information back to the intruder. Some of these attacks are directed at U.S. infrastructure, others at economic targets, while many others affect U.S. interests only as collateral damage from regional conflicts which do not involve U.S. participants.

Nonetheless, the risks are increasing. After the President’s speech one thing is clear. Using the State of the Union as the basis for the announcement of the Cybersecurity Executive Order and Policy Directive has placed this topic near the top of the national agenda.

Photo: President Barack Obama delivers the State of the Union address in the House Chamber at the U.S. Capitol in Washington, D.C., Feb. 12, 2013. (Official White House Photo by Chuck Kennedy)

New York Times disclosure of cyber-attacks should pave way for greater corporate engagement and a critical infrastructure executive order

Photo: Seal of the White House Office of Homeland Security, which was formed by executive order on October 8, 2001 (http://www.whitehouse.gov/news/releases/2001/10/20011008-2.html) and later grew into the United States Department of Homeland Security. (Photo credit: Wikipedia)

With the lead story in the New York Times focused on its own failure to defend from Chinese political computer hacking, there is a renewed concern regarding the vulnerability of domestic computer systems, particularly those that are part of the critical national infrastructure. Homeland Security describes critical infrastructure as “the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, public health or safety, or any combination thereof.”

While the Communications Sector is one of the 18 Sectors identified as part of the critical infrastructure, the focus is on the telecommunications network rather than the content itself. Nonetheless, the continuing attack which lasted over four months raises serious questions regarding the ability of organizations to effectively defend themselves against a serious professional attack.

Among the facts that stood out was the failure of commercial antivirus software. According to the Times, “[o]ver the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.”

The nature of the exposure has also changed. Instead of attacks targeted at the firewall, the campaign is now conducted through phishing: bogus links or attachments in innocuous emails that an employee opens from inside the network, bypassing the firewall and allowing the installation of “remote access tools,” or RATs.

Those tools can siphon off oceans of data — passwords, keystrokes, screen images, documents and, in some cases, recordings from computers’ microphones and Web cameras — and send the information back to the attackers’ Web servers.

Michael Higgins, chief security officer at The Times, said: “Attackers no longer go after our firewall. They go after individuals. They send a malicious piece of code to your e-mail account and you’re opening it and letting them in.”
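The intrusion pattern described here (and in the earlier post on the National Intelligence Estimate, where the harvested passwords and files are “sent back to the intruder”) has one property a defender can use: a RAT that was let in by email still has to call out, and implants usually do so on a fixed schedule. The block below is an added example, not code from the original post, from the Times or from Mandiant. It runs a simple beaconing check over a few constructed web-proxy log lines; the log format, the host names (RFC 2606 example domains) and the thresholds are all assumptions for the example.

```python
"""Beacon (call-back) detection over web-proxy logs.

Added example; not code from the original post. The log format
(timestamp, client IP, method, URL), the sample hosts and the
thresholds are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample log: workstation 10.1.2.3 calls one host every
# five minutes (a RAT check-in), mixed with irregular browsing from the
# same and another workstation. Timestamps are UTC.
SAMPLE_LOG = """\
2013-01-30T09:00:02Z 10.1.2.3 GET http://cdn-updates.example.net/ping
2013-01-30T09:00:31Z 10.1.2.3 GET http://news.example.org/index.html
2013-01-30T09:05:01Z 10.1.2.3 GET http://cdn-updates.example.net/ping
2013-01-30T09:07:48Z 10.1.2.3 GET http://news.example.org/story/1
2013-01-30T09:10:03Z 10.1.2.3 GET http://cdn-updates.example.net/ping
2013-01-30T09:11:12Z 10.1.2.7 GET http://news.example.org/index.html
2013-01-30T09:15:00Z 10.1.2.3 GET http://cdn-updates.example.net/ping
2013-01-30T09:19:40Z 10.1.2.3 GET http://news.example.org/story/2
2013-01-30T09:20:02Z 10.1.2.3 GET http://cdn-updates.example.net/ping
2013-01-30T09:25:01Z 10.1.2.3 GET http://cdn-updates.example.net/ping
2013-01-30T09:33:15Z 10.1.2.7 GET http://news.example.org/story/3
2013-01-30T09:52:09Z 10.1.2.3 GET http://news.example.org/story/4
"""


def parse_log(text):
    """Yield (timestamp, client, host) for each well-formed line.

    Malformed lines are skipped rather than raising, since a detector
    that dies on one odd log line is a detector an attacker can disable.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, _method, url = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        host = urlsplit(url).hostname
        if host:
            yield when, client, host


def find_beacons(text, min_hits=5, max_jitter=0.2):
    """Return {(client, host): period_seconds} for near-periodic call-backs.

    A (client, host) pair is flagged when it has at least `min_hits`
    requests and the standard deviation of the gaps between them is no
    more than `max_jitter` times the mean gap. Both thresholds are
    assumptions for this example; a real deployment tunes them and
    suppresses known legitimate pollers (OS and antivirus updaters).
    """
    seen = defaultdict(list)
    for when, client, host in parse_log(text):
        seen[(client, host)].append(when)

    beacons = {}
    for pair, times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            beacons[pair] = round(avg)
    return beacons


if __name__ == "__main__":
    for (client, host), period in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: call-back every ~{period}s")
```

Against the constructed sample the only flagged pair is 10.1.2.3 talking to cdn-updates.example.net every ~300 seconds; the browsing to news.example.org is both too infrequent and too irregular to trip the check. The point is the one the Times' experience makes: signature antivirus missed 44 of 45 custom tools, but periodic outbound traffic is a behaviour, not a signature, and custom malware still has to exhibit it.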

To meet this threat, the Department of Homeland Security established the Office of Infrastructure Protection in 2002. It has its hands full.

This is a complex mission. Critical infrastructure ranges from the nation’s electric power, food and drinking water to its national monuments, telecommunications and transportation systems, chemical facilities, and much more. The vast majority of critical infrastructure in the United States is privately owned and operated; thus, public-private partnerships are essential to protect and boost the resilience of critical infrastructure and respond to events.

The attacks are real. The Washington Post has reported on overseas attacks that target utilities, including one which gained control of a Texas water utility.

Uncounted numbers of industrial control computers, the systems that automate such things as water plants and power grids, were linked in, and in some cases they were wide open to exploitation by even moderately talented hackers. … From October to April, the DHS received 120 incident reports, about the same as for all of 2011. But no one knows how often breaches have occurred or how serious they have been. Companies are under no obligation to report such intrusions to authorities.

Congress flirted with new legislation to update the obligation of companies in the 18 sectors which provide our critical infrastructure but it was ultimately unable to agree on legislative action. In its place, President Obama is expected to issue an executive order which will highlight the obligation to respond to a notice of imminent threat or to update the capacity to respond to a cyber-attack by any organization within one of the sectors which receives a governmental notice.  A possible draft of the order is available here.

While business is reluctant to embrace these new obligations, the acknowledgment by the New York Times of the vulnerability companies face should change the dialogue about the executive order and the need to plan for cyber-defense rather than complain about its costs. After all, the cost of inaction will be much, much higher.

ITU Treaty rejected by US and Western nations but ratified by majority

Earlier this month, the U.S. and many Western nations rejected proposed treaty revisions adopted at the World Conference on International Telecommunications (WCIT), organized by the International Telecommunication Union of the United Nations. The White House issued a statement on Dec. 21st explaining that it rejected the proposed treaty amendments because ITU regulation of Internet governance would lead to greater governmental regulation of access to the Internet and of the content available online. As the statement explained, “the Internet’s social and economic benefits come from the free flow of information and ideas and that the technical innovation enabling this information flow comes from the full engagement of civil society, industry, and governments in the process.”

At the same time, however, it is important to recognize that the treaty was adopted: 89 states signed onto the revised treaty, signaling a strong split among nations regarding the nature of Internet governance. Mohamed al-Ghanim, chairman of the WCIT, commented, “I hope that the 55 states that said [they] do not want to sign the treaty, or need to hold consultations, [will] think again.” Al-Ghanim is the chief of the UAE’s Telecommunications Regulatory Authority. The treaty is not binding on the non-signatory countries.

The tension over the ITU treaty amendments, which had been focused on expanding broadband to greater parts of the globe, highlights the growing tension over the role of Internet access as part of human rights protections. Countries such as Russia and China see control over Internet content within their borders as a fundamental issue of sovereignty, while the U.S., E.U. and other government coalitions view access to Internet content as a fundamental human right. In July of this year, for example, the U.N. Human Rights Council passed a resolution that “affirms that the same rights that people have offline must also be protected online, in particular freedom of expression, which is applicable regardless of frontiers and through any media of one’s choice.”

The ITU vote suggests a growing Cyber Cold War in which historical East/West divisions are reemerging behind firewalls rather than the physical walls of the twentieth century. As in the past, the various U.N. bodies and commissions are split in their allegiances and ineffectual in their pronouncements.

While cyber-attacks against governmental computers have become a constant occurrence in almost every country, the ITU vote signals a more explicit acknowledgement of the regulatory rift among nations. For governments seeking to manage the information available to their citizens or to control publication by their citizens, the open nature and growing penetration of the Internet represent a fundamental challenge to governmental control. The ITU vote reflects this tension and provides a roll call of the nations seeking greater transparency and those seeking greater control. Transparency is behind in the vote – 55 to 89.

One Internet or Many – Questions on Censorship Grow

When a hateful fourteen-minute video was created intentionally to depict the prophet Mohammad in a manner designed to offend, the awareness of this trivial effort sparked worldwide protests against the United States and Western governments. It was used as a rationale for attacks against NATO forces in Afghanistan and was manipulated to put U.S. ambassador Chris Stevens in a vulnerable position where he was attacked and killed.

Is the response to stop offensive speech on the Internet?

Internet censorship is hardly new. China has laws designed to promote harmony and prosecutes cases to limit the risk of internal rebellion – whether aimed at the government or at ethnic minorities. Germany prohibits Nazi propaganda. Most Islamic states bar publications that insult the prophet Mohammad. The response to the recent video echoes the 2005 controversy over a dozen editorial cartoons with depictions considered offensive. First Amendment scholar Eugene Volokh has noted that some U.S. analysts suggest a growing international norm in favor of censorship.

The same week, the British royal family brought suit for invasion of privacy over nude photographs of Kate Middleton, citing French censorship laws. This could be another example of this international norm.

From the U.S. perspective, with our strong values in Free Speech, the debate seems odd. But the U.S. is actually the odd man out.

  • The U.S. is one of the few nations that bars prior restraint. In most of the world, the government can suppress offensive speech.
  • The U.S. has no laws to punish offensive speech, unless that speech falls into a very narrow set of exceptions (child pornography, obscenity, and invasion of privacy or defamation – only after the plaintiff wins in court, etc.).
  • The U.S. has no anti-blasphemy laws or any official state-sponsored religion.

While these points seem obvious to Americans, they are unheard of in much of the world. As a result, the Administration’s strong denunciation of offensive content seems intentionally weak to someone who believes that content is only published with a government’s prior approval or at least with the ability to arrest those who blaspheme, offend, or violate the State’s position.

This comes at a time when the Internet itself is under redesign. Changes to Internet governance have allowed the Internet to better recognize Arabic, Cyrillic and Simplified Chinese in the domain names of websites. New top-level domains will complement .com, .org, and other long-recognized domains. These efforts were intended by ICANN, NGOs and international treaty organizations to further democratize the Internet but instead could be utilized as tools to segment the Internet, increase censorship, and cut down on public discourse – in the name of harmony and peace.

Pressures to legitimize government censorship in order to save lives and promote order may create opportunities for greater government censorship than ever before. The U.S., Western Governments and NGOs committed to the rule of law and expansion of individual freedoms must undertake a global effort to educate the public on the values of free speech and the role of tolerance regarding the speech of others.

Despite suggestions that the time to censor has arrived, the real obligation is to teach that the cost of democracy is tolerance and civil liberties. Democracy without tolerance is mob rule; revolutions without civil liberties are little more than window dressing. The lessons from the Arab Spring must continue to be learned in the form of greater understanding and respect for civil discourse which lies at the heart of any civil democracy.

NKU Chase Law + Informatics Institute

2013 Informatics Symposium announced – focusing on informatics in labor and employment issues.

NKU Chase Law + Informatics Institute2013 Law + Informatics Symposium on Labor and Employment Issues The annual NKU Chase Law + Informatics Symposium will be held this academic year on February, 15, 2013 focusing on issues in labor and employment related to informatics, including such topics as candidate screening practices, employee privacy, data security and appropriate policies, gamification in training, and social media use. The program will include a day-long seminar and reception. Presentations delivered at the conference will be published by the Northern Kentucky Law Review. More information is provided below in the conference call for papers. A PDF of the Call for Papers is available.

Call for Papers

The Northern Kentucky Law Review and Salmon P. Chase College of Law seek submissions for the Law + Informatics Symposium on February 15, 2013. The focus of the conference is to provide an interdisciplinary review of issues involving privacy, data aggregation, security, communications, social media management and related topics affecting the legal and business practices involving labor and employment law. The symposium is an opportunity for academics, practitioners, consultants, and students to exchange ideas and explore emerging issues in informatics law as it applies to working conditions and employment practices. Interdisciplinary presentations are encouraged. Authors and presenters are invited to submit proposals on topics such as the following:

Privacy

  • Application of the Americans with Disabilities Act
  • Federal/state employment regulations regarding privacy
  • HIPAA, FERPA, COPPA, GLBA & other sector-specific privacy issues
  • EU & global privacy laws & policies
  • Bioinformatics in the workplace
  • Data mining of employee information
  • Social media and political change

Collective Bargaining

  • Use of informatics tools for collective bargaining
  • Collective bargaining positions on internet usage, data aggregation and social media
  • Online dispute resolution
  • Ownership of databases & data
  • Contracting & enforcement of agreements over sharing of data
  • Assessment of significant commercial expansions of informatics practices affecting public expectations & norms

Social Media

  • Employee discipline for internet and social media use
  • NLRB responses to social media
  • Use of social media in employee screening
  • Implications for privacy and discrimination lawsuits

Training and Security

  • Gamification in training
  • Computer security
  • Data protection & obligations regarding data breaches
  • Data reliability, including people’s rights to review & correct collected data
  • Retraining and employee obsolescence

Other Issues

  • Discrimination and access to public and semi-public information
  • Employee ownership of intellectual property and data information
  • Post-termination obligations of employers and employees
  • Employee contracting and end user license agreements
  • Global issues for similarly situated employees in multiple jurisdictions

Submissions & Important Dates:

  • Please submit materials to Nkylrsymposium@nku.edu
  • Submission Deadline for Abstracts: October 1, 2012
  • Submission Deadline for Articles: February 1, 2013
  • Symposium Date: February 15, 2013

Law Review Published Article:  The Northern Kentucky Law Review will review, edit and publish submissions in the 2013 Spring Symposium issue.  Articles, as well as case studies and abstracts of research in progress, will be considered for the symposium program for presentation purposes.  Only complete articles, however, will be published in the law review.  Abstracts for these papers will be due no later than the October 1, 2012 deadline and will be accepted on a rolling basis until that time.

Presentations (without publication) based on Abstracts:  The Northern Kentucky Law Review will review and select presentations for the symposium.  If you are interested in presenting without submitting a publishable article, an abstract of the presentation must be submitted by the October 1, 2012 deadline and will be accepted on a rolling basis until that time.

About the Law and Informatics Institute:  The Law + Informatics Institute at Chase College of Law provides a critical interdisciplinary approach to the study, research, scholarship, and practical application of informatics, focusing on the regulation and utilization of information – including its creation, acquisition, aggregation, security, manipulation and exploitation – in the fields of intellectual property law, privacy law, evidence (regulating government and the police), business law, and international law. Through courses, symposia, publications and workshops, the Law + Informatics Institute encourages thoughtful public discourse on the regulation and use of information systems, business innovation, and the development of best business practices regarding the exploitation and effectiveness of the information and data systems in business, health care, media, and entertainment, and the public sector.

For More Information Please Contact:

  • Professor Jon Garon, Symposium Faculty Sponsor: garonj1@nku.edu or 859.572.5815
  • Lindsey Jaeger, Director of Centers and Institutes Administration: JaegerL1@nku.edu or 859.572.7853
  • Brad Andress, Symposium Editor: andressb1@nku.edu or 812.343.6822

New CRS Reports Highlight Legislation for Cybersecurity

As noted in Eric Fischer, Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions, (June 29, 2012) (CRS Report R42114) (full-text), cybersecurity is a “somewhat fuzzy subject.” Yet it has become the focus of considerable regulatory and legislative attention.

Dr. Fischer, Senior Specialist in Science and Technology, has provided a comprehensive roadmap for CRS that gives some context for the competing legislative approaches to this important but under-reported topic.

As the report notes, “There is as yet no overarching framework legislation in place, but many enacted statutes address various aspects of cybersecurity.” The report reviews proposed changes to 28 separate laws, from the Posse Comitatus Act of 1879 to the Intelligence Reform and Terrorism Prevention Act of 2004. He reports that “more than 50 statutes address various aspects of cybersecurity either directly or indirectly, but there is no overarching framework legislation in place.” The report thus provides an important outline of the disparate efforts to address cybersecurity in Congress.

The report identifies ten broad areas for the legislative proposals:

  • national strategy and the role of government,
  • reform of the Federal Information Security Management Act (FISMA),
  • protection of critical infrastructure (including the electricity grid and the chemical industry),
  • information sharing and cross-sector coordination,
  • breaches resulting in theft or exposure of personal data such as financial information,
  • cybercrime,
  • privacy in the context of electronic commerce,
  • international efforts,
  • research and development, and
  • the cybersecurity workforce.

Not to be outdone, the companion report provides even more specific information regarding recent legislative efforts. Rita Tehan, Cybersecurity: Authoritative Reports and Resources (July 3, 2012) (CRS Report R42507) (full-text) provides a comprehensive overview. Together, the two reports provide a critical roadmap to the present legislative efforts. Tehan’s introduction provides a glimpse at the scale of the activity:

“Cybersecurity is a sprawling topic that includes national, international, government, and private industry dimensions. More than 40 bills and resolutions with provisions related to cybersecurity have been introduced in the first session of the 112th Congress, including several proposing revisions to current laws. In the 111th Congress, the total was more than 60. Several of those bills received committee or floor action, but none have become law. In fact, no comprehensive cybersecurity legislation has been enacted since 2002.”

Fischer notes the importance of these changes. As he notes, “for more than a decade, various experts have expressed increasing concerns about cybersecurity, in light of the growing frequency, impact, and sophistication of attacks on information systems in the United States and abroad. Consensus has also been building that the current legislative framework for cybersecurity might need to be revised.”

Additional coverage can be found by ITWiki, PrivacyLives, and Justice Information Sharing.

Ethics in Informatics – Assessing ABA’s Ethics 20/20 Commission

On May 4, 2012, the NKU Chase Law & Informatics Institute presents an ethics program focusing on the proposed changes to the ABA Model Rules of Professional Responsibility and similar changes to SEC Guidance for disclosure of cybersecurity risk. Dean Dennis Honabach and Professor Jon Garon will lead the conversation.

In 2009, the American Bar Association created the Ethics 20/20 Commission (“Commission”) to “perform a thorough review of the ABA Model Rules of Professional Conduct [(“MRPC”)] and the U.S. system of lawyer regulation in the context of advances in technology and global legal practice developments.”[1] The Commission held hearings and developed draft statements regarding a number of topics, including the effect of technology on a lawyer’s duty of confidentiality and client development.[2] Having completed its review, the Commission will bring several key proposals to the ABA for approval in August 2012:

The ABA Commission on Ethics 20/20 is pleased to release for comment by April 2, 2012, along with a Cover Memo from Co-Chairs Jamie S. Gorelick and Michael Traynor, final revised drafts of Commission Proposals scheduled to go to the ABA House of Delegates in August 2012.  These six revised draft proposals cover the subjects of Technology (Confidentiality), Technology (Client Development), Outsourcing, and Uniformity/Mobility (including Model Rule 5.5 and Practice Pending Admission), Admission by Motion, and Model Rule 1.6 (Duty of Confidentiality).

In addition to the materials provided by the ABA, we have created a Summary Analysis as well as a CLE Powerpoint presentation.

To summarize the program:

The practice of law has largely gone digital in the past decade. Remote access to one’s office, reliance on smart phones to share data, email and social media to communicate with clients, and other emerging technologies to conduct overseas cloud-based outsourcing or operate virtual law offices have transformed the mechanics of practicing law.

The American Bar Association’s Commission on Ethics 20/20 is examining technology’s impact on the legal profession. In proposals recommended for adoption this year, the Commission proposes adoption of a new Rule 1.6(c) which would require that a “lawyer shall make reasonable efforts to prevent the unintended disclosure of, or unauthorized access to, information relating to the representation of a client.” While this duty has existed under the prior rules, the modifications make clear that this affirmative duty extends to data privacy, security and reliability.

These proposals also address issues of screening electronic information accessible to a law firm, to assure that confidential information known by a personally disqualified lawyer remains protected from inappropriate access by other attorneys; an affirmative duty to “keep abreast of changes in the law and its practice, including the benefits and risks associated with technology;” and many others.

Not to be outdone, the Corporate Finance Division of the Securities and Exchange Commission has taken steps of its own to require greater awareness, disclosure and reporting of issues relating to technological knowledge held by a company – including its lawyers. The guidance identifies that “a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.” Lawyers drafting these disclosures – and lawyers dealing with the risk assessment for their clients – as well as regarding their own practices – have an increasingly external standard of care and responsibility to meet the cyber-risks inherent in the modern digital practice of law.

While it is likely that many of the revised Rules of Professional Conduct will be adopted, the changes primarily codify a lawyer’s existing, ongoing duty to remain competent. These materials are intended to assist with that effort by providing an update to the ethical rules and the technologies at the heart of these changes.

The Commission has distributed its recommendations and solicited final comments through April 2, 2012. Final hearings were held April 13-14, 2012 and the Commission will be releasing the final versions of these proposals for approval at the August 2012 ABA Annual Meeting.

CFAA only for hacking – at least in the West

In U.S. v. Nosal __ F.3d __ (2012), the Ninth Circuit made clear that it considers the scope of the Computer Fraud and Abuse Act to be focused specifically on computer hacking rather than more broadly related to violations of corporate policies and terms of service agreements.

The case arose out of a minor bit of corporate espionage – and the hubris and stupidity that often accompanies such activities. David Nosal, a former employee at the executive search firm of Korn/Ferry, “convinced some of his former colleagues who were still working for Korn/Ferry to help him start a competing business.” The Korn/Ferry employees used their access to the system to download confidential information, including source lists, names and contact information, which they emailed to Nosal. They were all caught. The government indicted Nosal on twenty counts, including trade secret theft, mail fraud, conspiracy and violations of the CFAA.

Although Nosal did not himself violate the CFAA, he was charged with aiding and abetting those former colleagues who did. The aiding and abetting count rests on whether the conduct of Nosal’s former colleagues violated the CFAA when they used their authorized access to the confidential database to breach their confidentiality obligations and steal trade secrets.

Writing a clear, rather stinging rebuke of the government’s position, Judge Kozinski explained that this section of the CFAA is limited to computer hacking, not every violation of a use restriction.

The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6).

This language can be read either of two ways: First, as Nosal suggests and the district court held, it could refer to someone who’s authorized to access only certain data or files but accesses unauthorized data or files—what is colloquially known as “hacking.” For example, assume an employee is permitted to access only product information on the company’s computer but accesses customer data: He would “exceed[] authorized access” if he looks at the customer lists.

Second, as the government proposes, the language could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information. For example, an employee may be authorized to access customer lists in order to do his job but not to send them to a competitor.

… The government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. … The government’s construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.

… Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by chatting with friends, playing games, shopping or watching sports highlights. … Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.

There are a number of subsections of the CFAA, and the government takes the position that the broad interpretation of this provision is limited by the need to prove an intent to defraud. In those other sections of the CFAA where intent to defraud is not required, the statute’s scope could, on that view, still be more limited. But the Ninth Circuit points out that the language of the offense is the same, such that giving the same phrase a different scope within the same statute is unworkable.

The Ninth Circuit remains at odds with decisions in other circuits. Eventually either Congress or the Supreme Court will need to reconcile this increasingly important tension in the CFAA. For now, one’s exposure to federal criminal prosecution depends, at least in part, on where one accesses the computer.