Tuesday, April 11, 2006
The OAS documents are on the Internet Jurisdiction and Global E-Commerce subcommittee's home page, under Other Links of Interest:
Most of the discussion focused on the UNCITRAL Convention on the use of electronic communications in international contracts. The Subcommittee yesterday approved joining the Science and Technology Section in supporting US signature of the Convention. Hal's meeting went in more detail into the signature process and the different considerations that might have to be taken into account in a decision whether to ratify the convention.
The Executive Director, Bill Henning, and the past president, Fred Miller, of NCCUSL were present, along with several veterans of the UETA process, to discuss whether and how NCCUSL might express its views on the Convention. Bill indicated that NCCUSL would usually restrict itself to saying that the Convention was compatible with state law, rather than actively supporting the Convention.
Pat Fry and others would study the Convention in early May and report to the Committee and to State on their views.
The meeting discussed how the proposal to support signing might be presented to the Council of the Section, and the timing of this in light of NCCUSL's timetable. It was thought that the Committee should take this forward to Council, with help from the International Coordinating Committee, without waiting for the NCCUSL review, if Cyberspace had done its own (which we consider ourselves to have done). Council might send views on to State or it might wait to see what NCCUSL had to say - it was certainly of interest to Council whether NCCUSL had concerns. Hal and Henry Gabriel suggested that the Convention was very much like UETA and should not be problematic.
Several members of the Working Group, along with Candace J, were bound from there to the International Coordinating Committee to make their case, which your blogger can now report they did, and their plea was supported at that Committee - particularly in light of the limit of the proposal to support signature only at this stage.
(Many thanks to Roland who really did a great job of adding to our blogging output this meeting. Let us all encourage him to continue, and to bring along that cool little camera of his as well. Here's a shot taken at the Carlton Fields reception outside the Yacht StarShip.)
Saturday, April 08, 2006
Jonathan Armstrong (leveraging his British accent)
Sometime around 2001 as I was walking from one subsubsubworking group to another, at the Cyberspace Winter Working Group meeting at the DC Capital Hilton, I ran into this woman who was cruising the emptying room picking up the handout at the end of a session. (You know, the I-was-in-one- meeting-but-there-was- this-other-one- I-really-wanted-to-see- so-I-dropped-by-the-room -to-see-if-they-left- any-handouts ABA scavenger hunt. C'mon, don't tell me you don't do it too.) Literally ran into her, and I think I had to pick up the pile of paper we both dropped. I gave her the short version:
(insert Polley inflection here, boots optional) "Cyberspace Committee, ABA, Internet, all kinds of new law, e-commerce good, people good, fun good, publications pretty good."
I got most of the details wrong -- a point of which she still reminds me ("you said it was TWO years as chair! You LIED!") pretty much every ABA meeting -- but we hit it off anyway. Only thing I did right was to reflexively reach out to a newcomer. But hey, she bought it -- and became a wonderful leader, key Cyberspace author, replaced me and outdid me, and herself became the incubator of a bunch of additional really good leaders.
Today is her last day as E-Commerce Committee chair and we should celebrate her successes. Luckily someone booked us into a Cuban bar for dinner tonight... See you in Ybor City.
Mike Rodman of Albert Risk Management Consultants spoke on his observations of businesses and how they interact with the need for cyber-insurance. He noted a number of risks that should be addressed in any useful policy, particularly noting the need to address what things are NOT covered in other policies such as CGL. He suggested that there is still a lack of belief in the need for these kinds of cyber-loss policies -- and that in his opinion businesses do that at a higher degree of risk than they believe.
Bill Denny spoke on traditional contract principles and how we have historically allocated risks in IT deals. He then recalled the traditional insurance policies that we might have been analyzing for our clients -- third-party liability policies including CGL and its cousin E&O to cover many traditional IP claims such as copyright infringement; and first-party coverages such as property, automobile and the like. He reminded us of the differences between occurrence policies and claims-made policies. He also reminded us that some policies provide a defense and some do not, some will pay defense costs only after the claim is actually paid out, and some count defense costs against the policy limits while others do not. Bill also went over how many of the boilerplate provisions we frequently glaze over may be self-defeating of our purported intentions.
