Monday, August 08, 2005
Vince Polley [picture] spoke for a few moments, discussing some Section news. He noted that this Annual is very well attended -- approximately 2200 Business Law members are here -- and that the Section is putting on 22 programs, which is far and away the most prolific of the ABA's sections. Of those 22, Cyberspace is putting on (directly or as a co-sponsor) six. On the publishing side, the Committee has produced 3 new book titles over the past year. In other words, we continue to be amongst the most productive committees in the most productive section.
Vince rattled off the upcoming meetings through the section, including Tampa in April 2006, and Honolulu in August 2006. Vince noted that the Hawaii meeting will have a modified format, including early start and stop times during the days and a smaller set of programs.
Vince handed the podium to Candace Jones, [picture] who will chair the committee going forward. Candace spoke briefly about the coming plans for 2005-2006. The Winter Working Meeting for January 2006 will be held in Wilmington, Delaware. Wilmington is a short ride from the Philadelphia airport, and can be reasonably reached from Baltimore as well. Also, Wilmington is on the Amtrak Acela train, so those in Boston, New York and D.C. (and points in between) have easy access.
Candace noted a few leadership and sub-group changes. Michael Fleming [picture] will be Vice Chairing the Committee, Juliet Moringiello will be Chair of the Publications Subcommittee, and Mattias Hallendorf will be the Co-Chair of the Transferability of Electronic Financial Assets Working Group (a joint project with the UCC Committee).
The Working Group on Spam will be re-purposed to a degree and renamed as the Working Group on Malware. Elizabeth Bowles [picture] will continue to chair the WG. It will expand its portfolio beyond spam and into the wider concept of 'malware' -- put in quotes because task one is probably how to define it.
A new Subcommittee on Privacy, Security & Data Management will be co-chaired by Peter McLaughlin and Michael Power.
After the short remarks, Candace handed off the meeting to our five (!!!) hot topics speakers, who each had to compress their remarkably dense topics into about 15-20 minutes each.
Rhea Fredericks gave a short synopsis of the recent decisions in the Zubulake and similar matters concerning electronic discovery, and particularly corporate obligations to retain and preserve evidence.
Michael Geist spoke on his views of the WGIG report on Internet governance, which included a short history of the governance of the Internet that led up to today's concerns.
John Ottaviani reviewed the Grokster decision and had some thoughts on where we go from here in the P2P world.
Elizabeth Bowles presented some early thoughts on the malware concept, including the ideas around how we can start to define the idea.
Steven Middlebrook spoke on his own personal views of the current controversies on patenting within the financial industry.
Sunday, August 07, 2005
If any of you are not pictured, and you'd like your picture added, please track down Fleming or me, and we'll take a photo of you and add it.
If any of you who are pictured don't want to be, let us know, and we'll take down your picture.
Fleming and I made the pilgrimage to Chicago's coffee palace, Intelligentsia. The coffee was so good, we didn't even mind the $20.00 we spent in cab fare to get there and back.
We started with an order that confused the gal behind the counter; we each ordered a single espresso and a single macchiato. We quaffed those very quickly, and immediately followed up with another order. Fleming went for the latte pictured here. I ordered a traditional cappuccino.
We sat and enjoyed the place for a bit, and then we headed back. I couldn't leave without taking a bit more of the store with me. We'll see how well the pound of whole bean espresso does in my home espresso machine.
At the Cyberspace Dinner, the Committee presented a retirement/thank you gift to Vince Polley to say thanks for his tremendous service as a member, and then Chair, of the Cyberspace Law Committee. As Hank and Michael Fleming described in lengthy detail (see earlier post), the group finally agreed upon a very low-tech gift--a book!
The Cyberspace Dinner was one of the best ever. The evening started with (SURPRISE!) an open bar, courtesy of the law firm Gordon & Glickson. (Thanks Steve). A big thanks also goes to Jackie Scheib for all the hard work she put into setting up the dinner at Wildfire.
It was a thoroughly enjoyable evening.
A great time was had by all, as we awarded the Cyberspace Award for Excellence, honored our departing chief, and welcomed the new boss. Let us remember the night with a few photos.
Mark, Michael, Candace and Vince
Susan and Jason Epstein brought along their new twins
Jason holds our Committee's newest member
John and Chris
Don, Jackie and Don's spouse Diane
Elizabeth and Rafael
John, Elizabeth Cole (Australian attorney practicing in Shanghai), and Hank
Brad and Jane
[more to come...]
