In 2008 both Nevada and Massachusetts passed data privacy laws requiring encryption of personal data. The Nevada law requires all businesses to encrypt personally-identifiable customer data that are transmitted electronically. The Massachusetts law requires encryption of personal information on laptops and portable devices. Both states’ laws apply not only to resident businesses, but also to out-of-state companies with operations or customers in those states. Any company doing business in all 50 states will have to comply with these data encryption requirements.

For purposes of both laws, the personal information affected by the data privacy encryption law includes an individual’s name, plus one of the following: driver’s license, credit card information, or social security number (SSN).

Both laws establish liability standards for failing to encrypt personal information as required. The Nevada law allows companies complying with the encryption requirements to benefit from a $1,000 per individual cap on liability, which are otherwise unlimited under a lawsuit for negligence. Links:

Text of Nevada data privacy security and encryption law (NRS 597.970)

Text of Massachusetts data privacy security and encryption law (201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth)

Michigan and Washington are among states currently considering similar laws.

CNet News reported yesterday that a new device dubbed the “Cellular Seizure Investigation Stick” (CSI Stick) from Paraben, a digital forensics company, allows a user to download all data stored in a cell phone by attaching the stick to the phone and sliding the switch. The device has a port on one end to connect into the cell phone’s charger port. Ports that match the Motorola and Samsung phones are currently available. The other end of the CSI Stick features a USB port which connects the CSI Stick to a computer for analysis of the cell phone’s data contents.

Your Attorney Says: Ya Better Watch Out
A cell phone owner’s phonebooks, call logs, text messages, photos and movies can be retrieved within a few seconds using the technology. A copy of all memory contents takes considerably longer (the product website states “this process can take many hours to complete.”) The device comes with a portable power adapter that connects to the USB port while the user is downloading the data.

Priced on the product’s website at $199, Paraben’s CSI Stick is a bargain-basement intelligence gathering tool. Want to catch your spouse cheating? Slip that cell phone off the charger for a few minutes early in the morning before the alarm goes off.  Want to find out what that competitor of yours is planning? Hang out at the same place he eats breakfast every morning and wait for nature to call — there will be trade secrets galore to be ferreted out from the CEO’s communications.

Cell phones are increasingly becoming the platform of choice to integrate data — newer models touch all business applications. The security risks are obvious and have been well-known for years: most experts consider the cell phone to be a completely unsecured device. Yet even the most security-aware businesses are full of executives who need cell phones and fill them with all kinds of sensitive business and personal data.

Compliance Department: How Will You Deal With Your Cell Phone Security Risk?
I’m predicting that mid-size businesses up through Fortune 100 companies will be adding this to the growing stack of risk management issues.

According to Finjan’s May 2008 Malicious Page of the Month (free registration required), the vulnerable health data was accessible via compromised login information for healthcare systems using Citrix remote access software. Social Security Numbers (TINs – “tax ID numbers” for individuals) were accessible via a compromised IRS employee login.

In early May, Finjan reported on a different server being controlled by hackers that contained a 1.4GB cache of stolen data. Compromised data involved 571 log files from the US, 621 from Germany (DE), 322 from France (FR), 308 from India (IN), 232 from Great Britain (GB), 150 from Spain (ES), 86 from Canada (CA), 58 from Italy (IT), 46 from the Netherlands (NL), and 1,037 from Turkey (TR) and resulted in the company notifying 40 major international financial institutions and law enforcement agencies located in the US, Europe and India.

A few of my clients this week reported receiving one or more phishing emails about the 2008 Economic Stimulus Payment from the US government. Then I received one myself this morning. (“Gee, how could the IRS possibly know I switched email addresses?” was my first thought.) Here’s the email I received:

Don’t click on the link.  Don’t click on the link.
The rule is worth repeating.  Practice safe Internet computing — don’t click on a link in an email seeming to come from your bank, eBay, PayPal, or your federal government about your “account details” or to “apply” for something. Go to the official site and do your business starting from there (or investigate or report the phishing email, from there).

The grammatical and formatting errors which allow users to identify phishing scams are becoming much more subtle as the phishes and the phishers themselves become more refined. Note to Phish-Dude: there are some big issues in your general approach here. It is generally a tip-off to us where the federal government uses an exclamation (“!”) point at the end of any communication. We’re just not that officially enthusiastic about anything here in the U.S. Also, while I personally consider the stimulus payment to be a kind of ‘moral refund’ for putting up with the last 8 years of government, the payment is technically not a refund, but a disbursement. (Readers are welcome to offer other grammar and spelling observations and feedback in the Comment section.)

