Wednesday, March 29, 2006

Yet Another Electronic-Evidence-Being-Tossed-on-Hearsay-Grounds Case

Recall our earlier discussion of a California bankruptcy case, where the judge refused to admit records that had been stored electronically on the ground that the records were hearsay (which they obviously were) but did not qualify for the business records exemption (which surprised the proponent to no end apparently). In that case, the judge felt that the person put on to authenticate the records, purporting to act as the custodian of the records under the evidence rules, did not adequately lay a foundation for the exemption because he could not describe the software and how it worked well enough for the judge to believe that the system was trustworthy and deserving of the exemption.

The USDC for the Southern District of Illinois has just tossed out yet another proffer of electronic evidence. In this case, it involves a case where the plaintiff was suing on libel grounds arising out of a posting that had been published on a web site. The 'webmaster' of the site offered up the IP address that identified the poster of the offending comment, which was apparently the only serious way to complete the chain between the anonymous comment and the defendant. The evidence was proffered with an affidavit of the webmaster, who was not available at trial. The defendant objected to the evidence on hearsay grounds, and suggested that the webmaster's foundation was inadequate to admit the evidence under the business records exemption.

The advent of the computer age has created evidentiary issues and admissibility concerns.

With that opening, the court went on to excoriate the plaintiff's efforts, suggesting that it should have done simple acts by preserving the webmaster's testimony during the discovery phase. The court noted that such evidence would need to cover "specificity as to the manner in which the information was retrieved, the software used, or the method of preparation[. Plaintiff's failure to do so] makes the information provided in [webmaster's] affidavit less than trustworthy, and therefore, inadmissible [under the business records exemption]." (emphasis added) Having severed the only way to connect the dots to the defendant, the judge went on to dismiss the plaintiff's case with prejudice.

The case is Wendler & Ezra, P.C. v. American International Group Data Center, Inc. et al (USDC S.D. Ill. No. 04-CV-641-WDS, March 15, 2006). (Ed.: So far, I can only find for-pay links to a copy of the opinion -- If anybody can find a no-charge link please let me know.)

An anomaly or the coming trend? Well, to paraphrase (and sanitize) Arlo Guthrie -- One person doing it is probably crazy, two people doing it are probably crazier, but three persons doing it -- They're likely to think it's an organization. We have at least two judges on record in only the last few months -- And I doubt that they will fall into the even crazier camp over the course of time.

The biggest message I think out of this is NOT that electronic records are somehow suspect or suddenly a huge barrier to litigants. On the contrary, the judges in both of these cases have acknowledged that these records would probably have been admitted had the proper foundation been laid. In both instances, the attempt to use a custodian of records who was overly succinct and/or vague was viewed as inadequate to lay the foundation of trustworthiness that business records should be afforded. Does that mean that the webmaster in the new case ran a bad shop? No. Does that mean that the credit card company kept poor business records of its customer accounts? No. It mostly means that attorneys who want to take these records and get them into evidence need to take the time to understand how things work. It's the lawyer's job to convince the judge that proffered evidence is something we should trust not because it's been output by wizards who work in the basement, but because the judge can see through an easy to understand and transparent explanation of the system in order to trust it. An attorney who takes the time to understand the technology, to interview the person (or persons) who will take on the custodian role, and who makes a compelling presentation on how the system is trustworthy and that the records accurately reflect the proffered evidence will be much less likely to hit the roadblocks found in these two cases. The attorney who continues to ignore this knowledge and apply it does so at the attorney's peril.

Thursday, March 23, 2006

80,000 HP Staff Exposed as Laptop Loss Party Continues

"This is to let you know that Fidelity Investments, record-keeper for the HP retirement plans, recently had a laptop computer stolen that contained personal information about you, including your name, address, social security number and compensation," HP employees learned via email today.

I am almost wondering if we need to declare a moratorium on lost laptop identity theft stories. The days aren't long enough...

Comments?

read more | digg story

Tuesday, March 21, 2006

GPL Wins to Fight Another Day

The folks at Groklaw alerted us that the antitrust lawsuit that had been brought against the Free Software Foundation claiming that it's GNU General Public License was an instrument of anti-competitive tendencies was dismissed recently. The judge even barred the plaintiff from filing again after he had four chances to file a Complaint. The order can be found here.

I think Groklaw goes a bit too far to suggest that this is some vindication of the validity or enforceability of the GPL -- After all, the judge did not stray from discussing how the lawsuit failed to describe a palpable Sherman Act claim, and never really did get into the document itself. That said, it's some recognition that the agreement exists, which I am sure will mean something to somebody.

In any event, it's also a good time to remind you, gentle readers, that the Committee is putting on a presentation at the Tampa meeting regarding free and open source software, particularly focusing on the corporate law aspects of how to do deals where one or more of the participants has open source in the house. Check out our info down here...

Wednesday, March 15, 2006

"WE HAVE MET THE ENEMY AND HE IS US."

Pogo's oft-quoted wisdom is probably no truer than when we look at how most of us treat our own data security needs.

The Eversheds firm in London, home to our member Jonathan Armstrong, sends along a short story about an experiment performed in London. Most of us have heard the term 'social engineering' to describe the practice of obtaining confidential information by social manipulation of legitimate users. Often, we have the image of some nefarious hacker, wearing a stolen uniform from the phone company, sweet talking the front-desk receptionist into handing over her password for a purported small fix to the system. But, maybe that hacker went to too much trouble? I will let Evershed's explain:
Alarmingly, an experiment carried out last month in London revealed that Security Policies are very easily undermined. IT skills specialist, the Training Camp handed out CDs to commuters explaining that they contained a special promotion. However, the CDs merely contained a programme which informed the Training Camp how many participants had tried to install the CD.

