NKU Chase Law & Informatics Institute Reception Nov. 4th

NKU Chase College of Law will host a reception to celebrate the launch of the NKU Chase Law & Informatics Institute on Friday, November 4 at 5:30 p.m. Alumni and leading practitioners in informatics fields of law will gather to meet and learn more about the new institute.

The reception will be held in Northern Kentucky University’s newly completed Griffin Hall, home to the NKU College of Informatics. The reception will include guided tours of Griffin Hall, cocktails, and hors d’oeuvres. To RSVP or for more information, contact Kerri Beach at beachk1@nku.edu or 859-572-1461.

This is a social event with a minimum of speeches and public program. Please join us to help us celebrate the launch of the new Institute. We look forward to seeing you there.

About the Institute:

The Law & Informatics Institute provides a critical interdisciplinary approach to the study, research, scholarship, and practical application of informatics, focusing on the regulation and utilization of information – including its creation, acquisition, aggregation, security, manipulation and exploitation – in the fields of intellectual property law, privacy law, evidence (regulating government and the police), business law, and international law.

Through courses, symposia, publications and workshops, the Law & Informatics Institute encourages thoughtful public discourse on the regulation and use of information systems, business innovation, and the development of best business practices regarding the exploitation and effectiveness of the information and data systems in business, health care, media, entertainment, and the public sector.

Law firm loss of computer drive highlights duty to protect firm data

Earlier this month, the Baltimore Sun and ABA Journal reported that the law firm of Baxter, Baker, Sidle, Conn & Jones lost a back-up hard drive containing 161 stent patient files. The firm properly recognized it should have off-site storage of its sensitive data to protect from risk of fire and flood but chose to have an employee take the drive home each night via commuter train.

According to the Baltimore Sun, “[t]he storage device held a complete back-up copy of the firm’s data, including medical records related to the stent malpractice claims, along with patient names, addresses, dates of birth, social security numbers and insurance information.”

The hard drive was password protected but not encrypted. Password protection offers only a minimal level of protection: it does not prevent someone in possession of the drive from reading its contents. Law firms have a duty to protect confidential information both under their general ethical duties and under more specific state and federal laws. Here, the protected health information put at risk by the loss of the hard drive implicates regulations under HIPAA and the HITECH Act.

Although it is unlikely the law firm is regulated as a health care provider, the law is much less clear whether the law firm must sign a Business Associate Agreement regarding the data. If the law firm was given access to the data on behalf of its client, then a Business Associate Agreement – and all the HIPAA data protection provisions – would be required. Where the data was collected in an adversarial matter from an opposing party, however, such a duty may not attach.

The niceties of HIPAA are only one of the problems. If the hard drive included all of the firm’s data, then it contained client names and may also have contained client trade secrets and other confidential information.

The American Bar Association has recognized that lawyers have an ethical duty to take reasonable measures to protect a client’s confidential information from unintended disclosure and unauthorized access. In fact, a draft proposal will codify this existing obligation under a new ABA Model Rule 1.6(c).

1.6 (c) A lawyer shall make reasonable efforts to prevent the unintended disclosure of, or unauthorized access to, information relating to the representation of a client.

Factors to be considered in determining the reasonableness of the lawyer’s efforts include the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

As illustrated by the lapse at Baxter, Baker, Sidle, Conn & Jones, security starts with the physical safeguard of data – in the firm, its physical files and its electronic storage. Trains, backpacks, and car seats are never good ideas for the systematic ongoing protection of data. Secure, encrypted off-site storage is no longer expensive and likely the minimum standard.

SEC provides guidance on disclosure of cybersecurity risks

Responding to a request from members of the Senate, the SEC has published official guidance regarding the obligation of publicly traded companies to address the economic consequences of cyber-attacks. The guidance, which does not have the binding authority of law or regulation, will still shape public companies’ decisions regarding disclosure.

The obligation to report likely exists in the more general obligations of disclosing material risks for public companies, a point the guidance emphasizes.

“Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents.”

For purposes of the disclosure, cybersecurity has been defined as “the body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access.” The definition cites Whatis?com available at http://whatis.techtarget.com/definition/cybersecurity.html.

The guidance illustrates the types of issues that can rise to material importance for the public.

Registrants that fall victim to successful cyber attacks may incur substantial costs and suffer other negative consequences, which may include, but are not limited to:

  • Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused. Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack;
  • Increased cybersecurity protection costs that may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants;
  • Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
  • Litigation; and
  • Reputational damage adversely affecting customer or investor confidence.

The need for guidance was triggered by a letter to the SEC Commission Chairperson, Mary Schapiro, on May 11, 2011 by five members of the Senate. The letter demanded better disclosure.

“In light of the growing threat and the national security and economic ramifications of successful attacks against American businesses, it is essential that corporate leaders know their responsibility for managing and disclosing information security risk. … Beyond our concerns about material information security risk, we believe that once a material network breach has occurred, leaders of publicly traded companies may not fully understand their affirmative obligations to disclose information on potentially compromised intellectual property or trade secrets.”