Clicking through (don’t click on the link!) redirects the email recipient to the following page:

While you don’t have to, I frequently amuse myself by picking the IP address out of the email link (my email program, Thunderbird, allows me to right-click and copy a link). Phishing scam emails have URL links that almost always show an IP address rather than text, as this one did:

http://211.32.47.11:443/irs_redi/

When I went to DomainTools and did a reverse IP search on the 11.32.47.11 IP address, it came back “unknown”. Finally, I also note: Thunderbird and Firefox (my recommended email and web browser software of choice) both tried to warn me several times that the email and the website were a scam. Ignoring all of this “Danger, Danger, Will Robinson!” and directing yourself straight into harm’s way is possible, but much less likely with these than it is with other software.

Introducing the PHISHY: Arborlaw’s new annual award for phishing and other email scams
Is there an annual award for phishing campaigns? I couldn’t find one, so I’m announcing the Arborlaw PHISHY™ Award. You can document your submissions for the Best Phishing Attempt of 2008 in a comment here: Arborlaw 2008 PHISHY™ Awards — Submissions Page.

Does the monitoring of cross-border communications by the United States government under the Patriot Act and the Wiretapping Act and the lack of US constitutional protection in foreign countries violate an attorney’s duty to keep client matters confidential?

Does outsourcing act as a waiver of the attorney-client privilege or otherwise permanently affect a client’s legal rights?

One law firm is concerned that the answer is ‘yes’ — and has sued the Bush administration for declaratory judgment and asked the District of Columbia and Maryland bars for ethics opinions on the matter. According to Newman McIntosh & Hennessey, US government interception of attorney-client communications is highly probable because the National Security Agency (NSA) is free to spy on foreign companies. The Newman firm filed the complaint and ethics opinion requests seeking guidance on whether outsourcing of legal services compromises constitutional rights — and wants the court to order law firms to disclose their use of outsourcing and foreign legal support to clients, and to order the US government to establish protocols to shield attorney-client information from US government surveillance.

The complaint and legal inquiry arose out of a solicitation to the Newman firm by Acumen Legal Services (India) Pvt., Ltd./Acumen Solutions, LLC (TX) to provide the law firm with outsourced litigation support. Hennessey, a named partner for the firm, is concerned that information from his personal injury and medical malpractice practice could fall into the hands of competitors who employ outsourced services, through the electronic discovery process. According to Hennessey:

It’s not paranoia. It’s just fact . . . . [N]ow that we’re outsourcing services, we have given no consideration to the ongoing practice of the government harvesting information out there.

Hennessey openly wonders whether explicit client consent should be required before any data is sent abroad.

Legal outsourcing has grown dramatically in the last decade as bandwidth has improved to easily handle large amounts of imaged data, facilitating remote document scanning and low-cost document review, primarily in India.

Here’s why this is a particularly interesting story to watch: A. large law firms are now relying heavily on the practice of outsourcing their legal document imaging and legal document review work to maintain their profit margins. B. The regulation of attorneys is almost entirely a matter of state law. I’m not aware of any federal controls over the attorney-client relationship or attorney-client privilege (except with regard to the recent encroachment on attorney-client communications in the representation of enemy combatants in connection with Guantanamo and Bush administration military tribunals).

The case has been assigned to District Judge Colleen Kollar-Kotelly (chief judge of the Foreign Intelligence Surveillance Court – although this is apparently not a FISA issue).

Tip of the hat to the Blog of Legal Times for breaking this story.

An article in today’s New York Times announced that researchers discovered that anyone can unlock data encryption on a PC hard drive merely by opening the case and blasting the chips with a can of compressed air, causing the data to remain in memory, allowing easy access in unencrypted form. Of course, this involves physical access to the computer.

I’m guessing we’re going to start seeing machines with securely sealed cases and other physical mechanisms to foil this approach.

Meanwhile, this makes me feel *so* much better about all those stories of laptops, loaded to the gills with thousands of consumer credit card numbers and other personally-identifying data records on the hard drive, and then stolen while travelling homeward with some road warrior.

Legally, I’d like to see a company in possession of my credit card number and other personally identifying data warrant and represent to me that they don’t allow data to leave their physical premises. Particularly since in the US (unlike the EU), I don’t have any effective legal controls to hold a third party entrusted with my data accountable for losing it. I’ll certainly be adding language covering this to my requirements of the vendor in my clients’ user-side development contracts.

As long as there are going to be laptops, there are going to be issues of data leaks and identity theft. (Privacy Rights Clearinghouse has documented data breaches of an estimated 218,000,000 data breaches in the US alone, here.)

Anyone know whether this can be avoided by better software or chip design?

http://www.GetMyFBIfile.com

Due to laws restricting the government’s ability to collect information on individuals and privacy/SSN issues, government information on multiple and erroneous SSNs isn’t matched up, and the agencies are currently under no duty to notify the taxpayer(s) connected with the numbers (most of whom only find out about a problem for the first time when they are subjected to an IRS audit or their credit report shows fraudulent account activity).