Despite the CD's packaging which advised participants to follow their company's acceptable use policy and which warned of the risks inherent in downloading unknown and unapproved third party software participants proceeded to open and install the CD and ultimately put the security of their company data at risk.

The CDs contained nothing harmful. However, the potential for damage to be caused by such a blatant breach of data security was immense particularly given that participants included both insurance and bank employees.

Thanks again to Eversheds LLP for the heads up.

Tampa Approacheth

Candace Jones, Chair of the Committee, reminds us all that the Tampa Spring Meeting of the Business Section is nearly upon us. The Committee's summary of Tampa activities is posted here.

A few highlights:

If you have not yet downloaded the full schedule (for the entire Section), you can get it here.

The Cyberspace Committee is sponsoring, co-sponsoring, or has members actively participating in a number of programs.

Issues Facing Physician Joint Ventures
Thursday, 10:30 a.m. – 12:30 p.m.
Presented by Health and Biotechnology Committee
Peter McLaughlin, co-chair of the Privacy, Security and Data Management Subcommittee, will speak regarding information technology in health care organizations.

A New Technology Wrinkle in M&A Practice: Open Source and Free Software
Thursday, 2:30-4:30 p.m.
Presented by the Cyberspace Intellectual Property Subcommittee
Co-sponsored by the Intellectual Property Committee
What is open source software? Why should business lawyers care? Open source and free software adds new wrinkles to acquisitions. The panelists will explain open source and free software and offer some practical guidance for evaluating issues associated with its use. The presentation will include tips for due diligence, questions to help better analyze the risks presented by open source and free software and technology to assist in due diligence and analysis of open source issues.

Committee Forum: Hot Topics in Cyberspace Law
Friday, 9:30-11:00 a.m.
Presented in conjunction with the Cyberspace Committee meeting
Cyberspace experts will discuss recent developments in the law related to the Internet and ecommerce. The hot topics for Spring 2006 include disputes about malware masquerading as digital rights management software, on-line libraries, the continuing effect of certain federal privacy regulations on lawyers, and confidentiality of domain name registrant information.
*Note: The Committee Forum will begin during the time scheduled for the Committee meeting.

The Frederick Fisher Memorial Program – Consumer Privacy and Information Security: Does the Risk of Security Breaches Justify the Burden of Additional Safeguards?
Friday, 2:30-4:30 p.m.
Presented by the Consumer Financial Services Committee
Co-sponsored by the Committees on Banking Law and Cyberspace and the Conference on Consumer Finance Law
The program will feature a lively debate by panelists representing opposing perspectives on such issues as who owns and has the right to control consumer data, when and how should consumers be notified about security breaches and whether this area of law is ripe for federal legislation and pre-emption.

Model Data Breach Notification Procedure and Payment Card Industry Information Security Standards
Saturday, 10:30 a.m. – 12:30 p.m.
Presented by the Technology Committee
Co-sponsored by Cyberspace and the Consumer Financial Services Committee
Client calls with bad breach of personal data held by the client. Includes credit card data. Wants to know immediately and specifically: What to do generally? What’s my notification obligation? What should I have done to protect the data? An expert panel covers a model procedure and the PCI Information Security Standards.

21st Century Risks and Age-Old Insurance Clauses: Negotiating Insurance Provisions in IT Contracts
Saturday, 2:00 – 4:00 p.m.
Presented by the Subcommittee on Corporate Aspects of Information Technology
There is a clear need for companies to better understand and manage their exposures to cyber risk. This program focuses on what new risks are likely to arise, how traditional insurance falls short, what new insurance products are covering the gaps, and how to draft insurance provisions in cyber contracts.

Finally -- Remember that dinner reservations are due on March 17! Dinner will be Saturday evening, April 8, at The Columbia Restaurant, a well reviewed place in the Ybor City area of Tampa (a streetcar ride away from the meeting site). The Columbia Restaurant is located at 2117 E 7th Ave., and dinner begins at 7:00 p.m. Seating is limited. Reservations are to be made through the ABA’s meeting registration site.

Wednesday, March 08, 2006

The Petard That Keeps on Hoisting

The U.S. Copyright Office is charged under the Digital Millenium Copyright Act with reviewing the world of technological measures used to protect copyrighted works and determine if any exemptions should be granted to the DMCA's normal prohibitions on the use of methods designed to circumvent said measures. The LOC has been going through that exercise again, recently wrapping up its public comment period to respond to last October's Notice of Inquiry.

One of the interesting 'suggestions' posed by the public (all of which are posted here -- the public was also allowed to respond to the first round and those responses are posted here) was a theme probably best summarized by Prof. Ed Felten of Princeton University. He argues in favor of an exemption for sound recordings and audiovisual works distributed in compact disc format and protected by technological measures that impede access to lawfully purchased works by creating or exploiting security vulnerabilities that compromise the security of personal computers. More or less, this is a response to the Sony rootkit episode, arguing that if we are circumventing for the purpose of protecting our own computer security it should be OK.

Not surprisingly that comment generated a number of replies, both favorable and negative. (Look here for replies that address comment number 6.)

This will continue to keep Cyberlawyers busy as we try to keep up with this debate. Note that those in Palo Alto or D.C. will be able to attend the LOC's public hearings on the issue -- Check out their invitation here.