The new guidance is simply a reminder that the threats and the ramifications of network breach and theft of intellectual property have material implications on the value of publicly traded companies and as such, these issues must be addressed in the ongoing public disclosure of affected companies.

Two great day-long informatics events – small business; open source

“Social, Mobile, Local – Technology Trends, Tools, and Strategies for Small Business Success”

Wednesday, Oct. 26 – 9:00 am-4:00 pm – Madison Event Center in Covington

The NKU Small Business Development Center and NKU Chase Law & Informatics Institute are co-sponsoring a technology conference for small businesses. The conference: Social, Mobile, Local – Technology Trends, Tools and Strategies for Small Business Success, is Wednesday, Oct. 26, from 9 a.m. to 4 p.m. at the Madison Event Center in Covington. If you own a small business or work with one as a service provider, you will find the program relevant and practical. Learn more at http://somolonky.eventbrite.com.

The day-long conference is designed to provide valuable information to small businesses and those who support entrepreneurship in three categories: (1) entities interested in using / maximizing the value of their social media efforts in marketing, relationship building, and sales generation; (2) businesses who want to learn more about the newer, low cost ‘cloud computing’ tools, software, and functional capabilities to improve and expand the efficiency and productivity of their internal processes; and (3) organizations who want to be better informed about the role of intellectual property protection as it relates to their products, services, marketing materials, and business practices.

CincyIP 3rd Annual Symposium, Open Source & Security Cubed: Dispelling the Myths

Thursday, Oct. 27 – 7:45am-4:30pm – The METS Center, 3861 Olympic Blvd., Erlanger

Full information available online.

The program will feature topics on Open Source Compliance, 3D licensing strategy, supply chain issues, M & A topics, the intersection of IP and open source security and other topics.

The use of open source software continues to grow on a daily basis. Today, enterprise applications contain 40% to 70% open source code, and this fact has legal, development, IT security, risk management and compliance organizations focusing their attention on its use as never before. They increasingly understand that the open source content within an application must be detected. Once uncovered, decisions regarding compliance with intellectual property licensing obligations must be made and known security vulnerabilities must be remediated. From a risk perspective, it is no longer acceptable to leave either open source issue unaddressed.

I will be at both programs and hope to see you there.

Case Against Hurt Locker Dismissed

Federal district court judge Jacqueline Nguyen finalized her ruling dismissing the claims by Sgt. Jeffrey Sarver that he was the person depicted in the film. The original complaint included claims for violation of publicity rights, defamation, false light and intentional infliction of emotional distress, but most of those claims had been dismissed earlier in the proceedings.

For filmmakers, the case is particularly important because the California district court awarded the defendants attorneys’ fees in the case.

As a legal matter, narrative films can certainly be held accountable for defamation if the film is “of or concerning” the plaintiff. A similar issue arose with the movie American Gangster, the Ridley Scott film starring Denzel Washington. At the end of the film a tag line read “collaboration [with law enforcement] led to the conviction of three quarters of New York City’s Drug Enforcement Agency.” In reality, according to the defamation suit opinion, Lucas’ cooperation “did not lead to the conviction of a single agent of the New York City office of the USDEA or any member of the NYPD, or any other law enforcement official in New York or elsewhere.” Unlike many defamation lawsuits, here the filmmakers were clearly caught making an outright fabrication. In this case, however, the suit was dismissed because the defamation was of a large group – 400 current and former DEA agents. No particular agent was identified.

A similar threshold issue occurs with Sgt. Sarver’s claim. Although Sarver claimed screenwriter Mark Boal based the film exclusively on him, Boal denied the allegation. “The Hurt Locker was inspired by many soldiers I met and interviewed during my time reporting in Iraq and elsewhere,” Boal wrote.

Judge Nguyen noted “[d]efendants unquestionably contributed significant distinctive and expressive content to the character of Will James.” If the character is a composite of many individuals and further transformed through the writing, directing and acting process, it is hard to show that the threshold question of “of or concerning” can be met.

There must certainly be a balance between the rights of an individual to be free of defamatory attacks and the rights of journalists and artists to express themselves. But the court here struck the right balance.

Supreme Court to Visit Role of GPS Tracking for Warrantless Searches

In the upcoming Supreme Court docket, one of the most significant decisions will involve the role of judicial oversight in the use of GPS tracking devices. Specifically, in U.S. v. Jones, 131 S. Ct. 3064 (2011) the Court will decide “[w]hether the government violated respondent’s Fourth Amendment rights by installing the GPS tracking device on his vehicle without a valid warrant and without his consent.”

Defendant Antoine Jones was convicted of conspiracy to sell cocaine based, in part, on the use of a GPS tracking device placed on his car. The police then monitored Jones’ movements for a month. The D.C. Circuit reversed the conviction on the basis of the warrantless GPS tracking.

