Cyber Security

Data Breach and Business Judgment

Quang Trang, MJLST Staffer

Data breaches are a threat to major corporations. Corporations such as Target Co. and Wyndham Worldwide Co. have been victims of mass data breaches. The damage caused by such breaches has led to derivative lawsuits filed by shareholders seeking to hold boards of directors responsible.

In Palkon v. Holmes, 2014 WL 5341880 (D. N.J. 2014), Wyndham Worldwide Co. shareholder Dennis Palkon filed a lawsuit against the company’s board of directors. The judge granted the board’s motion to dismiss, in part because of the Business Judgment Rule. The business judgment rule governs when boards refuse shareholder demands. The principle of the business judgment rule is that “courts presume that the board refused the demand on an informed basis, in good faith and in honest belief that the action taken was in the best interest of the company.” Id. The shareholder who brings the derivative suit bears the burden of rebutting the presumption that the board acted in good faith or showing that the board did not base its decision on a reasonable investigation.

Cyber security is a developing area. People are still unsure how prevalent the problem is and how damaging it is. It is difficult to determine what a board needs to do with such ambiguous information. At a time when there are no set corporate cyber security standards, it is difficult for a shareholder to show bad faith or a lack of reasonable investigation. Until clear standards and procedures for cyber security are widely adopted, derivative suits over data breaches will likely be dismissed, as in Palkon.


E.C.J Leaves U.S. Organizations to Search for Alternative Data Transfer Channels

J. Adam Sorenson, MJLST Staffer

The Court of Justice of the European Union (E.C.J.), the European Union’s top court, invalidated the 15-year-old U.S.-EU Safe Harbor Program with immediate effect on Oct. 6 (Schrems v. Data Prot. Comm’r, E.C.J., No. C-362/14, 10/6/15). This left the thousands of businesses that use the program without a reliable and lawful way to transfer personal data from the European Economic Area to the United States.

The Safe Harbor Program was developed by the U.S. Department of Commerce in consultation with the European Commission. It was designed to provide a streamlined and cost-effective means for U.S. organizations to comply with the European Commission’s Directive on Data Protection (Data Protection Directive), which went into effect in October 1998. The program allowed U.S. organizations to join voluntarily and freely transfer personal data out of all 28 member states if they self-certified and complied with the program’s seven Safe Harbor Privacy Principles. The program was enforced by the U.S. Federal Trade Commission. Schrems v. Data Prot. Comm’r, however, brought a swift halt to the program.

This case revolves around Mr. Schrems, an Austrian Facebook user since 2008 living in Austria. Some or all of the data collected by the social networking site Facebook is transferred to servers in the United States, where it undergoes processing. Mr. Schrems brought suit against the Data Protection Commissioner after the Commissioner declined to exercise his statutory authority to prohibit this transfer. The case concerned a 2000 decision by the European Commission which found that the program provided adequate privacy protection and was in line with the Data Protection Directive. The directive prohibits “transfers of personal data to a third country not ensuring an adequate level of protection.” (Schrems) The directive goes on to say that an adequate level may be inferred where a third country ensures an adequate level of protection.

The E.C.J. found that the current Safe Harbor Program did not ensure an adequate level of protection, and therefore held the 2000 decision and the program itself invalid. This means all U.S. organizations currently transferring personal data out of the EEA under the program are doing so in violation of the Data Protection Directive. The case requires U.S. organizations to find alternative, approved methods of data transfer, which generally means seeking the approval of data protection authorities in the EU, which can be a long process.

Although the EU national data protection authorities may allow some time before cracking down on these U.S. organizations, this decision signals a massive shift in the way personal data is transferred between the U.S. and Europe, and will most likely have ripple effects throughout the data privacy and data transfer worlds.


Cyber Intrusions

Hana Kidaka, MJLST Staffer

On November 24, 2014, hackers stole confidential information from the servers of Sony Pictures Entertainment. The hackers claimed to have stolen 100 terabytes of confidential information, including employee Social Security numbers, e-mail conversations between executives, and unreleased films. This Sony hack and “[t]he dramatic increase in cyber intrusions” led the Obama Administration to issue legislative proposals on January 13, 2015 in hopes of strengthening cybersecurity. The Administration’s proposals attempt to: “(1) enhance cybersecurity threat information sharing within the private sector and with the Federal Government; (2) establish a single standard to protect individuals by requiring businesses to notify them if their personal information is compromised; and (3) strengthen the ability of law enforcement to investigate and prosecute cybercrimes.”

