Friday, October 31, 2014

Spotlight on ABA Academy’s Cybersecurity Core Curriculum


by Nina Hart

This year marks the inaugural season of the ABA Academy’s Cybersecurity Core Curriculum.  The Curriculum is a series of programs addressing the cybersecurity risks facing lawyers, best practices for prevention and incident response, and lawyers’ legal and ethical obligations to clients regarding data security.

The next event in this series, “Moving Target: Cybersecurity Legal Requirements and Liabilities,” will be held on November 19, 2014.  More details on how to register for this and other upcoming events may be found here.

Facing the Need to Improve Cybersecurity Awareness & Practices

Lawyers are uniquely vulnerable to cyber attacks.  Jill Rhodes and Vincent Polley, who were instrumental in the creation of the Core Curriculum, assert that despite this vulnerability most firms and organizations are unprepared to address the risk.  Rhodes states, “We believe that lawyers are at risk because they hold such sensitive client data.”  Being prepared is part of being a responsible attorney; attorneys are required to protect client data from any sort of disclosure.  “The question,” Rhodes says, “is how to do that?  Many lawyers use technology, but tend to be wary with respect to security matters—it can be overwhelming.  How do you educate the legal population about the importance of protecting client data in a way that is understandable to that population?”

Creating the Tools to Help Lawyers Understand & Address Cybersecurity Threats

Echoing Rhodes’ sentiments, Polley notes that there was an “obvious need” for resources that lawyers could access in order to improve their understanding of and ability to address the threat of cyber attacks. The issue was determining what those resources would be.  “It was with the creation of the Cybersecurity Legal Task Force that the stars were properly aligned,” Polley says.  “All the cognizant ABA Sections, coming together, and leveraging their experience and expertise” led to the creation of the ABA Cybersecurity Handbook, a guidebook for lawyers on how to address the threat of cyber attacks on law practices.  Since its release, the Handbook has been a bestseller.  Rhodes states, “What is so great about the book is that it draws on the expertise of attorneys from different types of firms and practices.  These experts did the writing, and the Curriculum tracks the topics in the book.”  The authors of the book, and editors Rhodes and Polley, are also instructors for the Core Curriculum.

Facing the Challenge of Preventing Cybersecurity Attacks

When lawyers consider how to prevent and address cyber attacks, there are many issues to keep in mind.  First, Polley warns, “perfect security is unachievable.  Firms need to take a searching inward look at their own capabilities (and risks), and expand their dialogue with clients to address cybersecurity issues (and re-address them as circumstances change) to develop an informed, shared understanding of the risks.”  Rhodes adds that an effective dialogue also requires that “lawyers and managing partners work well with their IT and security offices.  Security shouldn’t be left for ‘others’ to worry about.  It is everyone’s responsibility to manage data.” 

Rhodes also highlights a critical concern that is rarely discussed.  “We need to discuss what happens if a law firm or organization has a disclosure.  Often, we can manage the disclosure itself; that’s a question of paying for the damage.  The hardest piece to address occurs as soon as a disclosure hits the press: how should the firm or organization address reputational risks?  One of the reasons to focus on this is 1) cyber attacks are a significant risk, and 2) if a firm has not put in preventative measures how can it protect its reputation?”

Meet the Editors

Jill Rhodes is currently Vice President and Chief Information Security Officer for Trustmark Companies, and is experienced in providing education and training to lawyers.  Prior to joining Trustmark Companies, she spent twenty years working on national security and data security issues for a variety of government agencies including the Office of the Director of National Intelligence, Central Intelligence Agency, and Department of Homeland Security.

Vincent Polley has been involved in cybersecurity for over twenty years.  In the mid-1990s, he was responsible for IT policy/law at a multinational energy company, and worked with the company to respond to cyber attacks on client data that were orchestrated by various nation states.  Since 1997, he has been blogging on cybersecurity matters through www.knowconnect.com/MIRLN.

Friday, October 24, 2014

US Courts Seek Public Comment on Proposed Amendments to Court Rules


by Shannon Allen

The United States Courts (“USC”) announces public hearings of the Judicial Conference Advisory Committee and seeks comment on proposed amendments to the Rules of Appellate, Bankruptcy, Civil, and Criminal Procedure.  The USC requested that these proposals be circulated to the bench, bar, and the public for comment.  The Advisory Committees on Rules of Appellate, Bankruptcy, Civil, and Criminal Procedure have proposed amendments to multiple rules and forms, including, but not limited to: Criminal Rules 4, 41, and 45. (See list of proposed amendments at: http://www.uscourts.gov/rulesandpolicies/rules/proposed-amendments.aspx.)