Driving along the road here, I used my laptop to get e-mail and download video - and you can do that while cruising at 70 miles per hour, mile after mile after mile, at a transmission speed several times as fast as a T-1 line. (Note: it's preferable to do this with someone else driving.)
Author Nicholas Kristof noted the irony of a rural area in Eastern Oregon pulling this off while bigger cities are still stuck in the mud. I suspect we shall see this issue (or similar concerns about next generation wireless broadband such as WiMax) coming up more and more in the next years.
Saturday, August 06, 2005
E. Michael Power, Roland Trope, Francoise Gilbert
The panel members used the metaphor of a submarine to describe data management and its risks to members of boards of directors. The panel provided a good overview of the various sources of law that make data security an increasingly important issue for companies. Moreover, the panel argued for increased attention to these issues by Boards of Directors of large and small companies.
This session demonstrated how data, its management, and security, is a common thread that runs through many of the programs at this year's meeting. The lack of attention to data management is a common source of many corporate challenges:
- data privacy issues
- the difficulty of many companies to cope with the challenges of ediscovery
- data security breaches and the obligation to notify consumers of the breaches
Michael Power made my favorite comment of the session. To paraphrase: "You can batten every hatch on your boat, and it's still going to get in. That's what bilge pumps are for. Data is just like water. You may think you've got a handle on where your data is stored and how it is secured, but, just like water, it goes everywhere."
Seminar Materials are available here. [ABA ID Required]
The meeting opened with the announcement that Juliet Moringiello is stepping down as Co-Chair, having reached the end of her three-year term. In her new role as Co-Chair of the Programs and Publications Subcommittee, the entire Cyberspace Committee will reap the benefits of her leadership talents and enthusiasm. Chris Kunz will be the new Co-Chair of the Ecommerce Subcommittee. Chris has been the driving force behind the impressive body of work on "click wrap" and "browse wrap" agreements produced by the Working Group on Econtracting Practices during her tenure as its Co-Chair. The timing is especially good for Chris to shift into the Ecommerce Subcommittee because of her interest in the Model Trading Partner Agreement and the Subcommittee's newest project, the Model Electronic Transaction Routing Services Agreement.
The meeting proceeded with a round-up of the Subcommittee's on-going projects. We were fortunate that Co-Chairs of all five Working Groups were in attendance to present status reports.
- Linda Rusch summarized the progress that the Working Group on Transferable Records has been making on their attempt to give practical direction on how to establish "control" over electronic chattel paper.
Elaine Ziff made a presentation on two ecommerce decisions which were handed down in the past year. The first was
The remainder of the meeting was dedicated to discussing the Model Electronic Transactions Routing Services Agreement. Phillip Schmandt and Chris Kunz led the group through their list of key conceptual questions, including, what is the difference between data and content, and what intellectual property, if any, will be created in the parties' relationship and who should own it? Between now and the Winter Working Meeting, a series of conference calls will be scheduled to go over the Model Electronic Transaction Routing Services Agreement in greater detail and focus on the actual language of the Agreement. If you would like to participate, please let Phillip or Chris know at firstname.lastname@example.org and email@example.com.
Elaine Ziff, Co-Chair, Electronic Commerce Subcommittee
This panel included speakers with a wealth of information about the current state of information security breach notification laws, the experiences of companies who have suffered a breach, and the legislative response to this situation.
Here are a few high points of many of the presentations.
Assistant Attorney General, Vermont
Ms. Brill briefly reviewed some of the litigation filed by state Attorneys General in response to companies failing to provide notification to citizens of a state when the companies suffer security breaches. The CD-ROM for the Annual Meeting contains the testimony presented by the State Attorneys General at the recent hearings on consumer notification. That testimony includes a comprehensive list of the known security breaches that affected consumer accounts. She estimated that approximately 50 million consumers have been affected by security breaches.
Ms. Brill encouraged everyone to read the new state breach notification laws to ensure they can appreciate the subtle variety in the laws. She also commented that some of the press reports about the new state laws have contained inaccuracies. To the extent the state notification laws differ, she felt the differences were largely in respect to how much of the OCC guidance was included in the state law.