Following the legislative proposals, President Obama signed executive orders that encourage companies to share cybersecurity information with each other and the government and that allow the government to impose penalties on foreign “individuals or entities that engage in significant malicious cyber-enabled activities.” The President has also been in talks with foreign governments to strengthen cybersecurity. For example, on September 25, 2015, President Obama announced that the U.S. and China have agreed to work together to prevent cybercrimes by providing “timely responses . . . to requests for information and assistance concerning malicious cyber activities” and by “identify[ing] and promot[ing] appropriate norms of state behavior in cyberspace within the international community.” While this is a small step in the right direction, it is important that our federal government establish a comprehensive cybersecurity legal framework that will effectively combat cyber threats while also taking into account the privacy concerns of many individuals and companies. It will be interesting to see if and how Congress will address these conflicting interests in the near future.


The Shift Toward Data Privacy: Workplace, Evidence, and Death

Ryan Pesch, MJLST Staff Member

I’m sure I am not alone in remembering the constant urgings to be careful what I post online. I was told not to send anything in an email I wouldn’t want made public, and I guess it made some sense that the internet was commonly viewed as a sort of public forum. It was the place teens went to relieve their angst, to post pictures, and to exchange messages. But the demographic of people that use the internet is constantly growing. My mom and sister communicate their garden interests using Pinterest (despite the fact that my mom needs help to download her new podcasts), and as yesterday’s teens become today’s adults, what people are comfortable putting online continues to expand. For example, the advent of online finances illustrates that the online world is about so much more than frivolity. The truth of the matter is that the internet shapes the way we think about ourselves. And as Lisa Durham Taylor observed in her article for MJLST in the spring of 2014, the courts are taking notice.

The article concerns the role of internet privacy in the employment context, noting that where once a company could monitor its employees’ computer activity with impunity (after all, it was being done on company time and with company resources), courts have recently realized that the internet stands for more than dalliance. In it, Taylor notes that the connectedness of employees brings with it both advantages and disadvantages to the corporation. It both helps and hinders productivity, offering a more efficient way of accomplishing a task with one hand while providing the material for procrastination with the other. When the line blurs, and people start using company time for personal acts, the line-drawing can get tricky. Companies have an important interest in preserving the confidentiality of their work, but courts have recently been drawing the lines to favor the employee over the employer. This is in stark contrast to the early decisions, which gave companies a broad right to discharge an “at-will” employee and found that there was no expectation of privacy in the workplace. Luckily, courts are beginning to recognize that the nature of a person’s online interactions makes the company’s snooping more analogous to going through an employee’s personal possessions than to monitoring an employee’s efficiency.

I would add into the picture the recently-decided Supreme Court case of Riley v. California, where the Court held that police need a warrant to search a suspect’s phone. The Court said that there was not reasonable cause to search a cell phone because the nature of the technology means that the police would be intruding more than necessary to conduct normal business. They likened it to previous restrictions which prevented police from searching locked possessions incident to arrest, and wryly observed that cell phones have become “such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.” The “vast quantities of personal information” and the fact that the phone itself is not a weapon make its taking unjustified in the course of a normal search.

This respect for the data of individuals seems to be signaling a new and incredibly complicated age of law. When does a person have the right to protect their data? When can that protection be broken? As discussed in a recent post on this blog, there is an ongoing debate about what to do with the data of decedents. To me, a conservative approach makes the most sense, especially in the context of the cases discussed by Lisa Taylor and the decision in Riley v. California. However, courts have sided with those seeking access because the nature of a will grants the property of the deceased to the heirs, which has been extended to online “property.” What Rebecca Cummings points out to help swing the balance back in favor of privacy is that it is not just the property of the deceased to which you are granting access. The nature of email means that a person’s inbox holds copies of letters from others which may never have been intended for the eyes of someone else.