Jones argued the use of the GPS device violated his “reasonable expectation of privacy,” U.S. v. Katz, 389 U.S. 347, 360–61 (1967) (Harlan, J., concurring). The Katz test focuses on “whether the individual has an expectation of privacy that society is prepared to recognize as reasonable.” The judiciary provides a normative interpretation of society to determine how best to extend the obligation for warrants to situations that arise because of new technologies and new social circumstances.

Here, the Circuit Court was concerned about the 24/7 surveillance afforded to the police through the GPS tracking device. It found the constant surveillance to be different in type than the mere placing of a beeper used to follow a particular vehicle a single time, as was the case in U.S. v. Knotts, 460 U.S. 276 (1983).

Knotts is often quoted for the proposition that “[a] person traveling in an automobile on public thoroughfares has no reasonable expectation of privacy in his movements from one place to another.” Knotts, 460 U.S. at 281. But the D.C. Circuit rejected the analogy to tracking automobiles in public, instead choosing to analogize to the pervasiveness of an ongoing, permanent surveillance.

Other appellate courts had less concern about the GPS devices.

In U.S. v. Pineda-Moreno, 591 F.3d 1212 (9th Cir. 2010) the Ninth Circuit upheld the use of devices when used on seven different occasions. The case did not address the length of any particular tracking episode, but instead found that the undercarriage of a car was not an area with a protected zone of privacy and neither was the place where the device was affixed – in parking lots, streets, and the defendant’s driveway. The Eighth Circuit has suggested a similar outcome. U.S. v. Marquez, 605 F.3d 604 (8th Cir. 2010).

Similarly, in U.S. v. Garcia, 474 F.3d 994 (7th Cir. 2007), the court found the use of such devices unobjectionable. Judge Posner focused on the challenge of extending the law of Fourth Amendment Privacy by analogy:

If a listening device is attached to a person’s phone, or to the phone line outside the premises on which the phone is located, and phone conversations are recorded, there is a search (and it is irrelevant that there is a trespass in the first case but not the second), and a warrant is required. But if police follow a car around, or observe its route by means of cameras mounted on lampposts or of satellite imaging as in Google Earth, there is no search. Well, but the tracking in this case was by satellite. Instead of transmitting images, the satellite transmitted geophysical coordinates. The only difference is that in the imaging case nothing touches the vehicle, while in the case at hand the tracking device does. But it is a distinction without any practical difference.

U.S. v. Garcia, 474 F.3d at 997. Looking at the conduct rather than the technology, Judge Posner stated “[t]he substitute here is for an activity, namely following a car on a public street, that is unequivocally not a search within the meaning of the amendment.”

This analogy was rejected by the D.C. Circuit. There the opinion emphasized the practical limitations. “Continuous human surveillance for a week would require all the time and expense of several police officers, while comparable photographic surveillance would require a net of video cameras so dense and so widespread as to catch a person’s every movement, plus the manpower to piece the photographs together.” At the same time, however, the court recognized the disappearance of technological barriers to tracking, noting that “the marginal cost of an additional day — or week, or month — of GPS monitoring is effectively zero. Nor, apparently, is the fixed cost of installing a GPS device significant; the Los Angeles Police Department can now affix a GPS device to a passing car simply by launching a GPS-enabled dart.”

The opinions have all avoided the next question – whether similar tracking using satellites and public cameras to pervasively track a vehicle or a person in public constitutes a search.

In November, the oral arguments before the Supreme Court will provide an indication of the direction the Court is leaning. The Court did not grant certiorari for those cases upholding the searches as lawful, but that is not a particularly strong indicator. On the other hand, a decision that this particular technology requires a search warrant merely begs the question for RFID chip readers, tracking data in toll-paying devices, tracking data stored in cell phones, and tracing movement using facial recognition software on cameras installed in public places.

The ironic result of decisions invoking Katz is that the Court does not have the ability to learn what the public’s expectation of privacy is nearly as much as it has the power to inform the public what expectation of privacy it now should have.

Hopefully, the Court will move beyond the discussion of how the GPS device was attached to the car to focus on the question of pervasive tracking of citizens by the police. To analogize from the beeper in Knotts is unhelpful. Instead the Court should – and likely will – return to the first principles of Katz regarding the public’s reasonable expectation of privacy.

Undoubtedly technology will only make it easier to track individuals and record their behavior. The Court’s decision will set the agenda for discussion of privacy policy and inevitably shape the norms for our privacy expectations.

Registration now open for Social, Mobile, Local

Social, Mobile, Local – Technology Trends, Tools, and Strategies for Small Business Success

Wednesday, October 26, 2011

The NKU Small Business Development Center, in conjunction with the NKU Chase Law & Informatics Institute, will sponsor a technology conference for small business owners and entrepreneurs. The day-long program will feature Ramon Ray, editor and technology evangelist at Smallbiztechnology.com; David Sevigny, president of DMD Data Systems, Inc.; Eric Spellmann, owner and president of Spellmann & Associates; and Professor Jon Garon, director of the Law & Informatics Institute.

To register for the conference, visit http://somolonky.eventbrite.com.