In particular, with regard to Criminal Rule 41, the proposed amendment “provides that in two specific circumstances a magistrate judge . . . has authority to issue a warrant” to utilize “remote access to search electronic storage media” and to “seize . . . electronically stored information even when that media . . . is . . . located outside of the district.” The first circumstance is where a “warrant sufficiently describes” the computer law enforcement wishes to search, but the computer is located in an unknown district, making it impossible to identify a physical location or judicial district for the computer (e.g., child pornography may be shared through proxy services created to conceal the true IP addresses of those sharing it).  The second circumstance is where complex criminal activities utilize many computers in multiple districts at the same time (e.g., a collection of compromised computers can operate as a botnet to disseminate malware, invade the privacy of users, and steal personal information).  The Advisory Committee views Rule 41 in its current state as potentially hampering the investigation of serious federal crimes and proposes narrowly tailored amendments to address these two increasingly common venue circumstances.

The proposed amendment changes the “territorial limitation that is presently imposed” by Rule 41(b) and states that a magistrate judge “with authority in any district where activities related to a crime may have occurred” may issue a warrant that meets the criteria in the proposed new paragraph.  The Committee proposes relaxing the venue requirements “when the district where the media or information is located has been concealed through technological means,” so long as investigators can satisfy the Fourth Amendment’s warrant requirements.  In addition, for restricted types of investigations, the proposed amendments would “eliminate the burden of attempting to secure multiple warrants in numerous districts.”  Finally, the proposed amendments change the notice requirements, requiring only that when the “search is by remote access, reasonable efforts be made to provide notice to the person whose information was seized or whose property was searched.”

The USC seeks comment on these proposed amendments to the Rules of Appellate, Bankruptcy, Civil, and Criminal Procedure.  Public hearings are scheduled to be held on the amendments to:

  • Appellate Rules and Forms in Phoenix, Arizona, on January 9, 2015, and in Washington, DC, on February 12, 2015; 
  • Bankruptcy Rules and Official Forms in Washington, DC, on January 23, 2015, and in Pasadena, California, on February 6, 2015; 
  • Civil Rules in Washington, DC, on October 31, 2014, and in Phoenix, Arizona, on January 9, 2015; and 
  • Criminal Rules in Washington, DC, on November 5, 2014, and in Nashville, Tennessee, on January 30, 2015.

Those wishing to testify should contact the Secretary at the address below in writing at least 30 days before the hearing.  

Jonathan C. Rose, Secretary
Committee on Rules of Practice and Procedure
Judicial Conference of the United States
Thurgood Marshall Federal Judiciary Building
One Columbus Circle NE., Suite 7-240
Washington, DC 20544
Telephone (202) 502-1820.

All written comments and suggestions with respect to the proposed amendments may be submitted on or after the opening of the period for public comment on August 15, 2014, but no later than February 17, 2015. Written comments must be submitted electronically, following the instructions provided at: http://www.uscourts.gov/rulesandpolicies/rules/proposed-amendments.aspx. In accordance with established procedures, all comments submitted are available for public inspection.

Friday, October 17, 2014

Social Media: Changing the Landscape of Rulemaking


by Lynn White

Just as we have seen in politics and other forms of policymaking, rulemakers and regulated communities are taking to social media to engage stakeholders and influence public policy.  This is a tricky strategy since rulemaking does not lend itself to boiling down policies into 140 characters or less.  Most proposed and final rules are well over 200 pages and written in (oftentimes unnecessarily) complex language by administrative lawyers. 

An excellent recent example of this phenomenon comes from the U.S. Environmental Protection Agency’s (EPA) proposal to revise the scope of waters protected under the Clean Water Act (CWA).  According to the EPA, the proposed rule “would enhance protection for the nation’s public health and aquatic resources, and increase CWA program predictability and consistency by increasing clarity as to the scope of ‘waters of the United States’ protected under the Act.”  The proposal was over 110,000 words or 300-plus pages of normal text. 

The American Farm Bureau Federation (AFBF) immediately pushed back on the rule because of the potentially devastating impact on farmers.  Ellen Steen, the AFBF’s General Counsel, stated that the proposal would make many farm activities subject to CWA permit requirements and there is no guarantee that EPA will issue the permits necessary to keep farms operational.  The process of getting a permit is also costly and requires lawyers.  AFBF quickly established a coordinated social media campaign called “Ditch the Rule” that gives stakeholders quick access to digestible information on the 100-page rule and directions on how to file comments.

