Thursday, May 17, 2012

Proposed Data Security Rules for Lawyers

The ABA Commission on Ethics 20/20 is proposing changes to the current ABA Model Rules of Professional Conduct. Among these proposed changes is the addition of a new paragraph to Model Rule 1.6 Confidentiality of Information. (See also Rule 1.6 Comments)

Under the existing rule it is clear that lawyers are under an ethical duty to take reasonable measures to protect a client’s confidential information from inadvertent or unauthorized disclosures. The proposed new Model Rule 1.6(c) and the related proposed comments to the rule seek to enhance the importance of this duty and highlight the reasonable efforts that a lawyer should take to avoid violating the rule. The shift here is from a duty not to reveal to a more comprehensive obligation that focuses on preventing revelation in the first place.

The proposed changes are not technology specific. The Commission concluded that "technology is changing too rapidly to offer such guidance and that the particular measures lawyers should use will necessarily change as technology evolves and as new risks emerge and new security procedures become available." In place of technological guidance, the commission provides several factors for determining whether a lawyer’s data security efforts are reasonable.

The factors:

  • The sensitivity of the information
  • The likelihood of disclosure if additional safeguards are not employed
  • The cost and difficulty of implementing additional safeguards
  • The extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

Overall, these proposed changes fit with the growth in federal, state, and international laws and regulations relating to data privacy. It is important to remember that lawyers may also need to look to that body of law to determine an appropriate level of data security for their client’s confidential information.

For more information, review the ABA Commission on Ethics 20/20 Report (PDF).

Tuesday, May 15, 2012

Facebook Plans Changes to Data Retention

Facebook is getting ready to release a new data use policy (their more accurate term for a privacy policy). The change is announced in a Facebook blog post titled "Enhancing Transparency In Our Data Use Policy." As usual, Facebook is using its site governance process to allow review of the proposed updates.

The most interesting change, from my perspective, is the change in data retention for data received from advertisers. Previously the policy stated that "when we receive data about you from our advertising partners or customers, we keep the data for 180 days. After that, we combine the data with other people's data in a way that it is no longer associated with you." This was a short retention span before anonymization. The current proposed data use policy states:

We store data for as long as it is necessary to provide products and services to you and others, including those described above. Typically, information associated with your account will be kept until your account is deleted. For certain categories of data, we may also tell you about specific data retention practices.

The necessary retention period may still fall within 180 days, but the new wording leaves Facebook far more flexibility in how it handles data from advertising partners. This information, paired with the new language that makes it clear that Facebook may use data to display ads outside of Facebook, may signal what the company plans to do with its IPO money.

Additional Information:

  • The current Facebook Data Use Policy is available here
  • A tracked changes version of the policy is available here (pdf)

Tuesday, May 1, 2012

CISPA Privacy Concerns

The goal of the proposed Cyber Intelligence Sharing and Protection Act (CISPA) is to enhance cybersecurity. The means of reaching this goal is to allow businesses and government to share cybersecurity information with each other. The threat, if this is improperly written and implemented, is that government surveillance without sufficient process will be enabled.

Disagreement Over Civil Liberties Impact

There seems to be very little agreement on the impact of CISPA. Mike Rogers, House Intelligence Committee Chairman, said "There is no government surveillance, none, not any in this bill." On the other hand, Congressman Hank Johnson said, "I know it is 2012 but it sure feels like 1984 in the House today." Civil liberties constituencies were invited to engage with the House Committee on Intelligence, and the result was a series of proposed amendments, 22 of 43 of which were rejected by the Committee. The rejection of these amendments has caused civil liberties groups to oppose CISPA in its current form as it moves to the Senate.

Defining What Information Can Be Collected

The scope of the information addressed by this bill is clearly an important issue. When private companies share data with the National Security Agency, we don't want it to be for purposes not related to cybersecurity. The early definition of cyber threat information broadly included information pertaining to the protection of a system or network. The current definition adds further detail to the cyber threat information definition and, most importantly, makes it clear that information pertaining to Terms of Service violations does not qualify as cyber threat information.

Early Text (H.R. 3523: Cyber Intelligence Sharing and Protection Act)

The term cyber threat information means information directly pertaining to a vulnerability of, or threat to a system or network of a government or private entity, including information pertaining to the protection of a system or network from
(A) efforts to degrade, disrupt, or destroy such system or network; or (B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.  

Current Text (H.R. 3523: Cyber Intelligence Sharing and Protection Act)

(A) IN GENERAL- The term cyber threat information means information directly pertaining to--
(i) a vulnerability of a system or network of a government or private entity;
(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or any information stored on, processed on, or transiting such a system or network;
(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity; or
(iv) efforts to gain unauthorized access to a system or network of a government or private entity, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity.

Defining What Information Can Be Collected

Unfortunately, while the information that can be collected under CISPA was narrowed by an amendment, the use of the information that has been collected was extended by an amendment. The information obtained without a warrant under CISPA can be used to investigate and prosecute under existing computer crime laws like the CFAA.

(c) Federal Government Use of Information-
(1) LIMITATION- The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b)--
(A) for cybersecurity purposes;
(B) for the investigation and prosecution of cybersecurity crimes;
(C) for the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm;
(D) for the protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of such minor, including kidnapping and trafficking and the investigation and prosecution of crimes involving child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking, and any crime referred to in 2258A(a)(2) of title 18, United States Code; or
(E) to protect the national security of the United States.

Concluding Thoughts

There will be much more to follow as CISPA enters the Senate. A blogger who is doing a great job covering CISPA is Anjali Dalal, who is guest blogging on Yale Law School Professor Jack M. Balkin's "Balkinization" blog. If you are interested in the topic you should definitely check out her posts.

My biggest concern as I begin to read through the proposed Cyber Intelligence Sharing and Protection Act is that the "cyber" context of these security threats will somehow overshadow our existing protections of civil liberty. We have spent many years striking a fine balance between liberty and security, and just because computers are involved we should not see this as a chance to throw out that important precedent. As I read the current version of the bill, I'm afraid that the balance has shifted too far towards security at the cost of civil liberty.