Ms. Brill also summarized what she thought were the differences between the OCC Guidance and the majority of the state laws:
- The definition of the information that triggers an obligation to notify is broader in the OCC Guidance
- The language that describes whether notice must be given is more ambiguous
- The OCC Guidance requires notification whether the information acquired was encrypted or not
- The OCC Guidance also covers paper information as well as computerized information
She commented that the argument that the state laws lack uniformity is a red herring. She believes the state laws are similar enough that we have, effectively, uniform legislation.
She also does not agree there is a risk that consumers may become “numb” from receiving security breach notifications too often. She believes consumers are responding appropriately and that they are right to be very concerned about these breaches. She believes the breach notifications are an incredible educational tool that is beginning to help consumers learn what they must do to protect themselves from the risks of Identity Theft. Until American business changes its practices and improves the security of consumer information, the breach notifications will continue to be a good tool that has value.
She commented that most of the states want a federal security breach notification law. They believe the federal law should address two important points. First, the trigger for providing notice ought to be objective, not subjective, like the OCC Guidance. The states don’t want the entity that suffered a breach to decide if notice must be given. Second, the states don’t believe preemption is necessary.
Finally, she commented that the states want an expansion of the Safeguards Rule. They do not believe the current rule is strong enough, and believe it should be modified to cover all entities that store or process sensitive consumer information, not just financial institutions that are currently covered by GLB.
[More to follow after lunch]
Friday, August 05, 2005
Sarah Jane Hughes and Bob Ledig opened discussion of the FDIC's forthcoming proposals regarding stored value cards and the deposit insurance coverage (if any) of the underlying funds. A fascinating discussion followed with the group continuing to work out the implications. The group is going to provide some further detail in a followup e-mail to the Committee, and suggest that many of the members could be interested in providing their own comments to FDIC.
John Lunseth and Rae Cogar opened the meeting.
John reminded us that Rhea Fredrics from Kroll Ontrack will be speaking to the plenary session on Saturday morning -- one of the Hot Topics will be some recent electronic discovery matters.
John solicited further volunteers for the series of monographs that the WG plans to produce. In light of the Zubulake decisions, he thinks that a great opening would be a monograph for companies on their policies for preserving evidence in the face of potential litigation. The group spent some time discussing the concepts -- Including some who noted their frustration with trying to advise clients who are going to be unhappy with the practical results of these new rules. John says that the issues for the monograph should be:
1) When does the duty attach?
2) What do we need to preserve?
The Committee's first program for the 2005 meeting has begun -- Outsourcing: Getting it Right the First Time. CLC member Stephen Hollman chairs the program, and is speaking on, using his phrasing, Service Level Arrangements. He points out the many ways that attorneys, in their zeal to get the most they can out of a vendor, have often created static and non-relevant SLAs that lead to problems such as Stephen's concept of "Death by Metrics." Stephen pointed out an amazing statistic given by an Accenture analyst -- That 70% of outsourcing contracts are re-negotiated within 3 years, which demonstrates to some degree that many of those contracts were not written with the idea of 'partnership' between the vendor and buyer but were written as an adversarial exercise.
Chicago's own Diana McKenzie from Neal Gerber and Jonathan Kaplan from Accenture both spoke to processes of how to get into an outsourcing program. Diana pointed out the value of doing much of the ground work before sending out an RFP, keeping the vendors on their toes by maintaining dual track negotiations, and controlling the agenda by such tactics as having the proposed contracts in the RFP. While many buying companies think they are saving time or costs by putting off those things, Diana clearly felt that those savings were illusory because the deals that result are usually favorable only to the vendor (or worse, only to the vendor's sales person's pocket).
Stephen Mathias, attorney from Kochar & Company of Bangalore, India, gave a wealth of practical tips on contract points that need to be addressed with offshore outsourcing. His written materials for the program should be consulted as part of any lawyer's checklist if a deal is being struck with an Indian vendor -- If only for learning the significantly different legal rules for transfer and assignment of intellectual property between US and Indian systems.
Stephen Gold -- Who completes the trifecta of Stephens -- Joined the panel from Gordon and Glickson of Chicago (which firm is also a sponsor of our Cyberspace meeting this summer). He had a number of tips on avoiding further pitfalls if one is buying an outsourced service. One of his mantras was the idea that one "cannot outsource responsibility." The buyer remains holding the bag when it comes to internal controls necessary for SarbOx, the obligations of confidentiality for GLBA, and any number of other things. He pointed out that the first response to that is frequently a vendor claiming SAS-70 compliance, but that this by itself is not enough given that some SAS70s will be very shallow, and may actually do nothing more than memorialize how poor the vendor's own internal controls are.