Margaret Reetz of Chicago discussed how the newer policies have been working out in practice, based on her practice representing insurers. She discussed concepts of how the cyber-policies provide coverage, and misconceptions that are out there.
Emily Freeman of JLT Risk Solutions of London discussed how so many of us will spend so much time negotiating the best indemnity clause ever written, and never take the time to wonder if the indemnifying party has any insurance to stand behind that indemnity. She reminded us again how 'useless' CGL policies will be to cover indemnified cyber-risks. She also reminded us of how little consistency there is between the various policies that fall into the so-called cyber-policies. Her strongest message was that we should never rely on just calling out the name of a policy (like "CyberInsurance") and assuming that any particular risks are covered. (Emily has a checklist she would be willing to offer that lists the various risks that we should be asking about.) Rather, we need to cite the specific risks that need to be covered. She discussed the methods that potential insureds will need to follow to get coverage, including the due diligence that insurers will do prior to writing coverage. (Getting coverage, and 'passing' due diligence by the underwriter, is itself a flag for customers of the insured parties. Failure to get insurance can be a red flag.) She also noted that those who rely on their vendors to be the sole source of potential assets to cover risks are potentially foolish. The sorts of claims at issue involve actions that tend to harm many parties -- imagine a privacy breach affecting thousands of consumers who have dozens of different banks, all of which use a common financial data services provider. If that provider has a $5 million policy, there is not much left for the 2nd claimant after all 4 dozen of them suffer $5 million in damages. Those customer businesses will hope they had thought to obtain their own policies.
Touch base with Prof. Don Clifford if you wish to participate -- his Working Group's home page can be found here. This is a really great opportunity for the person who wants to get started with CLC, since the project lends itself well to one who wants to write either short or long pieces. See
Don ran through a number of projects that are in various stages of life, and made sure that potential participants knew that their mission was to get in touch with Bill or Don and get their wishes known.
- An M&A checklist for IT concerns (Bruce Doeg & Bill Denny are leading the charge.) Can we assist the business community to understand the issues in IT that will come up in their deals? How can we get experienced lawyers in line when these deals come up?
- How can the IT purchasing community start to get vendors to take contractual responsibility for the security breaches caused by their products?
- Corporate-sponsored blogs -- Can we produce a product to advise counsel on analyzing the risks of issuing corporate-sponsored content via 'blogs' (or any of the other non-traditional mechanisms that we see now or that will surely be invented soon).
- Corporate rules on how to filter incoming e-mail going to employees -- The USA perspective is essentially that the employer is in total control of this, but EU and other jurisdictions feel differently. How can a company that crosses boundaries have a viable policy?
(photos by Roland Trope)
This is another great opportunity to enjoy the home city of one of our members (just as we did this year with Bill Denny and Don Cohn welcoming us to Wilmington and the wonderful Hotel DuPont). I am looking forward to seeing a town I've yet to spend time in.
Model Data Breach Notification Procedure and Payment Card Industry Information Security Standards (CLE session)
Questions from the audience were lively.
Panelists provided an unconventional discussion of company responsibilities to fulfill statutory obligations when data breaches occur.
Tom Laudise noted that the California statute (the "granddaddy" of data breach reporting statutes) overlooks the fact that with web search capabilities, data thieves do not need several kinds of personal data; they need only one important kind, such as a social security number, and can then locate the rest of the data they need in order to make illicit use of it.
Tom also noted that with so many states now having enacted disparate data breach statutes, it is time for federal legislation to harmonize these obligations. He discussed the pending HR 4127, Data Accountability and Trust Act, and its underlying theme "If you can't protect it, don't collect it." It gives enforcement action authority to the FTC and state attorneys general, which is strongly opposed by financial service companies. He doubts, however, that the House will enact any of the competing bills currently pending unless there is a significant data breach as a triggering event.
