What Is Legally Defensible Data Security?
By Professor Jim O’Reilly
Questions we didn’t even think about a few years ago rocked the hall at this session: What data security is defensible against claims that the breach of privacy was the predictable fault of the “negligent” data holder? How much should the public expect to be accorded “adequate” security for personal data in large data systems? How much should large data handlers pay in compensation when their system “leaks,” and criminals misuse the data? How much could our clients lose?
Three experts on data security from the United States and Canada explained the consequences of failed protections for the audience. The Federal Trade Commission, Health and Human Services, and other entities are looking at privacy losses with a presumption that a breach was a result of errors in the company’s system.
Defending these cases can be costly, as Peter McLaughlin of Boston explained. Toronto barrister Michael Power applied Canada’s lessons, and David Navetta of Denver provided useful technical insights for companies. The longer-term strategies for in-house counsel should be constant retraining, IT cooperative relations, and strategic alignment with IT vendors.
The CSI Effect: What Have We Learned Over the Last Decade?
By Mathew Schantz
All across the country attorneys worry about the encroaching influence of television shows. Programs like Bones and CSI have opened the forensic world to the masses and raised the bar for juror expectations.
Dr. Kathleen Reichs, a forensic anthropologist and author of the Temperance Brennan novels, said that the shows err on the side of facts, and while they do not promote myth, they do play around with probability. “Will there be that one piece of evidence that links everything together in a case? Probably not.” Dr. Michael Baden, who worked on the investigation into President Kennedy’s assassination, stated that forensic science is pro-prosecution. “Scientists and judges should not be advocates.” When working on autopsies of a homicide victim, pathologists cannot follow what the prosecution’s theory of the case is: “they must follow the science.”
The misconception is that jurors believe that DNA evidence should be available in most felony cases. In actuality, DNA is only found in about 15 percent of all murder cases. While this lack of evidence may inhibit a criminal case, the real culprit is “bad science.” Dr. Baden states that judges may fall prey to bad science by accepting “forensic experts” with no real science to back up their findings. It is these self-proclaimed scientists that skew the public’s idea of what evidence can or should be found in a crime scene. Judge Donald Shelton of Ann Arbor conducted a series of surveys searching for the link between jurors watching shows like CSI and their expectations when the evidence is presented. These surveys found that there was no correlation between the two. “Blaming television is too simplistic an approach. There is no CSI effect.” Regardless of whether the effect exists, jurors need to understand that some forensic evidence may not exist.
Hot Topics in Internet Law and Strategy
By Amy Sanders
Audience members using iPads and BlackBerries broadcast this session through social media channels such as Twitter, thumbs flurrying as the audience engaged with panelists Ian Ballon, Christine Dekker, and Betsy Bayha. The trio emphasized online transparency, recognizing that constant change means technology talk must revolve around behavior instead of technology itself.
In the explosion of Internet law class action cases, misuse of consumer data through various technologies is a concerning behavior playing a leading role. The panel advised that website privacy policies be drafted with keen awareness of the rapidly changing regulatory environment that aims to protect consumers.
Transparency is also paramount with Internet “clickwrap” and “browsewrap” contracts. Internet users commonly encounter unilateral contracts online, some of which raise implied consent issues (e.g., “browsewrap” terms of service contracts simply posted on a website without requiring explicit user consent). Opt-in “clickwrap” agreements are generally a best practice, because the consumer is properly informed and their acceptance is clear.
To keep abreast of trends in Internet law, try tapping into Twitter feeds using hashtags like #SciTechEdge or by following @ABASciTech.
Cloud Computing: Evolution or Revolution?
By Anthony Macauley
Stephen N. Hollman, a principal of Business & Technology Law Group, explained how cloud computing means more than moving data offsite. One can scale those offsite services to fit one’s needs. Demand for services and resources can be elastic.
All the panelists agreed that risks abound. David L. McClure, an associate administrator of the GSA Office of Citizen Services and Innovative Technologies, and Mr. Hollman suggested questions to assess risk. How much transparency, privacy, and security is there? What is enough?
John P. Tomaszewski, TRUSTe’s general counsel, noted that every cloud computing consumer/customer or advisor should assume a breach. What are the obligations? Reasonable precautions and reasonable contracts keep changing.
David Cearley, vice president and Gartner Fellow at Gartner Research, asked how lost data will be tracked. Mr. Hollman asked the audience to consider what laws apply following a breach. What are the relevant laws in the US, EU, Canada, India, and other countries? Where is the data kept? What jurisdictions does it move through?
Frank H. Morrow, Associate General Counsel, Microsoft, talked about the Patriot Act, which allows the government to compel production of data from any country. European nations are particularly concerned about these demands for data. Mr. Morrow asked whether they must tell consumers that the government has asked them to provide data.
Edith Ramirez, a Commissioner of the Federal Trade Commission, pointed out that her organization recently issued a report of best practices in cloud computing. That report should be a starting point for everyone going forward.