I can only imagine the number of people who, had they the presence of mind to consider this eventuality, would act differently either in the writing of their will or their management of their communications. I am sure that this is already something lawyers advise their clients about when discussing their plans for their estate, but for many, death comes before they have the chance to fully consider these things. As generations who have grown up on the internet start to encounter the issue in earnest, I have no doubt that the message will spread, but I can’t help but feel it should be spreading already. So: what would your heirs find tucked away in the back of your online closet? And if the answer to that is something you’d rather not think about, perhaps we should support the shift to privacy in more aspects of the digital world.


I’m Not a Doctor, But…: E-Health Records Issues for Attorneys

Ke Huang, MJLST Lead Articles Editor

The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) generally provides that, by 2015, healthcare providers must comply with the Act’s electronic health record (EHR) benchmarks, or the government will reduce these providers’ Medicare payments by one percent.

These provisions of the HITECH Act are more than a health policy footnote. Especially for attorneys, the growing use of EHRs raises several legal issues. Indeed, in Volume 10, Issue 1 of the Minnesota Journal of Law, Science & Technology, published six years ago, Kari Bomash analyzes the consequence of EHRs in three legal-related aspects. In Privacy and Public Health in the Information Age, Bomash discusses how a Minnesota Health Records Act amendment relates to: (1) privacy, especially consent of patients, (2) data security (Bomash was almost prescient given the growing security concerns), and (3) data use regulations that affect medical doctors.

Bomash’s discussion is not exhaustive. EHRs also raise legal issues running the gamut from intellectual property and e-discovery to malpractice. Given that software runs EHRs, the IP industry is very much implicated. So much so that some proponents of EHR even support open source. (Another MJLST article explains the concept of open source.)

E-discovery may be more straightforward. Like other legal parties maintaining electronically stored information, health entities storing EHRs must comply with the court rules governing discovery.

And malpractice? One doctor suggested in a recent Wall Street Journal op-ed that EHR interferes with a doctor’s quality of care. Since quality of care, or lack thereof, is correlated with malpractice actions, commentators have raised the concern that EHR could increase malpractice actions. A 2010 New England Journal of Medicine study addressed this topic but could not provide a conclusive answer.

Even my personal experience with EHRs is one of the reasons that led me to want to become an attorney. As a child growing up in an immigrant community, I often accompanied adult immigrants to interpret in contract closings, small-business transactions, and even clinic visits. Helping in those matters sparked my interest in law. In one of the clinic visits, I noticed that an EHR print-out for my female cousin stated that she was male. I explained the error to her.

“I suppose you have to ask them to change it, then,” she said.

I did. I learned from talking to the clinic administrator that the EHR software was programmed to recognize female names, and, for names that were ambiguous, as my cousin’s was, the software automatically categorized the patient as male. Even though my cousin’s visit was for an ob-gyn check-up.


Is the US Ready for the Next Cyber Terror Attack?

Ian Blodger, MJLST Staff Member

The US’s military intervention against ISIL carries with it a high risk of cyber-terror attacks. The FBI reported that ISIL and other terrorist organizations may turn to cyber attacks against the US in response to the US’s military engagement of ISIL. While no specific targets have been confirmed, likely attacks range from website defacement to denial of service attacks. Luckily, recent cyber terror attacks attempting to destabilize the US power grid failed, but next time we may not be so lucky. Susan Brenner’s recent article, Cyber-threats and the Limits of Bureaucratic Control, published in the Minnesota Journal of Law, Science and Technology, Volume 14, Issue 1, describes the structural reasons for the US’s vulnerability to cyber attacks, and offers one possible solution to the problem.

Brenner argues that the traditional methods of investigation do not work well when it comes to cyber attacks. This ineffectiveness results from the obscured origin and often hidden underlying purpose of the attack, both of which are crucial in determining whether a law enforcement or military response is necessary. The impairment leads to problems assessing which agency should control the investigation and response. A nation’s security from external attackers depends, in part, on its ability to present an effective deterrent to would-be attackers. In the case of cyber attacks, however, the US’s confusion over which agency should respond often precludes an efficient response.

Brenner argues that these problems are not transitory, but will increase in direct proportion to our reliance on complex technology. The current steps taken by the US are unlikely to solve the issue since they do not address the underlying problem, instead continuing to approach cyber terrorists as conventional attackers. Concluding that top-down command structures are unable to respond effectively to the threat of cyber attacks, Brenner suggests a return to a more primitive mode of defense. Rather than trusting the government to ensure the safety of the populace, Brenner suggests citizens should work with the government to ensure their own safety. This decentralized approach, modeled on British town defenses after the fall of the Roman Empire, may avoid the pitfalls of the ineffective bureaucratic approach to cyber security.

