Two days until NKU Law Review Symposium on Law & Informatics

The Northern Kentucky Law Review will host the inaugural Law & Informatics Symposium on March 1-2, 2012, presented in association with the NKU Chase Law & Informatics. Offering cutting-edge presentations and 10.5 hours of CLE, the symposium is sure to provide an important addition to the growing understanding of the intersection between law and information systems around the globe.

Limited seating is still available. See https://supportnku.nku.edu/ChaseLII for details.

Your registration fee includes the general and special sessions, breakfast and lunch, as well as all published materials.

This two-day conference will gather academics, lawyers, and industry leaders from throughout the United States, Europe, and Asia to focus on cutting-edge issues involving data privacy, cyber-security, international trade, and internet regulation.

The first day’s topics will include criminal justice and the media, antitrust, HIPAA/HITECH Act compliance, GLBA reporting, social media marketing, and international internet regulations. The second day will include international cyber-crime cross-border transactions, international publicity, cyber currency, privacy legislation, and many related topics.

The Symposium is an opportunity for academics, practitioners, and students to exchange ideas and explore emerging issues in informatics law, disruptive innovation, and the increasingly interconnected information environment. The agenda is available online at http://chaseinformatics.org/symposium/.

Speakers:

  • P.J. Blount, National Center for Remote Sensing, Air, and Space Law, University of Mississippi School of Law
  • Galina Borisevich, Perm State University, Russian Federation
  • Eric Chaffee, University of Dayton School of Law
  • Natalya Chernyadyeva, Perm State University, Russian Federation
  • Jorge Contreras, American University Washington College of Law
  • Evelina Frolovich, Perm State University, Russian Federation
  • Vaibhav Garg, Indiana University School of Informatics and Computing
  • Anne Gilliland, The Ohio State University College of Medicine SBS-Biomedical Informatics
  • David Harris, Harvard Law School Charles Hamilton Houston Institute for Race and Justice
  • Henry Judy, K&L Gates
  • Kalyan C. Kankanala, Brain League IP Services Ltd. (India)
  • Deborah Keeling, University of Louisville College of Justice Administration
  • Michael Losavio, University of Louisville College of Justice Administration
  • Rachel Lyon, Northern Kentucky University College of Informatics
  • Jasmine McNealy, Syracuse University S.I. Newhouse School of Public Communication
  • Mark McPhail, University of Wisconsin-Whitewater College of Arts and Communication
  • Svetlana Polyaskya, Perm State University, Russian Federation
  • David Satola, The World Bank
  • Susan Stephan, Kretsch & Gust PLLC
  • Lauren Solberg, Meharry Medical College
  • Judith Wiener, The Ohio State University College of Medicine SBS-Biomedical Informatics
  • Peter Yu, Drake University School of Law

For details, registration, and additional restrictions please see http://chaseinformatics.org/symposium/ or call 859.572.7577.

General Pricing: $395 – Same Day Rush: $200

Alumni Pricing: $295 – Same Day Rush: $200

Academics & Students not affiliated with NKU: $50 – Same Day Rush: $10

Cybersecurity Act of 2012 Puts Focus on the Shadow Wars

On February 14, 2012, a comprehensive new 205-page Cybersecurity Act of 2012 was introduced in the Senate to address the growing concerns about cyber-warfare, cybersecurity, and cyber-terrorism. The bipartisan Cybersecurity Act of 2012 is co-sponsored by Senators Joe Lieberman (I-Ct), Susan Collins (R-Maine), Jay Rockefeller (D-WV) and Dianne Feinstein (D-Cal) to address the potential gaps in the critical U.S. infrastructure. As defined in the USA Patriot Act,

[T]he term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

The proposed law expands on the USA Patriot Act and existing presidential directives to provide sector-by-sector assessment, standards and regulations to improve these assets. Presently, the DHS provides utterly circular guidance on the existing directives. Hopefully, the new proposal will at least increase the awareness within these sectors for comprehensive security.

The proposed legislation defines “cyber risk” as “any risk to information infrastructure, including physical or personnel risks and security vulnerabilities, that, if exploited or not mitigated, could pose a significant risk of disruption to the operation of information infrastructure essential to the reliable operation of covered critical infrastructure.” The information infrastructure is the privately owned communications systems located in the U.S., presumably including everything from telephones and cable to Facebook and Google.

Howard Waltzman suggests that a critical infrastructure system or asset may be deemed “covered” only if damage or unauthorized access to the infrastructure could lead to:

  • The interruption of life-sustaining services (e.g. food, energy, or emergency services) sufficient to cause a mass casualty event or mass evacuations;
  • Catastrophic economic damage to the United States, including failure or disruption of a US financial market or sustained disruption of a transportation system; or
  • Severe degradation of national security capabilities.

Ninety days following the passing of the legislation, a sector-by-sector review of the critical infrastructure will provide a prioritized list of the most at-risk systems.

