Can Sony get around the First Amendment to sue the media over the hack? (Eriq Gardner, 15 Dec 2014) – On Sunday night, famed attorney David Boies sent a threatening letter on behalf of Sony Pictures toThe Hollywood Reporter , The New York Times and other news organizations demanding destruction of stolen information and warning of consequences for publishing the company’s secrets. If Sony does decide to go to court against the media over revelations that keep coming – Channing Tatum and Chris Pratt wish to rebootGhostbusters , George Clooney lost faith in The Monuments Men , Sony executives weren’t thrilled by Leonardo DiCaprio dropping out of a Steve Jobs biopic – the First Amendment stands as a roadblock. But maybe not an impenetrable one. Many attorneys are now carefully reading every word from a 2001 Supreme Court decision,Bartnicki v. Vopper . The case concerned union officials whose intercepted cell phone conversations landed in the hands of a radio commentator who broadcast the contents. At the high court, the media defendants were given a pass from violating a federal wiretap law as they “played no part in the illegal interception,” “their access to the information on the tapes was obtained lawfully, even though the information itself was intercepted unlawfully by someone else” and finally, “the subject matter of the conversation was a matter of public concern.” That decision offers tremendous hope for news organizations that Sony’s threats against the news media are empty. “Unless the media is involved in the hacks themselves, the Bartnicki case puts the law on the side of the media,” says Andy Sellars at Harvard University’s Berkman Center for Internet & Society. However, some caution might be in order for two reasons.

 

Provided by MIRLN.

Image courtesy of Creative Commons / Mr. TinDC

 

The FCC takes a seat at the cyber-regulation table (Cyber Risk Network, 8 Dec 2014) – The FCC recently slid up its chair to the fiscal feast that is cyber security and data breach regulation and took a hefty piece of the pie. In late October the FCC announced that it charged a record $10 million fine against two telecommunication companies after the telecoms reportedly posted the private information of nearly 300,000 people in a manner making the people eligible for identity theft. Taking a cue from the Federal Trade Commission (“FTC”), the FCC action was not based on any new set of concrete regulations or laws established to give organizations a minimum bar for data protection, but rather on existing FCC powers established under the Communications Act of 1934. The action serves as good warning not only to communications providers that the FCC will be examining data breaches and, more expressly, data storage issues, but also that in the absence of clear cybersecurity regulations, federal agencies will take an expansive view of their existing authority to address cybersecurity-related incidents involving companies subject to their jurisdiction. Similar to the FTC’s response, the FCC’s first foray into data beach regulation was born from its interpretation of its existing authority under the Communications Act of 1934 (the “Act”). Under the Act, the FCC is responsible for regulating interstate and international communications by radio, television, wire, satellite, and cable throughout the United States and its territories. Moreover, under 503(b)(1) of the Act, the FCC is authorized to impose a forfeiture penalty against “any person who willfully or repeatedly fails to comply with any provision of the Act.” As the FCC described in its Notice of Forfeiture, that is exactly what two companies did, YourTel America and TerraCom Inc., when they collected the data of up to 300,000 customers to determine eligibility for the FCC’s low-income discount phone program, “Lifeline.” In order to enroll, potential participants had to demonstrate eligibility by submitting personal information to the Companies, including the applicant’s name, address, date of birth, social security number, and driver’s license information. Between September 2012 and April 2013, the FCC alleges that applicants’ information was stored on data servers that were publicly accessible via the Internet, a fact made known to the FCC after reporters from the Scripps Howard News Service advised the FCC that they were able to access at least 128,066 confidential records by using a simple Google search. Acting under the authority provided by the Communications Act, as amended by the Telecommunications Act of 1996 , the FCC charged the Companies with violations of Sections 222(a) and 201(b) Under 222(a), a carrier has a duty “to protect the confidentiality of proprietary information of, and relating to . .. customers.” Similarly, 201(b) makes it unlawful for a carrier to employ “unjust or unreasonable” data security practices related to its “practices,” such as, in this case, holding customers’ “proprietary information.”