There are some issues with this proposed model for cyber security, however. Small British towns during the early middle ages may have been able to ward off attackers through an active citizen-based defense, but the anonymity of the internet makes this approach challenging when applied to a digitized battlefield. Small British towns were able to easily identify threats because they knew who lived in the area. The internet, as Brenner concedes, makes it difficult to determine to whom any given person pays allegiance. Presumably, Brenner theorizes that individuals would simply respond to attacks on their own information, or enlist the help of others to fend off attacks. However, the anonymity of the internet would mean utter chaos in bolstering a collective defense. For example, an ISIL cyber terrorist could likely organize a collective US citizen response against a passive target by claiming they were attacked. Likewise, groups utilizing pre-emptive attacks against cyber terrorist organizations could be disrupted by other US groups that do not recognize the pre-emptive cyber strike as a defensive measure. This simply shows that the analogy between the defenses of a primitive British town and the Internet is not complete.

Brenner may argue that her alternative simply calls for current individuals, corporations, and groups to build up their own defenses and protect themselves from impending cyber threats. While this approach would avoid the problems inherent in a bureaucratic approach, it ignores the fact that these groups are unable to protect themselves currently. Shifting these groups’ understanding of their responsibility for self-defense may spur innovation and increase investment in cyber protection, but this will likely be insufficient to stop a determined cyber attack. Large corporations like Apple, JPMorgan, Target, and others often hemorrhage confidential information as a result of cyber attacks, even though they have large financial incentives to protect that information. This suggests that an individualized approach to cyber protection would also likely fail.

With the threat of ISIL increasing, it is time for the United States to take additional steps to reduce the threat of a cyber terror attack. At this initial stage, the inefficiencies of bureaucratic action will result in a delayed response to large-scale cyber terror attacks. While allowing private citizens to band together for their own protection may have some advantages over government inefficiency, this too likely would not solve all cyber security problems.


Apple’s Bark Is Worse Than Its Bite

Jessica Ford, MJLST Staff

Apple’s iPhone tends to garner a great deal of excitement from its aficionados for its streamlined aspects and much resentment from users craving customization on their devices. Apple’s newest smartphone model, the iPhone 6, is no exception. However, at Apple’s September 9, 2014 iPhone 6 unveiling, Apple announced that the new iOS 8 operating system encrypts emails, photos, and contacts when a user assigns a passcode to the phone. Apple is unable to bypass a user’s passcode under the new operating system and is accordingly unable to comply with government warrants demanding physical data extraction from iOS 8 devices.

The director of the FBI, James Comey, has already voiced concerns that this lack of access to iOS 8 devices could prevent the government from gathering information on a terror attack or child kidnappings.

Comey is not the only one to criticize Apple’s apparent attempt to bypass legal court orders and warrants. Orin Kerr, a criminal procedure and computer crime law professor at The George Washington University Law School, worries that this could essentially nullify the Supreme Court’s finding in Riley v. California this year which requires the police to have a warrant before searching and seizing the contents of an arrested individual’s cell phone.

However, phone calls and text messages are not encrypted, and law enforcement can gain access to that data by serving a warrant upon wireless carriers. Law enforcement can also tap and monitor cellphones by going through the same process. Any data backed up to iCloud, including iMessages and photos, can be accessed under a warrant. The only data that law enforcement would not be able to access without a passcode is data normally backed up to iCloud that still remains only on the device.