The overwhelming majority of duplicate social security numbers are associated with the boom in illegal immigration. Illegal workers make up a number or — with increasing frequency — steal or purchase a number (which can get passed around to several people in a community). Withholding taxes are then paid into the system under a particular number, but funds attributed to that Social Security account may in fact be coming from multiple sources. What does the Social Security Administration do with payments on accounts with ‘irregularities’? The payments are put into the Earnings Suspense File (ESF), which is a separate trust fund pool of close to $600 billion dollars in payments unmatched to a definite taxpayer (estimated total, 1Q 2007). The ESF is currently a political hot potato due to its size and association with illegal immigration and the temptation to apply it somehow towards closing the upcoming demographically-driven gap between Social Security entitlements and payments.

If a single employer has more than 10 employees with SSNs that do not match uniquely to a single wage earner, the SSA will issue the employer a ‘no match’ letter. This at least gives the information to the employer — but not to the non-employee individuals associated with the problem numbers. The Real ID Act (controversial; ostensibly passed for reasons of combating terrorism) will create a US national ID card using state-issued driver’s licenses conforming to new federal mandates scheduled to take effect on May 11, 2008. At that point, the driver’s license is widely expected to replace the SSN as a single unique identifier for individuals — but that won’t solve the existing multiple-SSN problem for taxpayers whose SSNs are currently linked to more than one person and who may not be able to find out that their credit history is sitting on a ticking time bomb.

Forwarding and republishing email raises some interesting topics. Like many questions which come to me as a business and Internet lawyer, answering this involves considering both legal and ethical issues. (I will give some general information on the law and the ethical issues; obviously this is not within an attorney-client relationship, so you should not rely on this as specific legal advice in your situation.)

From the standpoint of ‘Netiquette‘ (Internet usage ethical issues) — it is absolutely considered a breach of ethics to take a private email and repost it (publish it) to a list or a blog (weblog) without obtaining the writer’s permission in advance.

The issues of law are not so direct and straightforward.

There is copyright protection under US law for everything someone writes or creates. Copyright protection under the law automatically attaches at the moment the writing becomes tangible in ‘fixed’ form (which is satisfied by writing an email on your computer, just as it would be if you had used a pen and a pad of paper). Just because someone receives a copyrighted work from a writer of that work via email, does not give them the legal right to do anything they want with that legal work. Reproducing the work without permission (ie, without a license) is a violation of US copyright law.

There are many arguments that apply these legal principles to mailing lists and blogs and which result in different theoretical professional opinions and outcomes. Let’s look at how the issues are typically analyzed.

First, there is the basic method of reproduction: the technical method that is being used in list distribution is “forwarding” — re-sending the email via a computer program to an entire list of subscribers. If mailing lists are based on forwarding, how do “publications” such as mailing lists operate legally under US copyright laws at all? Anyone can join the list and when someone sends an email, it is sent out without explict legal permission to however many hundreds or thousands of list members.

No court that I am aware of has decided whether forwarding email which you have not written yourself, constitutes copyright infringement. But, under the plain language of section 106 of the US Copyright Act (17 USC section 106), without any other considerations taken into account, it is clear that it would be:

§ 106. Exclusive rights in copyrighted works

Subject to sections 107 through 122, the owner of copyright under this title has the exclusive rights to do and to authorize any of the following:

(1) to reproduce the copyrighted work in copies or phonorecords;

(2) to prepare derivative works based upon the copyrighted work;

(3) to distribute copies or phonorecords of the copyrighted work to the public by sale or other transfer of ownership, or by rental, lease, or lending;

(4) in the case of literary, musical, dramatic, and choreographic works, pantomimes, and motion pictures and other audiovisual works, to perform the copyrighted work publicly;

(5) in the case of literary, musical, dramatic, and choreographic works, pantomimes, and pictorial, graphic, or sculptural works, including the individual images of a motion picture or other audiovisual work, to display the copyrighted work publicly; and

(6) in the case of sound recordings, to perform the copyrighted work publicly by means of a digital audio transmission.

This makes it very clear that the writer of an email controls the right of reproduction (publishing) which is mentioned in section 106 subsection (1).

However there is a doctrine in copyright law called “implied license.” Where two parties are operating as if they have an agreement of some sort, the law will “imply” that they have a certain type of agreement to match their actual conduct. (That means that if they get into a dispute, a court would look to the type of agreement it appears that they have, and imply that they have agreed to the ‘usual’ terms from that type of agreement — rather than finding no contract because no written document actually exists — because it looks like they in fact intended to have some type of agreement).

