Richmond Journal of Law and Technology

The first exclusively online law review.

Category: Blog Posts

Blog: The New Cybersecurity Executive Order

By

On March 6, 2013

In Blog Posts

By Airen Adamonis, Copy Editor          

The United States is currently at war with China.  However, this war is not taking place on any battlefields.  It’s taking place in cyberspace.  According to a recent article published by the Washington Post, the United States has been the target of an immense “cyber-espionage campaign” that is threatening the country’s economic competitiveness.

            Just days after a private security firm released a study accusing the Chinese military of carrying out numerous cyber-attacks against U.S. businesses, the Obama Administration released a long-awaited Executive Order on cybersecurity measures.  The Executive Order on Improving Critical Infrastructure Cybersecurity (the “Order”), released on February 12, 2013, has a goal to address cyber threats through a strengthened partnership between the U.S. Government and critical infrastructure owners.  To accomplish this goal, the Order:

  •   Requires the development of new information sharing programs to provide both classified and unclassified threat and attack information to U.S. companies;
  •   Requires the NIST’s creation of a Framework of cybersecurity practices (“Cybersecurity Framework”) to reduce cyber risks to critical infrastructure;
  •   Compels agencies to conduct regular assessments of privacy and civil liberties impacts of their activities and to make such assessments available to the public;
  •   Establishes a voluntary program to promote the adoption of the Cybersecurity Framework, which will provide incentives for companies to comply; and
  •   Calls for a review of existing cybersecurity regulation.

 

What does all of this mean for businesses?  For now, it does not mean much since none of the industries covered by the order will actually have to meet the completely voluntary standards.  According to Hunton & Williams’ Privacy Blog, the Order could potentially impact businesses in the following ways:

(1)   Businesses in the private sector will receive a surge of notifications from the government concerning cyber threats and recommended ways to respond to threats based on a process developed by the Department of Homeland Security (“DHS”).  The current DHS process mainly shares classified cyber threats only with defense companies, but under the new Order, information will be shared with other critical infrastructure companies, such as energy companies.

(2)   Critical infrastructure companies and secondary actors (i.e. insurance companies) will be able to voluntarily use the new Cybersecurity Framework to address potential risks.  Since participation is completely voluntary, it is likely that DHS will create incentives for companies to comply.  An example included in the Order is the call for a review of the federal procurement process to create a preference for vendors who meet the Cybersecurity Framework standards.

(3)   Certain private sector companies, who if targeted would have a devastating effect, will be named on a list of “Critical Infrastructure at Greater Risk.”  If added onto the list, companies can request reconsideration of their inclusion on the list.  However, this list does not change the fact that compliance with the Framework remains completely voluntary.

Although the new Order appears to be a positive step in the right direction by encouraging information sharing between the public and private sectors, it is unlikely that it is enough to prevent what seems like an inevitable national cybersecurity catastrophe.  Congress needs to make the next move fast.

 

 

Additional Sources:

 

http://www.huntonprivacyblog.com/2013/02/articles/obama-signs-presidential-policy-directive-on-critical-infrastructure-security-and-resilience/

http://www.huntonprivacyblog.com/2013/02/articles/observations-on-the-cybersecurity-executive-order-and-presidential-policy-directive/

http://www.bna.com/president-obama-signs-n17179872423/

http://www.whitehouse.gov/sites/default/files/uploads/07_eo_quotes_02132013.pdf

Blog: DNA Profiling: An Invaluable Tool or a 4th Amendment Violation?

By

On February 12, 2013

In Blog Posts

By: Kevin McCann, Associate Tech Editor

While technological innovation undoubtedly makes lives easier, that is not always the case for the justices of the Supreme Court when it comes to interpreting the Constitution. From arising 1st amendment issues with the introduction of online social media to 2nd amendment debates over the development of new firearms, the Supreme Court is routinely challenged to figure out how new technology should fit into legal doctrines and constitutional provisions drafted hundreds of years ago. Next month, the Supreme Court will have to yet again determine how a technological innovation should be applied to constitutional law.