 

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/SergeBerstasiusPhotography

 

Germany’s top publisher bows to Google in news licensing row (Re/Code, 5 Nov 2014) – Germany’s biggest news publisher, Axel Springer, has scrapped a bid to block Google from running snippets of articles from its newspapers, saying that the experiment had caused traffic to its sites to plunge. Springer said a two-week-old experiment to restrict access by Google to its news headlines had caused Web traffic to its publications to plunge, leading it to row back and let Google once again showcase Springer news stories in its search results. Chief Executive Mathias Doepfner said on Wednesday that his company would have “shot ourselves out of the market” if it had continued with its demands for the U.S. firm to pay licensing fees. Springer, which publishes Europe’s top-selling daily newspaper, Bild, said Google’s grip over online audiences was too great to resist, a double-edged compliment meant to ram home the publisher’s criticism of what it calls Google’s monopoly powers. Publishers in countries from Germany and France to Spain have pushed to pass new national copyright laws that force Google and other web aggregators to pay licensing fees – dubbed the Google Tax – when it publishes snippets of their news articles. Under German legislation that came into effect last year, publishers can prohibit search engines and similar services from using their news articles beyond headlines. Last week, Spain’s upper house passed a similar law giving publishers an “inalienable” right to levy such licensing fees on Google.

 

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/KROMKRATHOG

 

 

 

British intelligence spies on lawyer-client communications, government admits (GigaOM, 6 Nov 2014) – After the Snowden leaks, British lawyers expressed fears that the government’s mass surveillance efforts could undermine the confidentiality of their conversations with clients, particularly when those clients were engaged in legal battles with the state. Those fears were well-founded. On Thursday the legal charity Reprieve, which provides assistance to people accused of terrorism, U.S. death row prisoners and so on, said it had succeeded in getting the U.K. government to admit that spy agencies tell their staff they may target and use lawyer-client communications “just like any other item of intelligence.” This is despite the fact that both English common law and the European Court of Human Rights protect legal professional privilege as a fundamental principle of justice. Reprieve noted that the government had previously claimed three times that it could not disclose the information it has now disclosed (PDF) in heavily redacted form. According to that information, the acceptability of spying on lawyer-client communications is largely backed up by the Regulation of Investigatory Powers Act (RIPA), which was recently revised to allow surveillance of all sorts of online channels , as well as of phone calls and emails.

 

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/StuartMiles

 

 

McPeak on social media & civil discovery (Legal Theory Blog, 14 Nov 2014) – Agnieszka McPeak (University of Toledo College of Law) has posted Social Media Snooping and Its Ethical Bounds (Arizona State Law Journal, 2014 Forthcoming) on SSRN. Here is the abstract: Social media has entered the mainstream as a go-to source for personal information about others, and many litigators have taken notice. Yet, despite the increased use of social media in informal civil discovery, little guidance exists as to the ethical duties – and limitations – that govern social media snooping. Even further, the peculiar challenges created by social media amplify ambiguities in the existing framework of ethics rules and highlight the need for additional guidance for the bench and bar. This article offers an in-depth analysis of the soundness and shortcomings of the existing legal ethics framework, including the 2013 revisions to the American Bar Association’s model rules, when dealing with novel issues surrounding informal social media discovery. It analyzes three predominant ethics issues that arise: (1) the duty to investigate facts on social media, (2) the no-contact rule and prohibitions against deception, and (3) the duty to preserve social media evidence. While the first two issues can be adequately addressed under the existing framework, the rules fall short in dealing with the third issue, preservation duties. Further, even though the existing ethics rules can suffice for the most part, non-binding, supplemental guidelines, or “best practices,” should be created to help practitioners and judges navigate the ethical issues created by new technology like social media.

 

 

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/worradmu

Software companies now on notice that encryption exports may be treated more seriously: $750,000 fine against Intel subsidiary (Goodwin Procter, 15 Oct 2014) – On October 8, 2014, the Department of Commerce’s Bureau of Industry and Security (BIS) announced the issuance of a $750,000 penalty against Wind River Systems, an Intel subsidiary, for the unlawful exportation of encryption software products to foreign government end-users and to organizations on the BIS Entity List. Wind River Systems exported its software to China, Hong Kong, Russia, Israel, South Africa, and South Korea. BIS significantly mitigated what would have been a much larger fine because the company voluntarily disclosed the violations. We believe this to be the first penalty BIS has ever issued for the unlicensed export of encryption software that did not also involve comprehensively sanctioned countries ( e.g. , Cuba, Iran, North Korea, Sudan or Syria). This suggests a fundamental change in BIS’s treatment of violations of the encryption regulations. Historically, BIS has resolved voluntarily disclosed violations of the encryption regulations with a warning letter but no material consequence, and has shown itself unlikely to pursue such violations that were not disclosed. This fine dramatically increases the compliance stakes for software companies – a message that BIS seemed intent upon making in its announcement. Encryption is ubiquitous in software products. Companies making these products should reexamine their product classifications, export eligibility, and internal policies and procedures regarding the export of software that uses or leverages encryption (even open source or third-party encryption libraries), particularly where a potential transaction on the horizon – e.g. , an acquisition, financing, or initial public offering – will increase the likelihood that violations of these laws will be identified.

 

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/StuartMiles