In the cyberlaw (Internet law) context, implied license theory is relied upon constantly by lawyers and legal educators. One of the most common implied license arguments is that browsing the web — the most basic Internet activity — is only legally possible by virtue of an implied license. Why? Because your computer makes a copy of every web page internally on your hard drive when you view it, and yet the author of the web page owns the copyright. Therefore, using a typical Internet browser like Internet Explorer or Firefox to view web pages results in unauthorized copies being made on thousands of people’s computers, merely by internal operation of their browser software. The implied license argument goes like this: the author of a web page obviously knows the web pages can be browsed; in fact, the author intends for them to be browsed — that’s why they are published on the Internet in an unsecured manner (ie, no password or security). Therefore, even though there is no written license in advance for those copies to be made on all those hard drives, there is an ‘implied license’ for users to access a published web page and make copies on their hard drives in the process of using their browser software.

Turning to the email forwarding issue — email is processed and accessed through a mail software application that makes forwarding automated and extremely easy in a one-step process (ie, taking a received email and ‘sending it on’ to another party). Many legal and IT professionals argue that everyone who uses email, accepts that this function exists, and is an inherent part of the way the email system architecture is designed — and that there is therefore an ‘implied license’ for anyone to forward email anywhere and everywhere they see fit.

In my professional opinion, I disagree that there is an implied license to forward email to another recipient, or to a blog, without permission. Web browsing and email are not analogous. In the case of web browsing, the author has already “published” the written work to the public at large by placing it on the Internet. It is reasonable to assume that the author of a web page means for it to be widely disseminated.

Where an email is sent to a private party, there is no reasonable assumption that the writer intended to “publish” that content to anyone and everyone. In most cases the email is meant to be private to the recipient and stay private. This is particularly true where the context of the email is that it was sent “off-list” between parties who are both on the same mailing list (or blog), and the subject of the email is related to a topic or exchange that has been public and subject to discussion on the entire mailing list (or blog) for everyone to read. In that specific context, it seems very clear that if a writer meant for an email to be published, the writer would simply send the email to the whole mailing list (or blog). Contrary to implying a license to forward such an email to a mailing list or blog, it is very clear that it is only legally reasonable that the opposite should be implied: a private email sent to a list member directly, instead of online, is very clearly meant *not to be published.* It should be implied (ie, the default should be) that there is never a legal right to do this.

Since an implied license is “implied,” it is not a written license with contract terms and it does not have a specific length or conditions about its termination. It can be revoked at any time by the writer. So, a writer can tell the recipient of an email that they have no legal right or permission to forward or republish any communications. This won’t undo the past; but it will make it very clear and set a legal precedent which will control the future.

Mailing list and blog owners can use certain techniques in an attempt to clarify copyright questions about forwarding and republication. One technique is to make each subscriber agree to a set of terms as a condition of joining, before they can participate. This is viewed as a contract between the list or blog owner and the subscriber, and the subscriber’s participation can be terminated if the rules are violated. Reposting a private email without permission is a common violation of such agreements. (Mailing list owners and bloggers can contact me for help in shaping agreements to control the behavior of their subscribers.)

Lastly, there are ethical and legal issues of privacy in forwarding email and publishing it to a mailing list or blog. Private email can contain information and contact details which the writer would never publish or disseminate. Many subscribers have an email address which they use only for mailing lists, or a user ID or ‘handle’ or nickname which they use on websites or blogs, which purposely discloses no information about them. The emails which they send privately as correspondence are sent from a different address, and frequently contain information identifying them and the means to contact them. Additionally, the content of their email may be private and not something they want publicly associated with their professional life and available on the Internet. Republishing a private email coming from an unpublished email address not only violates the writer’s expectation of control over content for copyright reasons, it also violates the writer’s expectation of privacy in any personal details which are entrusted to the recipient of the email.

Most states have their own specific laws about privacy and publicity. Generally, there is an expectation of privacy where someone has not deliberately put himself or herself into the public light. While many Internet users and commentators hold views that “people with nothing to hide don’t need privacy” and “there is no privacy on the Internet” and “information wants to be free,” the law is not there yet. Sending private email to a party gives the writer a reasonable expectation of privacy that it will not be republished to the world at large.

Those are the standard professional legal and ethical arguments. Even so, I can’t point to a single court decision setting precedent on the email forwarding issue. This is because, as far as I know, nobody has taken these issues to court to resolve them. Corrective action in the world of private email exchanges almost never merits the thousands of dollars involved in copyright and privacy lawsuits. Also, the most effective remedy on the Internet really is typically found in the ‘court of public opinion.’ Writers who have been wronged by the unauthorized publication of their private email to a mailing list or blog usually “out” the republisher as a violator of the well-known rules of Internet usage and copyright and privacy laws. The unauthorized republisher frequently suffers a loss of reputation among the list or blog participants from this and in many cases will be banned from further participation in the list or blog by an owner who actively polices subscriber conduct.