back to top ↑

Mark your calendar now for the Cyberspace Law Institute and Winter Working Meeting, January 20-21, 2012 at the Hotel Kabuki, San Francisco, CA. Don't miss this great opportunity to exchange views, explore new issues, and work with fellow members on various committee projects. Programming includes a half-day of CLE, lunch and dinner speakers, and much more.

Hotel Kabuki is currently accepting reservations at a room rate of $139.00 + tax. This rate includes complimentary internet access in your hotel room. To book accommodations, please call the hotel directly at 415.922.3200 or 800.553.4567 and refer to the"ABA Cyberspace Law Institute" or go online to the hotel website. The deadline for hotel reservations

Discounted airfares are available from ABA Orbitz for Business. To book online, follow these steps:

1. Visit Orbitz for Business.
2. Click under the Orbitz for Business logo at the top of the page,
3. Click on the appropriate link in the Travel Paid by Self box.

For assistance with online or offline reservations, call toll free 1-877-222-4185.

NOTE: Please make travel arrangements for an arrival on Thursday, January 19. The meeting will officially begin first thing on Friday morning.

We hope to see you in San Francisco!

November 1: Using Social Media in Discovery: Avoiding Ethical Landmines. For more information and to register, click here.

November 2: Green IP: An Overview of Opportunities and Risks. For more information and to register, click here.

November 16 : John Gregory, co-chair of the International Trade Subcommittee, is giving a one-hour teleconference tutorial on electronic transferable records for the Information Technology Lawyers of Canada (IT.Can).

November 16: The Bully at School Goes High Tech: Protecting Students in the Internet Age. For more information and to register, click here.

November 17: The America Invents Act: Key Facts You Need To Know Now About Provisions that Are Already Law. Sponsored by the ABA Section of Intellectual Property Law. Registration details are available here.

November 29: New Restrictions on U.S. Internet Sales: Data Passes, Negative Options, Automatic Renewals and Recurring Charges. For more information and to register, click here.

March 1-2, 2012: 2-Day Symposium on Law & Informatics, hosted by Northern Kentucky Law Review and Salmon P. Chase College of Law, Highland Heights, KY. March 1: day-long CLE program regarding practical solutions to current problems facing attorneys and clients. March 2: Law Review Symposium, an opportunity for academics, practitioners, consultants, and students to exchange ideas and explore emerging issues in informatics law, disruptive innovation, and the increasingly interconnected information environment. Committee member Jon Garon is the Symposium Faculty Sponsor; other committee members are among those presenting. For more details, visit the syposium website.

back to top ↑

A broad variety of entities are applying to create new generic Top-Level Domains (gTLDs). Several websites provide lists of the applicants:

http://registries.tel/
http://www.newgtldsite.com/new-gtld-list/
http://www.newdomains.org
http://valideus.com/resources/gtlds-list/

In December 2010, a Federal Trade Commission staff report proposed a "do not track" mechanism for consumers, enabling them to prevent the collection of information about their online activities. This information is used to support online behavioral advertising-that is, advertising tailored to a particular individual based on what the advertiser thinks it knows about her interests and preferences. Much controversy has resulted. FTC Commissioner Thomas Rosch reviewed many of the issues in a speech at a Chicago gathering of antitrust lawyers on October 14, 2011. Rosch expressed skepticism about the self-regulatory approaches to do-not-track that various players in the online advertising industry have rolled out, finding them inadequate in several respects. He examined the mechanisms in three web browsers (Firefox, Chrome, and Internet Explorer) and one devised by an industry group called the Digital Advertising Alliance. Rosch also reviewed proposed legislation to mandate do-not-track that is currently pending in Congress. The speech is here.

The Mobile Marketing Association has issued a proposed model Mobile Application Privacy Policy Framework for mobile applications developers. The framework is intended to give mobile applications developers clear language for disclosing to users what data is collected and used by mobile applications. The framework proposes language that answers the following questions:

• Do third parties see and/or have access to information obtained by the application?
• Does the application collect precise real time location information for the device?
• What is the data retention policy for the information?
• What information is collected about children?
• What level of security is provided for the data collected?
• What are the opt-out options?

The association is taking public comments on the policy until November 18, 2011, after which time it will issue a final model policy. The framework is available here.

