Tuesday, February 28, 2006

Dinner Reservations for the Committee Dinner in Tampa

For Spring Meeting Attendees:

Please go here if you would like to make reservations for the official Committee Dinner to be held on Saturday night April 8. Dinner will be at The Columbia Restaurant, a well reviewed place in the Ybor City area of Tampa (a streetcar ride away from the meeting site). The price, as always for Cyberspace dinners, is a very reasonable one. Be sure to join us -- And remember that advance sign-up is due by MARCH 17!

Thursday, February 23, 2006

This "Free Software" is Obviously all Just a Nefarious Plot

A representative of the Mozilla Foundation, distributors of the well-received (except in my law firm's IT department... sigh) Firefox browser, reports that representatives of the UK government recently seized a stash of illicit contraband. Copies of the Firefox browser were taken in from a business that was reselling them, and the government called to find out who would be the proper party to be involved with the prosecution of the malfeasors. The Mozilla representative tried to politely inform the officer that the activities were not only perfectly OK with them, but actually part of the plan. The response was one of disbelief:
If Mozilla permit (sic) the sale of copied versions of its software, it makes it virtually impossible for us, from a practical point of view, to enforce UK anti-piracy legislation, as it is difficult for us to give general advice to businesses over what is/is not permitted.
The story goes on from there in predictable fashion, at least for those of us who deal with bureaucracy from time to time. Give it a read -- It's pretty amusing. (Props to Slashdot for pointing me towards this one.)

And, while you are pondering the changes sweeping across the world as Open Source, Free and other forms of software distribution continue to expand, be sure to look at two events with close ties to our own committee:
  1. Our member Prof. Jane Winn is spearheading a major seminar to be held next month at the Shidler Center for Law, Commerce & Technology in Seattle. Beyond the Basics: Advanced Legal Topics in Open Source and Collaborative Development in the Global Marketplace, will be held on March 21, 2006. The seminar will feature leading experts from around the country who will confront the most difficult issues facing attorneys advising clients on Free and Open Source Software (FOSS) licensing issues in a formal debate and in roundtable discussions. This program will explore different open source development and licensing models, and their impact on global corporate IP strategies. More information is available here.

  2. The Committee is presenting a CLE seminar at the ABA Business Section Spring Meeting in Tampa entitled Another Technology Wrinkle in M&A Practice: Open Source and Free Software. This seminar, largely designed to help the corporate practitioner and those from the IT and IP world who assist those practices, will discuss risks (real and mythical) of open source that might be part of a targeted company's portfolio, as well as techniques for due diligence in such transactions. The program is on April 6 at the Section's meeting headquarters hotel. If you have not yet signed up for the meeting, it is not too late! Go here and get your start.

Thursday, February 16, 2006

Polley's MIRLN Out for February 2006

Vince's latest edition of MIRLN is up. This effort from our past-Chair is always a great read, since he's filtered out the small stuff and left us with the major stories that all of us should have at our fingertips. CLC members should already have received a copy in their own inboxes via the CLCC-MEMS mailing list. (If for some reason that isn't working for you, get on to your MYABA page at ABANET.ORG and start hacking away on your profiles.) All others, members or not, are welcome to view the newsletter on Vince's site, and he provides instructions on how to subscribe.

In this issue, Vince featured a story from Business Insurance magazine regarding Internet Insurance issues and the gaps in coverage that are provided via standard CGL and other 'typical' business policies. Coincidence of coincidences -- The Cyberspace Committee's own Subcommittee on Corporate Aspects of Information Technology (CAIT) is presenting a two hour seminar on more or less that very topic this April at the Tampa Spring Business Section Meeting! If you haven't already signed up for the meeting and planned to join your fellow lawyers, why not? Check it out here. Note that the original two hotels have already filled up -- ABA has secured additional space though in a nearby hotel, at a great rate for Tampa, so you have no excuses.

