Upcoming CincyIP Program: Current Trends in Computer Security

CincyIP August Luncheon

“Current Trends in Computer Security”

The world has experienced quite a spectrum of computer security attacks in the last couple of years, and they have changed in interesting ways. While 99.9% of investigations deal with IP theft on some international basis, the issues very rarely make it to a courtroom. Understanding the technical approaches to rapid response, remediation and working with the business on damage assessments are key to helping clients deal with these issues since many of these incidents never see the inside of a courtroom.

A panel of experts, including Nick Hoffman, an incident responder at GE, Craig Hoffman, partner at Baker Hostetler, and Jon Garon, Director of NKU Chase Law + Informatics Institute, will discuss recent computer security attacks, how they have recently evolved, and how the immediate and long-term responses to these attacks have developed to address the ever-changing threats. The panel will also address how attorneys can help clients prevent an attack, and what to do when they are the victim of an attack.

When
Tuesday August 13, 2013 from 12:00 PM to 1:30 PM EDT

Where: McCormick & Schmick’s Private Dining Room


The Proportionality Principle

By Michael Goodwin[2]

A feature of JD Rising[1]

As most civil litigators in Minnesota are aware, a number of significant rule amendments went into effect on July 1, including new rules designed to change aspects of discovery, non-dispositive motion practice and complex case management.

Many of the rule changes were based on recommendations by the Minnesota Supreme Court Civil Justice Reform Task Force, which published a report in December 2011. The task force considered its most important recommendation to be the new rule requiring proportionality in all aspects of case management (especially discovery). In fact, proportionality was considered so important that it was included in Rule 1 of the Minnesota Rules of Civil Procedure, which now reads in part:

“It is the responsibility of the court and the parties to examine each civil action to assure that the process and the costs are proportionate to the amount in controversy and the complexity and importance of the issues. The factors to be considered by the court in making a proportionality assessment include, without limitation: needs of the case, amount in controversy, parties’ resources, and complexity and importance of the issues at stake in the litigation.”

The proportionality requirement of new Rule 1 applies to “virtually any issue that affects the managerial decisions judges and parties make in handling the case.”

The task force was particularly concerned about the costs and burdens associated with discovery, and a number of amendments were made to the discovery rules to advance the proportionality principle. New Rule 26.02(b) requires that a party seeking an order compelling discovery make a showing of proportionality. Rules designed to impose limits on discovery were already part of Rule 26.02(b), which mirrored the federal rule. According to the Civil Justice Reform Task Force, these considerations had not been effective in reining in discovery:

“In practice, [Rule 26.02(b)] discovery limits have rarely been enforced, however; and the expansion of discovery and the increasing expense of discovery literally threaten the civil justice system.”

By making the proportionality concept more explicit in the rules, the task force intended to “create a presumption in favor of narrower discovery and require consideration of proportionality in all discovery matters, limiting discovery to the reasonable needs of the case.” Proposed changes to the federal rules also include a proportionality limitation on the scope of discovery.

While the express proportionality requirement is new and applies only in Minnesota state court, a few recent cases from the federal courts demonstrate how to make detailed and persuasive proportionality arguments, especially as related to electronically stored information. In one recent case from the Northern District of Illinois, a party largely succeeded in limiting certain discovery by demonstrating the difficulty and expense of accessing the requested information, as well as the likelihood that the discovery requests duplicated discovery that had already been produced. The defense specifically articulated how the requested data was stored and had specific dollar estimates as to the costs of recovery and production. A Colorado district court, on the other hand, rejected several “unduly burdensome” objections because the objections lacked factual support; the defendants failed to provide “any specific information indicating how [the defendants] store electronic information, the number of back-up or archival systems that would have to be searched in the course of responding to [plaintiff’s requests], or Defendants’ capability to retrieve information stored in those back-up or archival systems.” As these cases demonstrate, building a record for a proportionality argument often requires detailed testimony from individuals with knowledge of how the requested information is stored and how it could be accessed. Of course, under Rule 1, this information will have to be viewed in the context of the amount in controversy, the parties’ resources and the complexity of the issues, among other factors.


[1] The Proportionality Principle originally appeared in Minnesota Lawyer, July 25, 2013, http://minnlawyer.com/jdr/2013/07/25/the-proportionality-principle/. Reprinted with permission.

[2] Guest blog author Michael Goodwin is an associate attorney at Jardine, Logan & O’Brien in the Twin Cities. Michael’s practice involves a range of insurance defense and coverage issues. Michael currently serves as the Outreach Committee Chairperson for the Minnesota State Bar Association New Lawyers Section. He earned first place in the 2010 Levit Essay Contest, a national writing contest sponsored by the ABA Standing Committee on Lawyers’ Professional Liability and Long & Levit, LLP. Michael graduated from Hamline University School of Law in 2009. During law school he was a board member of the Hamline Law Review and he completed a judicial externship in United States District Court. A native of Sioux City, Iowa, Michael was a newspaper reporter prior to enrolling in law school.