While security agencies argue otherwise, iOS 8 seems far from rendering Riley’s warrants useless. Law enforcement still has several viable options to gain information with a warrant. Furthermore, the Supreme Court has already made it clear that it does not find that the public’s interest in solving or preventing crimes outweighs the public’s interest in privacy of phone data, even when there is a chance that the data on a cell phone at issue will be encrypted once the passcode locks the phone,

“[I]n situations in which . . . an officer discovers an unlocked phone, it is not clear that the ability to conduct a warrantless search would make much of a difference. The need to effect the arrest, secure the scene, and tend to other pressuring matters means that law enforcement officers may well not be able to turn their attention to a cell phone right away . . . . If ‘the police are truly confronted with a ‘now or never’ situation,’ . . . they may be able to rely on exigent circumstances to search the phone immediately . . . . Or, if officers happen to seize a phone in an unlocked state, they may be able to disable a phone’s automatic-lock feature in order to prevent the phone from locking and encrypting data . . . . Such a preventive measure could be analyzed under the principles set forth in our decision in McArthur, 531 U.S. 326, 121 S.Ct. 946, which approved officers’ reasonable steps to secure a scene to preserve evidence while they awaited a warrant.” (citations omitted) Riley v. California, 134 S. Ct. 2473, 2487-88 (2014).

With all the legal recourse that remains open, it appears somewhat hasty for the paragon-of-virtue FBI to be crying “big bad wolf.”


Anti-Cyberbullying State Statutes Should Prompt a Revisiting of the Communications Decency Act

Nia Chung, MJLST Staff

Cyberbullying comes in varying forms. Online outlets with user identification features such as Facebook and MySpace give third party attackers a platform to target individuals but remain identifiable to the victim. The transparency of identification provided on these websites allows victims the ability of possible redress without involving the Internet Service Providers (ISPs).

In February 2014, Bryan Morben published an article on cyberbullying in volume 15.1 of the Minnesota Journal of Law, Science and Technology. In that article Mr. Morben wrote that Minnesota’s new anti-cyberbullying statute, the “Safe and Supportive Minnesota Schools Act” H.F. 826 would “reconstruct the Minnesota bullying statute and would provide much more guidance and instruction to local schools that want to create a safer learning environment for all.” Mr. Morben’s article analyzes the culture of cyberbullying and the importance of finding a solution to such actions.

Another form of cyberbullying has been emerging, however, and state initiatives such as the Safe and Supportive Minnesota Schools Act may prompt Congress to revisit current, outdated, federal law. This form of cyberbullying occurs on websites that provide third parties the ability to hide behind the cloak of anonymity to escape liability for improper actions, like 4chan and AOL.

On September 22, 2014, British actress Emma Watson delivered a powerful U.N. speech about women’s rights. Less than 24 hours later, a webpage titled “Emma You Are Next” appeared, displaying the actress’s face next to a countdown, suggesting that Ms. Watson would be targeted this Friday. The webpage was stamped with the 4chan logo, the same entity that is said to have leaked celebrity photos of actresses including Jennifer Lawrence this past summer. On the same website, one anonymous member responded to Ms. Watson’s speech by stating “[s]he makes stupid feminist speeches at UN, and now her nudes will be online.” Problematically, the law provides no incentive for such ISPs to remove such defamatory content because they are shielded from liability by a federal statute. The Communications Decency Act, 47 U.S.C. § 230, provides, “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” Essentially, this provision gives ISPs immunity from tort liability for content or information generated on a user-generated website. Codified in 1996, initially to regulate pornographic material, the statute added sweeping protection for ISPs. However, 20 years ago, the internet was relatively untouched and had yet to realize its full potential.

Courts historically have applied Section 230 broadly and have prevented ISPs from being held liable in cyberbullying actions brought by victims of cyberbullying on their forums. For example, the Ninth Circuit upheld CDA immunity for an ISP that distributed to a listserv an allegedly defamatory email authored by a third party. The Fourth Circuit immunized ISPs even when they acknowledged that the content was tortious. The Third Circuit upheld immunity for AOL against allegations of negligence because punishing the ISP for its third party’s role would be punishing “actions quintessentially related to a publisher’s role.” Understandably, the First Amendment provides the right to free exchange of information and ideas, which gives private individuals the right to anonymous speech. We must ask, however, where the line must be drawn when anonymity serves not as a tool to communicate with others in a public forum but merely as a tool to bring harm to individuals, their reputations and their images.