Wednesday, February 15, 2006

FTC to Investigate Consumer Technology

BNA's Electronic Commerce & Law Report for Feb 15, 2006 is reporting that the Federal Trade Commission will hold hearings this fall to examine emerging consumer issues in the high-tech global marketplace. Quoting FTC Chair Deborah Platt Majoras, "The FTC will once again bring together the experts to engage in a robust dialogue on the state of technology and the future of consumer protection." BNA says that "Majoras told reporters that the commission will invite experts from industry, academia, and consumers groups to participate in the hearings."

The FTC has posted an announcement on its own site. At this point, we only know that the conference will be held in Washington in "Fall 2006."

Given the de facto role as a major regulator of the Internet that the FTC has taken on, CLC members should be paying close attention to this development.

Friday, February 10, 2006

Then, What is (or is not?) a Reasonable Safeguard?

The Minnesota federal district court has just issued a decision involving the ubiquitous stolen laptop with employer's records of consumer financial data stored without encryption scenario. In Guin v. Brazos Higher Education Service Corp., the court held that while the company, a student loan lender, admitted it had a tort duty to the plaintiff arising out of the Gramm-Leach-Bliley Act requirements to provide reasonable safeguards for the data in its hands, the court simply stated that "Brazos had written security policies, current risk assessment reports, and proper safeguards for its customers’ personal information as required by the GLB Act." With that, the court concluded that the defendant had not breached its tort duty.

To the plaintiff's point that it was unreasonable for the defendant's policy to allow such sensitive data to be stored on a laptop kept normally at the owner's personal residence without any encryption, the court responded that "Despite Guin’s persistent argument that any nonpublic personal information stored on a laptop computer should be encrypted, the GLB Act does not contain any such requirement."

That last point was what I found interesting -- Of course the GLB Act does not contain any such requirement (nor do any of the implementing regulations). The government's position has been that it merely describes a need for a process, and then allows that process and the practices of the moment developed over time to determine what is reasonable at any particular point in time. It does not seem (at least from the face of the opinion) that the court engaged in much more than reviewing a conclusory statement from the defendant that it had imposed reasonable safeguards -- And left it at that.

Of course, keep in mind that this is a case of creation of a tort duty out of the constructs of a law -- It may be reasonable to say that the tort duty is narrower than the regulatory obligation that may be imposed directly. It may be that the FTC (presuming it is the agency with jurisdiction) would have a lesser burden to show a breach (or could at least demand more than a conclusory statement from the defendant). Still, I am troubled that this decision seems to imply that if it's not expressly written down in the law (or regulations) as a necessary method to safeguard, then it does not exist as a duty. It may be reasonable to argue whether the government's choice to demand process but not set standards was the right one, but it was clearly the choice the government took, and now we might wonder if courts will choose to ignore that philosophy (leaving a void in the law).

(The court went on to say that the plaintiff had failed to show any damages, and that because the computer's owner lived in a 'safe neighborhood' the burglary was not reasonably foreseeable -- and stated that both of those were equally fatal to the plaintiff's case standing each on their own. So, maybe we should not look too deeply into the tort duty aspect of the decision.)

Friday, February 03, 2006

Computer Business Records Without Foundation?

A recent decision out of the 9th Circuit (sitting as the U.S. Bankruptcy Appellate Panel) should be of interest to Cyberspace lawyers.

While all of us are familiar with the usual litany of how to get business records admitted under the relevant exception to the hearsay rule, many of us have long wondered if there was too much of a leap of faith in the process where the records were computerized. Well, the naysayers finally have a case to lean on.

In In re Vinhnee, (2005 WL 3609376) the district court had refused to admit evidence proffered by a credit card company regarding the debtor's credit card transactions. The refusal was on the ground of defective evidentiary foundation. The trial court suggested that determining the authenticity of proffered electronic records "necessitated, in addition to the basic foundation for a business record, an additional authentication foundation regarding the computer and software utilized in order to assure the continuing accuracy of the records." Even after the proponent was given a second bite at the apple (by being allowed to file a post-trial declaration to lay sufficient foundation), the court found the witness statements to be overly conclusory and the witnesses themselves to be of unproven qualifications. On that basis, the evidence was not admitted, the proponent lost its case because of the evidence issue, and the appeal ensued.