 

The Supreme Court will hear oral arguments on whether the law enforcement practice of collecting DNA samples from individuals, who are arrested for but not yet convicted of violent crimes and other felonies, violates the 4th amendment. The samples are collected through a cheek swab of the arrestee’s mouth and then compiled into a national police database. With this database, law enforcement agencies can then attempt to match the DNA of the current arrestee with DNA collected in previous unsolved crimes.

 

This action arose in Maryland, where a man named Alonzo King was arrested in 2009 on charges of assault. Due to the severity of King’s felony charges, under Maryland Statute, King was required to have a DNA swab taken. Once the DNA profile was uploaded to the database, the law enforcement agency learned that King’s DNA matched evidence from an unsolved rape in 2003. The victim in the 2003 crime was unable to identify her attacker. However, with this new DNA match, a grand jury indicted King. After trying unsuccessfully to suppress evidence of the original DNA swab from his 2009 arrest, King was convicted of the rape charges and sentenced to life in prison.

 

Prior to this case came another situation in 2004 where the Maryland Statute’s cheek swab requirement was challenged. In Maryland v. Raines, an incarcerated felon was required to submit to the DNA cheek swab test. He was also matched in the criminal database and was charged with a prior unsolved sexual assault. When he sought to suppress the DNA cheek swab, the Maryland Court of Appeals founded that as an incarcerated individual, Raines “enjoy[ed] less liberty than that of ordinary citizens”, and therefore his 4th amendment rights were not violated.

 

However, King can be distinguished from Raines because the individual seeking to suppress evidence stemming from an unreasonable search and seizure in King was not incarcerated but rather only arrested. The Supreme Court has stated that the key to analyzing whether a search is appropriate under the Fourth Amendment is to take into consideration whether an individual has a ‘reasonable expectation of privacy’ as to the focus of the search and whether the government’s interest outweighs that expectation. Therefore the question emerges as to whether an arrested individual would be reasonable to expect a higher level of privacy over an individual that is already incarcerated, and whether that higher expectation level is enough to render the DNA swab an unreasonable search under the 4th amendment. Oral Arguments will be held on February 26.

 

Additional Sources:

–          http://www.cnn.com/2012/11/09/justice/court-dna/index.html

–          http://www.scotusblog.com/?p=157481

–          http://epic.org/amicus/dna-act/maryland/

–          Maryland v. Raines, 857 A.2d 19 (Md. 2004)

Blog: Metadata: Can You Use It? Should You Scrub It? It Depends Where You Are

By

On November 26, 2012

In Blog Posts

By Associate Tech Editor Hayley Mohr

“If you have it, you should not show it to others. If you receive it, you cannot look at it.”  The previous statement is not a riddle, rather; it’s a paraphrase of Arizona’s Ethics Opinion on the use of metadata.  Contrast this outlook with Oregon’s, among other states, which allows attorneys to use it if they do not use a”special software” to view the data – in other words, if you can find it without looking too hard, it’s yours! So, what is metadata, and why does the permissiveness of its use and transmission vary so widely from state to state?

Metadata, which exists in several different types but is often termed “data about data”, has become a near-minefield to parties to litigation and the attorneys that represent them.  A common example of metadata is a word processor file that contains information about when the file was created, and when it was last edited.  It becomes dangerous quickly, when one considers the vast features available in a standard word processing program: documents can contain “erased” sentences and information –after all, in order for the “undo” button to work, the file has to “remember” what the previous version contained.

One of the most changing and varied areas of law at the moment is the proper use of metadata: both when it accompanies documents produced in response to a discovery request and outside of formal discovery.  Contrary to the “show no metadata, see no metadata” approach of many states, one of the earliest and cases to deal with the proper use of metadata, Williams v. Sprint[1],  held that the defendant in an age discrimination suit violated the discovery order by “scrubbing” metadata from a table of employees produced to the plaintiff.  The court held that documents maintained in the regular course of business should be produced in the same format, and that the scrubbed metadata was relevant to the case.[2]

Certainly, many lawyers are excited by the prospect of following a digital treasure hunt  to examine the motives and concealed actions of defendants, and other parties are terrified at the prospect of having their comment and mistakes revealed – if metadata is likely to lead to reliable and useful evidence, why prohibit it from being used?  Many are concerned about the ability of commercial software to fully “scrub” these documents, the cost of doing so, and the fact that the technology becomes more and more sophisticated.