In early April of this year, the “Safe and Supportive Minnesota Schools Act” was approved and officially went into effect. Currently, a number of states (see http://www.cyberbullying.us/Bullying_and_Cyberbullying_Laws.pdf) have anti-cyberbullying statutes in place, demonstrating positive reform in keeping our users safe in a rapidly changing and hostile online environment. Opinions from both critics and advocates of the bill were voiced through the course of the bill’s passing, and how effectively Minnesota will apply its cyberbullying statute remains to be seen. A closer look at the culture of cyberbullying, as discussed in Mr. Morben’s article, and the increasing number of anti-cyberbullying state statutes, however, may prompt Congress to revisit Section 230 of the Communications Decency Act, to at least modestly reform ISP immunity and give cyber-attack victims some form of meaningful redress.


Making the Case for Public-Private Collaboration in the Fight Against Cybercrime

by Ryan Connell, UMN Law Student, MJLST Lead Articles Editor

In Cyber-Threats and the Limits of Bureaucratic Control, Volume 14, Issue 1 of the Minnesota Journal of Law, Science & Technology, Professor Susan Brenner delivered a thoughtful and compelling analysis of the current state of the United States Government’s approach to cybercrime. Professor Brenner advocates for a new threat-control strategy. Specifically, Professor Brenner urges us to abandon the rigid hierarchical structures that currently define our strategy. Professor Brenner instead would support a system that correlates with the lateral networked structures that are found in cyberspace itself.

Almost certainly, cybercrime must be at the forefront of our concerns. Hackers across the globe constantly threaten government secrets. In the private sector, corporations’ data also provide lucrative targets for hackers.

As Professor Brenner points out, we, as a country, have given the government complete responsibility for addressing the cybercrime threat. The problem however, is that the government has distributed its response among the many agencies that comprise the government. This has created a fragmented response where agencies either needlessly repeat each other’s work or operate in the dark due to a lack of information sharing between the agencies. Overall, this response has left many, particularly in the corporate world, feeling dissatisfied with the government.

Unfortunately, this dissatisfaction in the corporate world has damaged the government’s ability to address cybercrime in the private sector. For instance, although private industry has spent upwards of 300 billion dollars to fight hackers, only one third of companies report cybercrimes to the government. This may suggest that the companies think they can solve the problem better than the government can. It bears mentioning that this problem is not unique to the United States. The United Kingdom, for instance, has suffered similar problems. Indeed, in the UK, banks are more likely to simply reimburse most victims of cybercrime than to report it to the government.

Professor Brenner has presented an interesting and plausible solution. She has recognized that the Internet itself is community-based and laterally networked. Accordingly, it is difficult to address the problems raised by cybercrime using a vertically networked system. The government should encourage and facilitate civilian participation in the fight against cybercrime. The government should recognize that it alone cannot solve this problem. Cybercrime is a problem that takes more than government to solve; it takes a government and its citizens.


Cyber Security Investigation and Online Tracking

by Ude Lu, UMN Law Student, MJLST Staff.

On April 18th, 2013, the Cyber Intelligence Sharing and Protection Act (CISPA) was passed amid widespread controversy. CISPA aims to help national security agencies investigate cyber threats by allowing private companies, such as Google and Facebook, to search users’ personal data to identify possible threats. Commentators argue that CISPA compromises the Fourth Amendment because, under CISPA, agencies can obtain the private data of suspects identified by the private companies without a judicial order. CISPA bridges the gap between crime investigations and the private data stored and analyzed by social media companies.

Google and Facebook regularly track their users’ online behaviors, such as the websites they visit or the products they purchase, to figure out their personal preferences and perform targeted advertising. These personal behavior analyses raise serious privacy concerns. Omer Tene and Jules Polonetsky, in their article published in Volume 13, Issue 1 of the Minnesota Journal of Law, Science and Technology, To Track or “Do Not Track”: Advancing Transparency and Individual Control in Online Behavioral Advertising, discussed these privacy concerns.

Tene and Polonetsky described that while targeted advertising provides many advantages, one particular criticism is that users are deprived of meaningful control over their data. This led to various administrative proposals in the US and EU. In the US, the FTC proposed “Do Not Track”, a signal sent by users’ browsers to internet content providers requesting that they not track the user with cookies. In the EU, the e-Privacy Directive required opt-in consent for cookie tracking. The authors argue that whether cookie tracking should be “opt-in” or “opt-out” depends on how tracking is valued by society. If society in general values tracking as a positive measure that provides valuable services, then opt-out should be applied. On the contrary, if tracking is viewed by society as an invasion of privacy, then opt-in should be applied.