Jonathan Armstrong, from the UK, discussed data breach -- a view from Europe. He noted that there are increasing numbers of data breaches in Europe, and particularly in the use by EU businesses of offshore call centers. He noted that companies seem reluctant to recognize that if you pay employees less, you increase the chances that they will be susceptible to bribes by data thieves. He drew an analogy to a weather map, and noted that there is a strong storm system of threats to data privacy moving west from Eastern Europe. He also provided the graphic example of a person who once told him "you will never understand data privacy until a neighbor of yours has been taken out and shot." Jonathan noted that despite the EU-wide Data Directive, each Member State has implemented its own national version, and that the prosecuting official for a data breach will, therefore, not come from EU headquarters in Belgium, but from the local Member State. In Europe he added that there is "loads of law, but little enforcement", whereas in the US "you have little privacy law, but vigorous enforcement." Mandatory reporting requirements are proliferating, with Norway being the first, where the mandatory report must be to the Norwegian data commission, which then will decide if the company must report to end-users or affected customers. Data reporting laws also have emerged in Hungary, Malta, Sweden and Germany. In most countries, persons have the right to make a "subject access request" -- if they believe they are in a class affected by a data breach, they can submit such a request, and the company must respond within a brief period. In Europe, it is common that prior to handling personal data, a company must register with the Member State's data protection commission.
Robert Rothman emphasized the need during initial diagnosis of a data breach to create a centralized "Fact Sheet" to ensure that one version, not many, becomes the view of the company internally and in contacts with the media. He pointed out that when a company reports a data breach it should give very careful consideration to omitting from such notice any disclosure of information that would alert the data thieves to the significance or value of the platform or stored data that they took.
Michael Power approached the problem as an evidence collection exercise in which the overseeing counsel needs to make sure that they can trust everyone involved. He noted this must start with the engagement of a forensic expert. When a company suspects a known person or target who may have stolen the data, he recommends seeking court orders to compel production of their storage devices in order to "ghost" them and review contents to determine if they contain stolen data. He drew the analogy to coming home at night, finding the door had been forced open, and then having the difficult task of determining what happened -- did the intruders merely walk around, did they party (unlikely), did they go upstairs and take valuables from drawers, etc. Finding out what the data intruders actually did is an important task that needs to be investigated and should not be assumed away. He noted unique issues that arise under Canadian federal and provincial privacy laws. In one instance, he discussed how the team leader (and there MUST be one after a breach) needs to be prepared to deal with the media. He echoed the theme of earlier panelists, "Get the Lawyer in Early," if there is a security breach.
Joan Warrington elaborated on that theme, emphasizing the risks of class actions and attorneys general investigations. She devoted considerable attention to the Payment Card standards and how clients will increasingly need to grapple with these standards. They emerged, in part, from Visa, and have been approved and adopted by all of the big payment card sponsors -- Amex, MasterCard, etc. They are applicable to all entities that store, process or transmit cardholder data. If you go to the websites of these card issuers there are inches-thick materials (when printed in hard copy) on compliance with those standards. Several banks, for example, have sued BJ's claiming that they are third-party beneficiaries of those standards and seek to recoup funds lost through thefts that originated in data stolen as a result of BJ's alleged failure to comply with those standards.
Hank Judy encouraged counsel to download from the Better Business Bureau and from MISMO websites the primers available on how to handle data breaches (the former is best suited to small businesses, the latter provides a more sophisticated and technologically advanced guide). He highlighted certain issues that can be easily overlooked. Unlike usual thefts where missing items mean something has been stolen, with data "the absence of evidence is not evidence of absence" because hackers are often skillful at compromising data without leaving a trace of their intrusion and leaving the data seemingly intact. There needs to be a person with "unambiguous decision-making authority." Although perhaps counterintuitive to companies fearful of the consequences of a public disclosure, he encouraged the use of a website to provide notice (gets the word out to a wide community, and keeps control of the version released by the company -- and allows a company to combine a good account of the incident, with links to service providers that can help consumers protect themselves from the consequences of the breach, and that allows a company to continuously update its account and such aids as needed). Hank recommended as an example that counsel view a few websites, including this one put out by Georgetown University after an incident.