Ultimately, there are no hard-and-fast rules to follow when it comes to producing, using, or cleaning files of metadata.  What is right in one state is, literally, wrong in another. (See the ABA’s chart for a helpful overview of the ethics standards by jurisdiction.)  It will be interesting to observe over the next decade what internal changes and  innovations companies will make in order to avoid the metadata minefield altogether .

 

[1] 230 F.R.D. 640, (D. Kansas 2005)

[2] For a comprehensive overview of decisions related to metadata, see Marjorie A. Shields, Annotation, Discoverability of Metadata, 29 A.L.R.6th 167 (2007).

Blog: My Executor Has Never Used the Internet: Estate Planning and Digital Property

By

On November 26, 2012

In Blog Posts

By Associate Editor Kevin McCann

In 2007, a devoted World of Warcraft player decided it was time to put down his virtual crossbow and axe and sell his player account. Given the amount of time put into leveling up the abilities and gear of the character, the account was in high demand and sold for 7,000 Euros (approximately $9,000). What if before the player decided to sell this he experienced an unfortunate real life death? Most likely there would be no provision in his last will and testament stating what to do with this asset, and the account would have been deleted and the potential money lost.

While this is an extreme example of protecting a digital asset, estate planners and lawyers indicate that few people give the new reality of digital assets and online accounts consideration when drafting their wills. There is a range of issues to contemplate involving electronically stored items, such as preserving online photos, projects and personal records to how you would want your family to manage your social media accounts. A survey by McAfee revealed that U.S. consumers value their digital assets, on average, at nearly $55,000, with approximately $19,000 attributed to personal memories (photographs and videos) alone. A living person would certainly want to determine the distribution of these electronically stored personal memories just as if they were photos in an attic.

In addition, social media websites such as Facebook and Twitter now have deceased user policies. Both policies allow interested parties to select one of two options: either delete the user account entirely or save the account in order to memorialize the deceased and allow others to interact with his or her preserved account. (For an interesting look at the differences between the two policies, see http://news.cnet.com/8301-27076_3-20013219-248.html). One could see a situation where a person would want his account deleted to save his family embarrassment, or the opposite situation where a person would want his family to continue to interact with his account through the grieving process after his death. This would be another consideration to contemplate when drafting a will.

Several states have enacted legislation that pertains to post-death access of digital accounts. For instance, a New Jersey bill was introduced in June of this year that would grant the executor or administrator of an estate the power to take control of any account of the deceased person for social networking, blogging, or e-mail service websites. However, many of the states’ legislation specify that the deceased must have designated the representative in writing prior to the death. The U.S. General Services Administration recommends people set up a “social-media will,” and even go as far as naming a separate “digital executor” who is more up to speed on technology innovations and is more qualified to oversee the administration of the deceased’s digital assets. In addition, estate planners advise that the probate process would take considerable less time if the devisee were to include in his will a list of all accounts, passwords, and security question answers. Otherwise the executor would have to go through the process of submitting death certificates and relationship authentication to each of the websites.

The internet has changed the way society communicates and expresses itself, and various legal issues arose with this modernization. The protection of online assets at death is now a growing concern, with states just beginning to recognize the need for legislation. As the internet continues to reinvent itself with new services to better connect the world, so to must the estate planning process strive to keep up with these innovations.

 

Additional Resources:

Wall Street Journal Article on issue

Chicago tribune article on the issue

List of online services that are designed to help someone plan for probate process of digital assets.

Page 78 of 78

Previous

Powered by WordPress & Theme by Anders Norén