The AFBF’s efforts yielded great results.  There have been thousands of comments filed on the rule.  The EPA was forced to extend the comment period twice because of the strong public opposition.  The extended comment period allowed many farmers who were in the rush of planting season when the proposal was released to comment on the rule. 

The EPA engaged in its own social media outreach.  The proposed rule has a cutting-edge webpage entitled “Ditch the Myths” (a not-too-subtle parody of AFBF’s site), which you generally don’t see on dry government websites.  William Rodger, the Director of Policy Communications at the AFBF, stated “we’ve never seen an agency produce its own mini site to counter opposing viewpoints.”

In September, the EPA coordinated a “Thunderclap,” or a single message to be mass-shared at a scheduled time, on the CWA rule entitled “I Choose Clean Water.”  The messaging on the rule simply stated that the agency, along with the U.S. Army Corps of Engineers, “has proposed to strengthen protection for the clean water that is vital to all Americans.”  The message purportedly reached over 1,800,000 people.  Ditch the Rule launched a corresponding social media campaign encouraging supporters to give its own message, “I support clean water, but @EPA’s water rule is a problem for everyone. #ReadtheFinePrint here: http://bit.ly/1mlKUDA #DitchtheRule.”

We expect to see more rulemaking battles like this as the Administration continues to use in agency rulemaking some of the social media tools and strategies that made its political campaigns so successful.  With hundreds of thousands of comments for the EPA to process, it will be interesting to see how the agency weighs public feedback.

Friday, October 3, 2014

FTC Seeks Comment on Proposed Children's Online Privacy Protection Rule



by Elisabeth Ulmer

The Federal Trade Commission seeks comment on the parental consent method that AgeCheq Inc. (“AgeCheq”) has suggested in accordance with the FTC’s Children's Online Privacy Protection Rule.

Congress enacted the Children's Online Privacy Protection Act (“COPPA”), which became effective in 2000.  It applies to any person or entity that collects personal information (defined as “individually identifiable information”) from children under the age of 13, online.  COPPA covers “what a Web site operator must include in a privacy policy, when and how to seek verifiable consent from a parent and what responsibilities an operator has to protect children's privacy and safety online.”

Pursuant to COPPA, the FTC issued the Children's Online Privacy Protection Rule (“Rule”) in 1999 and amended it in 2012.  Under this Rule, certain website operators must provide privacy policies and obtain verifiable parental consent before they collect, use, or disclose personal information from children under 13.  Interested parties may offer for the FTC’s review any parental consent method not listed in the Rule, and the FTC now seeks comment on the parental consent method that AgeCheq has proposed.

AgeCheq’s single identity verification process calls for parents to register themselves and their children's device(s) with a third party common consent administrator (“CCA”).  The CCA would then verify the parental identity and link it to the children’s mobile devices.  Codes within applications would automatically check the CCA’s database for the required parental consent.  If the parent has not yet consented to an application’s access, he/she “must use the CCA service to review the developer's app-specific privacy disclosures and affirmatively grant consent.”  According to AgeCheq, this method “achieves the Commission's vision of a reliable, manageable, parent-curated online experience for children who use smartphones, tablets, or PCs to interact with mobile applications or other online services.”

Commenters may address any topic relating to AgeCheq’s parental consent method, but the FTC specifically encourages comments that address any of the following three questions:

  1. Is this method, both with respect to the process for obtaining consent for an initial operator and any subsequent operators, already covered by existing methods enumerated in § 312.5(b)(1) of the Rule? 
  2. If this is a new method, provide comments on whether the proposed parental consent method, both with respect to an initial operator and any subsequent operators, meets the requirements for parental consent laid out in 16 CFR 312.5(b)(1). Specifically, the Commission is looking for comments on whether the proposed parental consent method is reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent. 
  3. Does this proposed method pose a risk to consumers' personal information? If so, is that risk outweighed by the benefit to consumers and businesses of using this method?

If a comment addresses any of these questions, it should cite the number of the question.

Comments are due on September 30, 2014.  Interested parties are invited to submit comments by any of the following methods:

  • Online Filing: https://ftcpublic.commentworks.com/ftc/coppaagecheqapp 
  • Mail: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 (Annex K), Washington, DC 20580 
  • Hand Delivery: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex K), Washington, DC 20024

All comments should include: “AgeCheq Application for Parental Consent Method, Project No. P-145410.”  If choosing the hard copy option, add this identifier to the envelope as well.