Questions from the audience included Michael Khoury's inquiry about how to respond when you advise your client on the best-practice responses to the data breach and the client brings you up short with one or another version of the question, "But isn't that going to cost us a shitload?"
Andy Serwin made a presentation (using PowerPoint in an unexpected way, with non-volatile storage/display tools -- paper) trying to read the tea leaves about the FTC's emerging security policies. While recent enforcement actions are reported as "privacy-protection" activities, a closer look suggests that: (a) the FTC is more focused on a lack of underlying security, at (b) companies that are holding financial-related information. Relying on Gramm-Leach-Bliley, the FTC has seized on the lack of a written contingency plan (for managing security incidents). (While many companies have at least decent security processes, many of these aren't formally enough institutionalized in a fashion that facilitates knowledge continuity -- hence the need for a written plan.) FTC actions also illustrate the need for formalized risk-assessment and risk-management processes, systematically applied to the area of information security. (An e-copy of Andy's presentation resides here.)
The number of people in the room, the kinds of questions raised, and the level of passion exhibited during this meeting all suggest that the "perfect storm" of security/privacy is closer than a distant speck on the horizon. The lawyers who prepare earliest may actually benefit from the coming storm, by being able to out-sail their less-well-prepared colleagues. As with Health-Safety-Environment, companies also may find an emerging competitive advantage flowing from their earlier planning. (Argue this, when justifying your participation in our work.)
- The first was Internet governance: has the Cyberspace Committee something to say on that topic, would the ABA agree, and would anyone else in the world care?
- The second was a project on state (and probably federal) courts' response to choice of law provisions in internet transactions.
- The third was whether Cyberspace, and/or the Section, should support the submission by the Section of Science and Technology to the Department of State that the US should sign the UNCITRAL Convention on the use of Electronic Communications in International Contracts.
On the first topic: considerable scepticism on all three points. The subject was considered inchoate at the international level, with "high barriers to entry" because of the complexity, density and high political content of the material (not to mention the travel budgets required to participate in meetings). If anything were to be done, it should be on narrow focused and ideally relatively technical topics, rather than big policy issues like "should policy be set bottom-up, as with ICANN and its user constituencies, or top-down by governments?"
The meeting discussed whether to try to formulate a solution to the WHOIS issues presented by Kristine Dorrain at the Hot Topics session on Friday morning. For reasons to be outlined in more detail in the report of the meeting on the Subcommittee's home page (in due course), there was some reluctance to undertake this. The topic was left with an invitation from the chair to propose topics, ideally narrow and manageable.
The second topic, on choice of law, was inspired by a recent California case and by revised Article 1 of the UCC, which has been adopted in California - but nearly nowhere else, so far, at least on this subject. There was some discussion about how closely linked the questions were to the UCC. At the end, the project was thought to be worth pursuing, so the chair would pursue volunteers, offline and on. It was thought that someone with students with term papers might be a good candidate. It might be useful to reach out to other subcommittees.
The third topic, the UNCITRAL Convention, led to discussions about the nature of the decision to sign conventions under the current US administration, the differences between signature and ratification, the role of NCCUSL and implementing legislation generally, and the process for joining the SciTech submission if we wanted to. Detailed discussion was left for the meeting of the Working Group on International Policy, but the meeting favoured, nemo dissentiente, moving towards support of SciTech and US signature of the Convention.
1. Ben Beard succeeds Elaine Ziff as co-chair (with Chris Kunz) of the Electronic Contracting subcommittee. Ben will have a challenge filling Elaine's shoes (in so many ways).
2. In Electronic Financial Services, Bob Ledig is rotating off as chair (but rotating into a new role as chair of the Joint Privacy Task Force, whose other parent committees are Banking and Consumer Financial Services). Bob will be succeeded by co-chairs Judy Rinearson (of Bryan Cave) and John Morgan (of Amazon, whose return to the Cyberspace committee comes after a brief, six-year hiatus).