The appeal affirmed the decision (notably on an abuse of discretion standard, which the court said might allow for a "trial court that is finicky about settled authentication requirements [to be] sustained..."). The court noted some scholarship on point, equating computer evidence to be a form of scientific evidence, and suggested that the problem is more complex than it seems. "The 'built-in safeguards to ensure accuracy and identify errors' ... subsume details regarding computer policy and system control procedures, including control of access to the database, control of access to the program, recording and logging of changes, backup practices, and audit procedures to assure the continuing integrity of the records." In this instance, the best the proponent of the evidence could come up with (even after being allowed to go home and do its homework!) was to list off the brand of computers and software the business used, and restate a conclusory opinion that the system was reliable. The trial court determined that this did not meet its requirements for foundation, and the evidence was tossed.

Astute readers will begin to notice a common element to the above discussion with topics that our members are already frequently touching -- Data Security after GLBA, HIPAA and their ilk, and Internal Controls after SarbOx. We also see these same issues popping up in our discussion of what constitutes "control" of an electronic record in the context of a negotiable instrument under UCC § 9-015. All of these matters begin to turn on the creation, documentation and compliance with business procedures. This continues to point out the problem with relying on canned programs that operate without intelligent oversight -- Be it for credit card records, electronic chattel paper, corporate books or medical records.

Which leads to the question of lawyering. One can only wonder how a written declaration was issued in the above matter which made no attempt to discuss policies and procedures regarding the safeguarding of the data -- But I can suggest that had a well-versed cyberspace lawyer been on the task, the proponent might have had a better chance at crafting a document that would have won the day. Is this yet another reason that our practices should be getting more in the faces of others and pointing out our value?

(The sideline to the case: The trial court turned away the credit card company even though the defendant (debtor) did not even show up or enter any argument, having the company suffer "the ignominy of losing even though its opponent did not show up." The judge himself, Hon. Samuel L. Bufford, raised the issue during a routine hearing, and pointed the company to scholarly materials that dealt with the issues -- And the lawyers still did not comply with his requests. Has any of our membership met Judge Bufford? We should look into how he came to be interested in these topics and where he might be taking these things!)

Internet Jurisdiction and Global e-Commerce Subcommittee

The Internet Jurisdiction and Global e-Commerce Subcommittee met in Wilmington as part of the Winter Working Meeting, last Friday, January 27, in the morning and afternoon. We discussed international conventions that might affect an Asia-Pacific electronic transaction; practical and policy considerations relating to Voice over Internet Protocol (VoIP) that might do likewise; and drafting non-compete clauses in an era of borderless communications.

A report of our discussions on the Subcommittee homepage is here.

The Subcommittee homepage itself is here.

Comments on any of this material are welcome. In particular:

- Contributions to the VoIP program for the Annual Meeting should be addressed to Konrad Trope or Kristie Prinz.
- Ideas for use of the Subcommittee's time in Tampa in April would be welcome. We have an hour as ourselves, and Hal Burman's International Policy working group has an additional hour.

Internet Law Subcommittee WWM activities

During the WWM in Wilmington on January 27 and 28th, the Internet Law Subcommittee primarily worked on the “data breach” notification program scheduled for the Section of Business Law Meeting in Tampa and a new project to address electronic waste disposal concerns.

Data Breach Notification Program

The Tampa program will be presented in conjunction with the Cyber-security and Privacy Subcommittee. The first part of the program, entitled “Model Data Breach Notification Procedure and the Payment Card Industry Security Standards,” will provide practical advice for counsel when the client calls up, reports a data breach and asks what to do next. The second part will focus on the enforcement of new information security requirements against credit card merchants by associations of credit card issuers.

At the WWM, discussions focused on certain issues:

• How does one know if there really has been a data breach (some protected data has actually been “acquired”)
• How does one know the extent of the breach (what protected data has been “acquired”)
• How does one deal with the “race against time” in which there is a competition among the efforts of the forensic experts to learn exactly what happened, the desire to make a complete and accurate public announcement, and the desire to shorten the period during which customers are exposed to theft.
• How to handle the case of a client that is reluctant to report a data breach or wants to delay the report, perhaps for an unreasonable period.