There are significant exemptions in the law to protect private vendors (perhaps security software companies, search engine providers, and social media networks) so that particular products cannot be singled out. Similarly, there is a weak attempt to provide free speech protections to the system and to protect technologies based solely on their ability to be used in critical infrastructure.

The timing of the legislation is particularly interesting in light of the recent cyber attack in Israel by a Saudi Arabian hacker and retaliatory credit card hacking by an Israeli against the Saudi banks. Attacks against Google and US defense contractors, allegedly by Chinese-sponsored hackers, raised similar concerns.

Moreover, a stealth war with Iran appears to be heating up, including the assassinations of government scientists and public officials, increased sponsorship of terrorism targeting soft targets, and heightened war rhetoric.

As with SOPA and the PROTECT IP Act, the critical issue will be to focus on the primary risks rather than on political maneuvering by legislators to prove who is the toughest on the perceived threat. The costs for upgrading critical infrastructure will likely be immense; the complexity will be monumental; and the challenges significant. Where our nation is at risk, these steps must be taken. But the process must include some caution and common sense so that it is moderated and proportional to the outstanding threats.

Google, EPIC and the Values of Disaggregation

On January 24, 2012 Google announced the significant revamping of its privacy policies, consolidating the policies to a single, comprehensive approach. The simplicity of the policy is undoubtedly good news for the legions of users who pay attention to such issues.

The bad news is that not only are the policies consolidated, so is the underlying data. Google, which runs dozens of discrete services, will be integrating the data collection into a single, comprehensive and interconnected data set – the ultimate Big Data of consumer behavior. The reason is simple: Google’s revenue is tied exclusively to advertising. The better the data integration, the more valuable each ad is when served to a prospective customer.

Google has thus far ignored EU requests to delay the roll-out. Instead, Google insists that any delay would cause more confusion. In a lengthy response, Google explained the reason behind the merging of several policies into one. Among the features better integration will support is integrated usage.

Our ability to share information for one account across services also allows signed-in users to use Google+’s sharing feature – called “circles” – to send directions to family and friends without leaving Google Maps. And a signed-in user can use her Gmail address book to autocomplete an email address when she’s inviting someone to work on a Google Docs document.

The answers, however, do not respond to the duties of Google under last year’s FTC consent decree regarding the ill-fated launch of Google Buzz. The Electronic Privacy Information Center (EPIC) has sued to force the FTC to enforce the consent decree and thwart the new privacy policy. The District Court is scheduled to hear the case in advance of the March 1, 2012 launch date.

According to EPIC’s Complaint, Google has violated a number of its consent decree obligations:

  • Misrepresenting the extent to which Google maintains privacy and confidentiality.
  • Misrepresenting the extent to which Google complies with the U.S.-EU Safe Harbor Framework and data security obligations.
  • Providing adequate notice and consent to changes in Google privacy policies.

The critical commentary has been mixed, with some finding the changes a tempest in a teapot while other analysts express greater concern.

Perhaps most troubling is Google’s own set of comments:

So, here’s the real story:

  • You still have choice and control. You don’t need to log in to use many of our services, including Search, Maps and YouTube. If you are logged in, you can still edit or turn off your Search history, switch Gmail chat to “off the record,” control the way Google tailors ads to your interests, use Incognito mode on Chrome, or use any of the other privacy tools we offer.
  • We’re not collecting more data about you. Our new policy simply makes it clear that we use data to refine and improve your experience on Google — whichever products or services you use. This is something we have already been doing for a long time.
  • We’re making things simpler and we’re trying to be upfront about it. Period.
  • You can use as much or as little of Google as you want. For example, you can have a Google Account and choose to use Gmail, but not use Google+. Or you could keep your data separate with different accounts — for example, one for YouTube and another for Gmail.

Privacy on Google requires turning its services off, operating in Incognito mode, creating multiple accounts or avoiding the products. Google is increasingly transparent. It does not wish to provide privacy and will make private transactions increasingly difficult. That the data has always been collected is true; that Google can exploit it more effectively is perhaps the real story – and real danger.

The approach is the opposite of the FTC privacy-by-design initiative. Almost everything one does will be tracked. Suddenly search has become quite expensive.

NLRB updates reports on social media: Gripes not protected unless they are concerted; lesson is to Gripe with Friends

In August, NLRB Acting General Counsel Lafe Solomon released a summary report of National Labor Relations Board hearings involving social media. In the first report, four of the decisions found that employees were improperly fired for their online social media activity while five of those cases found no improper discharge. [I previously reported on this for the Cincinnati Bar Association – Recent NLRB Administrative Decision Affirms Board.]

The NLRB has updated the report with a new memo. As reported by the NLRB news release, the “Operations Management Memo covers 14 cases, half of which involve questions about employer social media policies. Five of those policies were found to be unlawfully broad, one was lawful, and one was found to be lawful after it was revised.” The NLRB reports that approximately 75 cases have been forwarded to the agency thus far.