3. In the Electronic Payments Working Group, Steve Middlebrook (of the Treasury) will be joining as co-chair to help Sarah Jane Hughes (of Indiana Law School).
4. In CAIT (which the poster initially created out of whole cloth in 1997), Bill Denny (of Potter Anderson) will be joining as co-chair to help Don Cohn (of Dupont).
5. Lisa Lifschitz (of the Gowlings incursion, officed in Toronto) will succeed (but never replace) Jackie Scheib as chair of the Membership subcommittee.
6. UPDATE: Kristine Dorrain, from the National Arbitration Foundation in Minneapolis, will be Co-Chair of the Intellectual Property Subcommittee, taking over Eric Goldman's seat at the end of his term.
(I may have missed a couple -- I'm simply acting as a reporter here -- changes and corrections surely will appear as time goes by.)
Friday, April 07, 2006
One highlight of the MTPA meeting was the return of long-time member Jamie Clark, who has been away from our last few meetings. All of us in CLC are happy to have Jamie back.
The meeting began at 8 AM, with the core people as well as the ABA publications group represented. Discussion focused on the continuing need to move the project forward and some of the difficulties that have kept this from coming to full fruition. We confirmed that the publications group would still like to see this move forward, particularly given that there continues to be demand for the original product from the early 1990s that focused solely on EDI.
Debates focused on concerns of whether the project should focus on the seller/buyer relationship (as in the original product), should focus instead on the 'network' relationship between the seller, the buyer and the provider of the communications mechanisms (somewhat akin to the relationship between licensor, licensee and a software escrow company), or some variation thereof.
Prof. Ben Beard left with a clear sense that the project will move forward. Please get in touch with Ben if you are interested in participating.
The IRS has proposed a rule that allows tax preparers to sell the information you give them provided the consumer consents. This has created an uproar during the past two weeks. Why should the tax preparers be allowed to use, under any circumstances, information gathered in that activity? Just because a firm prepares your taxes should not mean that by getting some kind of consent it should be allowed to sell your personal data to a Kleenex maker who wants to sell tissues to you. But consumers who put such a freeze on their accounts often find they lack the key needed to lift the freeze within 15 minutes, as needed to obtain, for example, a car loan. Few consumers have taken advantage of this tool. There is federal legislation pending on this at this time.
Personal information, of course, covers a spectrum of increasingly sensitive information. The panel took the view that when you are developing safeguards for information you need to determine at the outset the sensitivity of the information. Social security numbers are among the most sensitive information collected by firms on US persons.
As a result, security and privacy cannot be cut in half or segregated, and their linkage is the underlying assumption of the Fair Credit Reporting Act. And yet, federal law protects personal information linked to a credit card more than personal information linked to a debit card.
Another aspect of the kind-of-information issue is that a small amount of personal data gathered on many people can result in substantial harm to a large number of them, particularly when credit card numbers are stolen and misused. One man in the last year took in $37 million by such identity theft -- and this occurred through a series of comparatively small charges of $20 - $40 per transaction, repeated numerous times, that amounted to small-fraud activity and a large-fraud theft of funds by use of stolen identities. Such activity tends to escape the neural networks that the credit card companies created in order to detect aberrant activity in card usage that would alert them to a misuse of the credit card.
Theft of debit card numbers is a growing problem that the banks do not like to disclose or discuss. Consumers who are victims of such activity often do not know that their funds are being stolen until the thieves have vacuumed out all of their funds.
One panelist argued that the best solution to Identity Theft is the tool known as a "security freeze," namely a freeze on a consumer's account for the creation of any new credit unless the consumer issues a temporary unfreeze order (requiring a string of security procedures).
(Unfortunately, the written materials which detail many of the state data breach reporting laws seem to have little, if any, relevance to this panel's discussion.)