COPPA updates go into effect today, if anyone is watching

The FTC revised the Children’s Online Privacy Protection Rule (COPPA) in December 2012 to take into account the rapidly expanding move to mobile applications, social media and the evolving nature of personally identifiable information. Those rules go into effect July 1, 2013.

COPPA is supposed to inform parents of data being collected about their children and provide opportunities for the parents to consent or opt out of the service.[1] Unfortunately, in application, COPPA has been applied as an either/or test – a site either caters to children and therefore complies with COPPA or prohibits use of services by children and therefore takes no steps to comply with parental notification and consent rules.

Many operators provide non-children services but do nothing to discourage use by children under 13, a practice which has obviated the impact of COPPA. Social media sites, in particular, tend to avoid compliance with COPPA and instead post disclaimers requiring that the users are over 13. But these sites have no verification procedures as to identity or age.

The FTC hopes to change this with the new rules. The amendments to COPPA are intended to minimize this gamesmanship by reducing the ability for a company to ignore actual usage by under-age customers and hide behind age disclaimers. Only time will tell whether the new rules will have that effect.

A second aspect of the new rule will likely have more impact. Self-regulatory associations can submit their certification program to the FTC for pre-approval. Provided members remain within compliance of the certified program, the approval serves as a safe-harbor, protecting members of the association from FTC enforcement actions. Examples of those applications include the following:

The self-regulatory associations, particularly the ESRB, take member enforcement very seriously. The multi-billion dollar gaming industry has become the model for differentiating products based on market segment. It has a strong incentive to segregate its under-13 products from the other products. Of course, it remains to be seen whether this will result in fewer 10-year-olds sneaking onto 15+ (or 18+) platforms, but the video game industry has been more effective than most in reducing the casual avoidance of the age restrictions.

The biggest change under COPPA revisions is the type of information now covered as personally identifiable information. Mobile and social media have transformed the tools available to individually track a customer. Persistent identifiers such as unique IDs, computer or chip serial numbers, unique device identifiers, IP addresses, and geo-location tags all work individually or together to create unique identification. None of those tools include a name or address, yet serve to provide comprehensive, persistent information regarding the identity of each individual. COPPA therefore expands the definition of personally identifiable information to reduce personalized targeting of advertising at children.

As an example of how personally identifiable information has evolved, this paragraph describes the ESRB’s updated guidance on personally identifiable information:

Personally Identifiable Information means any information that can be used to identify an individual or which enables direct contact with an individual. This would include an individual’s name, online contact information (i.e. email addresses or other identifier that permits direct online contact with a person via instant messaging, video, voice over internet protocol or any other means not specifically defined herein), phone number, fax number, home address, social security number, driver’s license number, credit card number, photos, videos, or audio containing the image or voice of a child, persistent identifiers (such as a customer number held in a cookie or a processor serial number, a unique device identifier, or IP address), or geo-location information sufficient to identify a street name and name of town. Demographic information that is combined with personal information (including, but not limited to, gender, educational background, or political affiliation) also becomes Personally Identifiable information. Personally Identifiable Information does not include information that is encoded or rendered anonymous, or publicly available information that has not been combined with non-public Personally Identifiable Information (and has not been previously defined as Personally Identifiable Information.)

The expanded COPPA will take months to truly affect the marketplace. Even then, it will only be effective if companies take the obligations not to track seriously and treat their customers with respect – something missing from the past 15 years of COPPA compliance.

Some, and perhaps a majority, of people prefer to be served ads that are relevant and interesting, so they don’t mind the outcome of behavioral advertising even if they are squeamish regarding the methods used to select the ads. But Congress assumes that children have fewer defenses to advertising and these techniques can be manipulative and harmful. Targeting individual minors under 13 is therefore prohibited without the parents’ consent. Hopefully, the COPPA revisions will make this difference begin to matter.

For more information, see the additional guidance provided by the FTC:

The FTC has also released two new pieces designed to help small businesses that operate child-directed websites, mobile applications and plug-ins ensure they are compliant with upcoming changes to the rule.

The first is a document, “The Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business,” which is designed especially for small businesses and contains a step-by-step process for companies to determine if they are covered by COPPA, and what steps they are required to take to protect children’s privacy. The FTC also released a video aimed at businesses to help explain their obligations under the revised rule, including an explanation of the changes.

Finally, the FTC has updated a guide for parents, “Protecting Your Child’s Privacy Online,” that explains what COPPA is, how it works and what parents can do to help protect their children’s privacy online.

These new documents provide guidance from the FTC staff that supplements the rule and other COPPA–related material previously published by the FTC, including an updated set of frequently asked questions about the rule. FTC staff will periodically update the FAQs.

In addition to the guidelines and frequently asked questions, FTC staff maintain a “COPPA Hotline” email address, COPPAHotLine@ftc.gov, where industry members can send questions on how to ensure they are compliant with the rule. Comments on the FAQs or suggestions for new FAQs may also be submitted through the COPPA Hotline email address.


[1] The COPPA rule requires that operators of websites or online services that are either directed to children under 13 or have actual knowledge that they are collecting personal information from children under 13 give notice to parents and get their verifiable consent before collecting, using, or disclosing such personal information, and keep secure the information they collect from children.