Consistent with the earlier report, the updated summary continues to make these broad points:

  • Employer policies should not be so sweeping that they prohibit the kinds of activity protected by federal labor law, such as the discussion of wages or working conditions among employees.
  • An employee’s comments on social media are generally not protected if they are mere gripes not made in relation to group activity among employees.

Although the report suggests that these cases are “very fact specific,” in truth the paradigm for many of these cases follows a similar pattern.

  • Step 1: An employee gets upset at work, responding by posting to Facebook, Twitter, YouTube or another social media site.
  • Step 2: Co-workers see the post. If they respond and suggest some action be taken against the employer, the posting will likely be considered concerted employee activity. If the co-workers do not respond (or make vague supporting comments like “hang in there”), there will be no concerted activity and the employee’s complaint – typically expletive laden – will be unprotected.
  • Step 3: The employer will meet with the employee, identify the provision in the employment policies that contains either a specific or a general statement barring unprofessional behavior, and fire the employee.

At the NLRB, the first question is whether the posts are protected concerted activity within the meaning of Section 7 of the National Labor Relations Act. The conversation met the test as protected concerted activity because the posts were related to the terms and conditions of employment.

Section 7 of the Act (29 U.S.C. §157) provides that

employees shall have the right to self-organization, to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection

The challenge for griping employees seems to be that the statement itself is not what will typically define protection in these cases. Of course, were the employee to start their social media post with “let’s get together to plan our unionizing strategy,” such a post would be protected, even if ignored by fellow employees. But when an employee is swearing about their employer or fellow employees, the protection will depend on whether someone in the social circle responds with a suggestion that something affecting working conditions be done to address the problem.

For employees who post in frustration, the alternatives are to remove the post quickly or to be sure the post becomes part of a broader conversation on working conditions and employer engagement.

The second issue is the breadth with which the employment handbooks are being drafted. Policies that ban social media, ban the use of the employee’s affiliation with their employer, or prohibit “inappropriate” language and behavior are too vague and overbroad to support a termination. Saving language that references the National Labor Relations Act without explaining what such reference entails will not typically save the overly broad provisions. Instead, the policy should be more realistically tailored to prohibit the types of misconduct that are most likely to result in discipline or termination.

The NLRB press release also identifies three cases involving social media questions currently pending which will provide additional insights into this area. The cases can be found here, here, and here.

Facebook IPO raises interesting legal disclosures

Companies engaging in public markets are under tremendous scrutiny as well as legal obligations to provide all material information related to the sale of those securities. In addition, beginning October 13, 2011, the SEC provided specific guidance on the types of cyber-security issues that must be disclosed to the public markets in various statements and offerings.

So it should come as no surprise that Facebook has provided the public a comprehensive blueprint for disclosure of all possible risks that might occur to a publicly traded social media enterprise in its initial IPO filing (its S-1 Registration).

In his Internet Cases blog, attorney Evan Brown noted that Facebook lists 40 risk factors. His informative blog describes six of the more interesting legal disclosures in the Facebook IPO regarding the intellectual property issues the company faces.

Among the risk factors of note were the reliance on Zynga – which accounts for 12% of company revenue, challenges of scalability, and the risk associated with the development of Facebook’s own technology.

  • We recently began to own and build key portions of our technical infrastructure, and, because of our limited experience in this area, we could experience unforeseen difficulties.

In 2011, we began serving our products from data centers owned by Facebook using servers specifically designed for us. We plan to continue to significantly expand the size of our infrastructure, primarily through data centers that we design and own.

Facebook also recognized the significant challenges created by intellectual property ownership – both as an owner of those assets trying to protect them – and as a target for others trying to cash in (since others could not be justifiably defending their own rights).

  • We are currently, and expect to be in the future, party to patent lawsuits and other intellectual property rights claims that are expensive and time consuming, and, if resolved adversely, could have a significant impact on our business, financial condition, or results of operations.

Companies in the Internet, technology, and media industries own large numbers of patents, copyrights, trademarks, and trade secrets, and frequently enter into litigation based on allegations of infringement, misappropriation, or other violations of intellectual property or other rights. In addition, various “non-practicing entities” that own patents and other intellectual property rights often attempt to aggressively assert their rights in order to extract value from technology companies.

Perhaps the most interesting disclosure is the attitude exhibited for rights of privacy and publicity.

  • Our business is subject to complex and evolving U.S. and foreign laws and regulations regarding privacy, data protection, and other matters. Many of these laws and regulations are subject to change and uncertain interpretation, and could result in claims, changes to our business practices, increased cost of operations, or declines in user growth or engagement, or otherwise harm our business.

Certainly one can understand the pressure Facebook feels to comply with privacy laws and keep up with the FTC practices that require privacy policies be respected and changes to those policies be enacted only after adequate notice.

Is it then at odds with the company to value itself at $100 billion if the value of its assets is so uncertain and complex? The risk does not seem to be deterring the company from seeking the reward. So perhaps the risk factor serves another purpose – to suggest that any changes resulting in increased privacy protections are harmful to the economy and the country.

Either way: Buyer beware.