Vince Polley reminded me that our CIPerati newsletter had recently had a discussion of Google Library Project -- James Nguyen's discussion is a good accompaniment to Prof. Sharon Sandeen's presentation on the same topic at the CLC Hot Topics. Check it out!
Thursday, April 06, 2006
Following is a description of progress the CSCI sub-committee has made since WWM '06 and our future work plan.
At the WWM in Wilmington, the CSCI sub-committee was joined by Mike Jerbic of the Security Forum of Open Group to explore possibilities for collaboration between CSCI and the Security Forum on a white paper on network security. Since the WWM, we have been working on a draft outline of the paper, which has gone through 3 iterations. We have also had a number of conference calls with the Security Forum on the subject, with our next one scheduled for April 6.
Although the co-chairs are unable to attend the Spring Meeting in Tampa, the subcommittee has scheduled an all day working session on April 28 in Washington, DC that is contemporaneous with a meeting of the Open Group also scheduled in Washington earlier that week. We intend to progress the draft outline to a pre-beta draft of the white paper. We intend to discuss a more advanced draft of the white paper with the subcommittee in Honolulu. We will also be planning a program either for the Spring or annual meeting in '07.
Any subcommittee members who wish to have a copy of the draft outline, or who would like more information regarding the April 28 meeting in DC, should get in touch with Richard or David. The draft outline was prepared by Mike Jerbic, in consultation with Richard and David.
The Committee's first Program of the 2006 Spring Meeting discussed Another Technology Wrinkle in M&A. Of course, the cyberspace law angle is the ongoing struggles that business lawyers have with analyzing free and open source software issues -- particularly when looking at a target company which may or may not have software that may or may not be at risk of 'infecting' or being put in a non-proprietary mode of ownership.
Of course, a great deal of the problem is just teaching folks how to recognize the problem and the legal risks -- our illustrious panelists took the experienced and the inexperienced down that road. For the rest of the story, be sure to connect to the materials posted by the Section for its members (as well as Vince Polley's observations posted here).
The Free Software Foundation has useful resources: e.g., pointers to the various flavors of open-source licenses, together with their (current) language and commentary. Karen Copenhaver's program materials provide a good first checklist for preparing (and executing) necessary open-source due-diligence activities. (Business Law Section members can find copies of all Spring Meeting programs at http://www.abanet.org/buslaw/home.shtml -- click on the "Tampa" icon under "Program Library" (top-left), and then click to page number "4").
Elaine Ziff opened the meeting by thanking the Subcommittee for allowing her to be the Chair, as her term is soon to come to an end. Prof. Ben Beard will be taking over Elaine's chair this August.
Elaine took a few minutes to go over recent cases of interest, particularly focusing on the recent advertising keyword cases -- Pointing out that we seem to have a split between various courts that feel a keyword either is or is not a 'use' under trademark law. This promises to remain a hot topic.
Prof. Chris Kunz then opened up the new roundtabling method -- rather than picking a single topic to brownbag, she invited a handful of members to 'prime' discussions by raising some (sometimes provocative) points in the hope that other members in attendance would pick up on a point and run with it. Hank Judy spoke of his growing sense that the Cyberspace world was better explained through a property law analysis than through the long-standing presumption that there is such a thing as a 'virtual' world. A cynical fellow sitting next to Hank opined the opposite. Roland Trope, Candace Jones and Steve Middlebrook also joined in with their different topics. With that, the discussion was off, and it was clear that this room could have kept going for yet another hour. Too bad -- we had to vacate at 2 PM.
Chris suggested that we had not seen the last of that format for roundtabling -- Look for it again in Hawaii!
The beautiful Marriott Westside in Tampa is hosting the meetings for our Committee. For those of you who aren't here, I won't tell you anything about the nice weather, such as found in the above picture (taken just moments ago).
Many of us have already begun our networking, greeting and talking -- The best part of any CLC gathering. The first official meetings begin at 1 PM EDT -- I will try to update you from time to time.
Saturday, April 01, 2006
(Only Business Section members will be able to download the materials.)