Finally -- The program concluded with a mock negotiation over a hypothetical outsourcing contract. One side of the room advised the buyer, the other side advised the seller. Rather than devolve into a food fight lobbed over the aisle, the audience negotiated together with their counterparts on the podium. Much emphasis was placed on concepts of actually making a deal that works rather than simply proving which side could beat up the other. We might never find out if this hypothetical company would succeed in this deal, but the panel certainly put it in a better position.
Wednesday, August 03, 2005
I just got back from an extended set of meetings, the first of which was a two-week negotiation that concluded the new UNCITRAL E-Commerce Convention. [For the Chicago meeting,] we have two main topics.
First, whether Cyberspace should support implementation of the new UN Convention, and if so, what position would we consider on any possible changes to UETA but especially the Federal E-Sign and Global E-Commerce Act? Are there "fixes" to the Federal Act we should promote?
Secondly, should we seek to use the new convention to harmonize e-commerce basic law within Native American or other US-related territories?
Hal (Burman, Harold S [BurmanHS@state.gov])
Tuesday, August 02, 2005
To keep up with the tradition, I am scheduling a "Coffee Event" for interested members and friends of the Committee while we're in Chicago. Intelligentsia, a "famous" Chicago espresso shop, is only 3.4 miles up Lake Shore Drive from the Drake Hotel.
Those of you who've joined me on these coffee excursions in the past know that I try to seek out only the best espresso, and this year's destination should meet or exceed that standard. Baristas from Intelligentsia recently took first, second, fourth, and fifth place in the Great Lakes Regional Barista Championship. And, Intelligentsia was selected Best of Chicago in the annual Citysearch poll. People, we're in for some good espresso.
I'll review the schedule, poll some of our members, and select a good time slot for the visit. As of now, I think a good time would be after the Committee Dinner on Saturday night. Use the Comment feature if you'd like to offer up an alternative time slot.
Here are some links if you're interested in learning more:
Intelligentsia Coffee House
Directions from the Drake to Intelligentsia's Broadway Store
CitySearch.Com's Poll Results on Coffee Houses
Intelligentsia's Articles on Latte Art
"Heralded as the 'Grand Daddy' of American art festivals, the Gold Coast River North Art Fair embarks this summer on its 48th year of wowing Chicago. As one of the most highly attended art fairs in the city, The Gold Coast River North Art Fair annually attracts over 400 juried artists and 600,000 visitors from locations around the world. The free festival is set along city streets and sidewalks in the gallery-filled River North neighborhood; a world-class creative and cultural experience!"
For more information, visit http://www.amdurproductions.com/gold-coast.html.
[from John E. Ottaviani (firstname.lastname@example.org)]
Unfortunately, the Drake and Westin are a bit north of the "Loop" and so they don't quite get to the trains themselves.* Still, a ride on the Blue Line from O'Hare or the Orange Line from Midway, followed by a short (relatively) cheap cab ride to the hotel (Chicago is a "hail a cab" town, so just get out on the curb and gesture wildly), will probably be a money saver compared to cabs all the way from the airport. And, speaking from experience, if you come in during any rush periods the trains will often get you downtown faster (particularly from O'Hare), even with the transfer to a cab at the end of the ride.
* If you really want to go on the train all the way, you can transfer to the Red Line, which is a subway that connects from the Loop trains -- watch the signs and figure out how to do the transfer. However, you'll have about a 7 block walk to go from the Chicago Street stop on the Red Line to get to the Drake Hotel.
Monday, August 01, 2005
Friday 10:00 a.m.- 12:00 p.m.
Program: Outsourcing: Doing it Right the First Time and Every Time
Westin Michigan Avenue: Governor’s Suite, 3rd Floor
Presented by the Technology Committee
Co-Sponsored by the Cyberspace
Program Chair: Steven N. Hollman
Five distinguished leaders in the outsourcing field, including a leading attorney from Bangalore, India, will discuss steps to take when presented with a proposal for outsourcing, constructing service level agreements, special issues in off-shore outsourcing, and disclosure and compliance with U.S. laws. The panel will then engage in mock (unrehearsed) negotiation of a hypothetical outsourcing transaction.