In the course of those discussions, we realized that clients with multi-national operations may find themselves weighing strict compliance with US data notification laws with potential criminal and/or civil liability consequences in other countries—probably a good reason for a client’s apparent “reluctance” to comply.

The program will also provide an overview of existing data breach notification laws and pending legislation and will provide information on recent major enforcement cases.

We are very interested in including any data breach notification “war stories” and in addressing any practical data breach issues which members of the Cyberspace Law Committee have. Please feel free to contact Hank Judy, Tom Laudise and Michael Power or Peter McLaughlin, co-chairs of the Cyber-security and Privacy Subcommittee. (Those offering the best and most well-documented war stories will be treated to the appropriate libations and opportunity to tell the full version of the story in a suitable environment, a/k/a bar, at the next ABA gathering courtesy of Hank Judy and Tom Laudise.)

Electronic Waste Disposal

Electronic equipment is laden with harmful material which, if not disposed of correctly, can severely harm the environment. Currently, much of the disposed of electronic waste finds its way to dumps in impoverished areas of the world. Often, the original owner of equipment has no idea that this is the case and believes that it has been “properly disposed of” by the company it hired for that purpose.

Several states have laws requiring the proper and environmentally sound disposal of electronic equipment. Legislation has been proposed in many other states and in Congress. The EU has several directives in place addressing the environmentally sound disposal of electronic equipment, as well as related issues of disposal of packaging, and environmentally sound initial design. During the WWM Tom Laudise and Hank Judy presented PowerPoints on different aspects of the problem and circulated research materials.

Internet Law had originally planned a survey of the law. However, discussion at the WWM revealed that it would be more useful to instead prepare an article which will, first, alert counsel to the issue and potential serious liabilities for improper disposal of electronic waste, and, second, provide a sample agreement/clauses with a third party provider of electronic waste disposal services (as well as assured erasure of hard drives and related memory). We hope to circulate an initial draft contract in the next several weeks.

We would like to publish such an article this year. Depending upon the response to the article, we will consider an ABA program in 2007. We would very much like assistance and ask that anyone interested please contact Hank Judy or Tom Laudise.

Model Website Development Agreement and Commentary

We will work to finalize a model website development agreement with commentary this spring. This project enjoyed/suffered a brief hiatus but is now back—hopefully in time to be included with the Working Group on Electronic Contracting Practices' second release of its Model Web Site – Cyberspace Law's very successful publication meant for practitioners assisting clients who are setting up eCommerce operations within a corporate environment.

We will circulate the next draft for comments soon. Anyone interested in reviewing that draft and providing insightful feedback, please contact either Hank Judy or Tom Laudise. Tom already has a list of “usual suspects” and, in lieu of volunteering, you may contact him to confirm you are on the list.

* * * * *
Finally, if anyone has any additional projects they are interested in seeing the Internet Law Subcommittee take on, please contact either Hank Judy or Tom Laudise.

Wednesday, February 01, 2006

New Efforts on Law of Software Licensing

The American Law Institute (creators of such great works as the Restatement of the Law, and the joint author with the NCCUSL of the Uniform Commercial Code) is now in the process of creating a proposed uniform set of principles that deal specifically with software transactions. Recall that the ALI split from the NCCUSL when the predecessor to UCITA, which was to be issued at one point as Article 2B of the UCC, was rejected by ALI, and NCCUSL went off on its own to issue its proposed UCITA -- with results we need not rehash here.
As noted in today's BNA Electronic Commerce & Law Report, the effort here will be much narrower than that of UCITA -- the scope explicitly excludes potentially controversial issues like digital databases (let alone entertainment products and the like).

Some of the major issues addressed in an early draft include: contract formation, delayed terms, choice of law, embedded software, the treatment of mixed software and service transactions, and unconscionability.

The Reporter is Robert Hillman, a law professor at Cornell Law School, and the Associate Reporter is Maureen O'Rourke, interim dean of Boston University School of Law. The hope is to present a full draft for discussion at the ALI's annual meeting in May 2007 in San Francisco.
Members of the group that are working on the project are noted here -- Astute readers will note many Cyberspace Committee members sprinkled throughout the list.