Saturday 10:30 a.m.- 12:30 p.m.
Program: Information Security and Dealing with Security Breaches
Westin Michigan Avenue: Cotillion Ballroom North & South, 2nd Floor
Presented by the Consumer Financial Services Committee
Co-Sponsored by Cyberspace
Program Chair: Joan P. Warrington
In this program, which was developed in conjunction with the Electronic Financial Services Subcommittee, representatives from Congress, the FTC, a state Attorney General and the private sector will discuss the latest laws, regulatory guidance, enforcement action and pending legislation relating to the protection of information and the obligations of entities that experience an information security breach.
Note: If you are interested in these issues, please plan to attend the meeting of the Electronic Financial Services Subcommittee.
Saturday 2:30 p.m. – 4:30 p.m.
Program: Data Governance for Company Directors
Westin Michigan Avenue: Wellington Ballroom Two, 2nd Floor
Program Co-Chairs: Roland Trope and Michael Power
This program coincides with the ABA’s release of a book of the same title written by the program co-chairs. The panel will describe the impending “perfect storm” in the information security environment, identify trends contributing to its formation and review emerging legal requirements that create data governance obligations for directors. The panel will suggest questions directors should ask management to fulfill director obligations and provide guidance for assessing management’s response.
Note: If you are interested in these issues, plan to attend the meeting of the Subcommittee on Privacy, Security and Data Management.
Sunday 8:00 a.m.- 10:00 a.m.
Program: Protecting Organizations’ Intellectual Property and Confidential Data in Outsourcing Transactions
The Drake Hotel: Michigan Room, West Mezzanine
Presented by the Intellectual Property Committee. Co-Sponsored by Cyberspace
Program Chair: Patrick J. Whalen
This program will present the risk to an organization’s IP and other private data when pursuing outsourcing and will outline strategies that companies may adopt to address these risks. Topics include an interdisciplinary strategic framework for structuring outsourcing deals, protocols for privacy protection, dispute resolution procedures and host nations’ treatment of IP.
Sunday 2:30 p.m. – 4:30 p.m.
Program: RiskEContracts: How On Line Consumer Contracts are Treated in Foreign Jurisdictions
Westin Michigan Avenue: Wellington Ballroom Two, 2nd Floor
Program Co-Chairs: John Gregory and Don Clifford
Do your consumer online contract forms travel well? Terms and conditions normal in U.S. consumer contracts may be doubtful, invalid or even illegal in countries whose legal systems you may think are familiar. Lawyers practicing in France, the UK and Canada show you the risks and how to minimize them.
Note: If you are interested in these issues, plan to attend the meetings of the Internet Jurisdiction and Global eCommerce Policy Subcommittee and the Working Group on Consumer Protection.
Monday 2:30 p.m. – 4:30 p.m.
Program: The Wonderful – And No Longer Exotic – World of Electronic Payment
The Drake Hotel: Drake Room, Upper Level
Presented by the Developments in Business Financing Committee
Co-Sponsored by Cyberspace
Program Chair: Martin Fingerhut
This program will provide a basic overview of the nature of payment obligations that are created through the Internet and other electronic media. The panel will also discuss a number of current legal and business issues, including enforceability under state and federal law, taking security on and securitizing these obligations and unique opinion issues.
Note: If you are interested in these issues, plan to attend the meeting of the Working Group on Transferability of Electronic Financial Assets.
All comments and suggestions will be enthusiastically considered. Send them to email@example.com or print out a copy, mark it up on the airplane and turn it in at the Westin hotel desk for Don Clifford. The draft will be discussed at the meeting of the E-Commerce Consumer Protection working group on Saturday morning. All are welcome.
Tom Laudise (firstname.lastname@example.org) and Hank Judy (email@example.com) are the Co-Chairs of the Subcommittee and they very much welcome your participation.
The Working Group will meet on Sunday, August 7th, from 3:30 to 4:30 a.m. in the Windsor Room (Westin Michigan Avenue, 2nd Floor).
If you cannot join us in person, we have set up a dial in number for our meeting - contact Chris or Kathy below or post a comment to the blog to get the details.
We look forward to seeing you in Chicago! Please let us know if you have any questions or suggestions!
Co-chairs: Kathy Porter (firstname.lastname@example.org) and Chris Kunz (CKunz@WMitchell.edu)