The Mobile Marketing Association is a trade association for mobile marketing and associated technologies.

In our digital social-media age, brands can rise and grow rapidly but they can fail even faster. Last month, the hugely popular and successful DVD and online video service Netflix announced a new brand name - Qwikster - for its DVD service. The move was curious and questioned by many. Until this year, the Netflix brand was charming and could do no wrong. This bungle is sure to have scuffed the brand's image. Netflix has since realized the error of its ways and recently announced that Qwikster is no longer. Perhaps the Qwikster brand name will still be used by Netflix is some manner, but at least as a separate service that would require separate accounts and logins for users, Qwikster is gone. Has Netflix righted the ship soon enough to avoid real damage? Only time will tell.

Recent times have seen a rash of brand mismanagement. Twitter is entangled in several disputes due to its delay in protecting all its trademarks after it launched a few years ago. Google, one of the most valuable companies in the world, has failed to protect all of its brand names and logo. The University of Colorado recently spent more than $700,000 on a minor logo change. The good news is that our clients can learn from the mistakes of others and avoid making the same blunders.

On October 12, 2011, the Financial Times carried a story on the threat of cyber attack to the U.S. electrical power grid. The graphic in the story describes a form of attack that would resemble in several features the Stuxnet attack on the Iranian uranium enrichment facilities at Natanz where the targets were the spinning centrifuges - and in the FT's story the target would be the electrical power plant's spinning turbines.

Vince Polley continues to publish MIRLN (Miscellaneous IT-Related Legal News) every three weeks. Subscriptions are free. It's also online at http://www.knowconnect.com/mirln and at the bottom of eBLT (under the heading "OTHER NEWSLETTERS BY SECTION MEMBERS"). Take advantage of this wonderful resource.

On October 24, the Office of the Comptroller of the Currency (OCC) updated its Electronic Funds Transfer-Regulation E booklet, which is part of the OCC Comptroller's Manual. It contains a concise description of the new regulations on gift cards promulgated under the authority of the CARD Act of 2009. See pages 15-17 of the booklet.

back to top ↑

The E-Commerce Working Group of the UN Commission on International Trade Law recently met in Vienna to discuss the possibility of an international legal regime for electronic transferable records. The Working Group had before it a useful Working Paper (WP.115) on the issues. Some thought the agenda was to create an international version of section 16 of the UETA on that topic. To resolve the issues of uniqueness, transfer, authentication and enforcement, the Working Group also considered the creation of one or more international registries. Whether the same legal regime would work for documents of title (bills of lading etc) and for financial documents (chattel paper) was the subject of some debate. Also much debated was whether there was any real commercial demand for such legal rules; a number of countries (though not the US) said no. The Working Group may meet again in February 2012 if the appropriate supporting documents can be prepared in time for translation and circulation before then.

The UN Working Group also briefly discussed a proposal from a technical working group of the United Nations Center for Trade Facilitation (CEFACT) on 'digital evidence certificates.' The Working Group asked to have a chance to analyze the document formally, as it appeared to have a number of defects in its statement of legal impact of the proposed technology. See here for John Gregory's discussion of the high-level issues in this matter, as well as some of the specific flaws in the CEFACT document.

Tom Smedinghoff completed and is circulating for comment an 85-page draft report of the Identity Management Legal Task Force: Building the Legal Framework for Online Identity Management. Tom welcomes readers and comments on the draft; if you are interested, please contact Tom.

In May 2011, five Senators asked the SEC to issue guidance and require disclosure of cyber attacks that cause loss of a company's intellectual property. In response, the SEC Division of Corporate Governance issued on October 17, 2011, CF Disclosure Guidance: Topic No. 2 - Cybersecurity. The Guidance is not a rule, regulation, or statement of the SEC, but it does express the views of the Division, which is responsible for interpreting existing rules and proposing new rules. The Guidance is intended to assist registrants in assessing what, if any, disclosures should be provided regarding cybersecurity matters.

The Division notes that "no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents," but "a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents." Moreover, material information concerning such risks and incidents "is required to be disclosed when necessary in order to make other required disclosures ... not misleading."

As such, the Guidance is a significant interpretive release by the Division, and it would not be prudent for companies to ignore it or treat it as not applicable to them because they have not, to their knowledge, experienced a cyber attack. As an official at McAfee recently observed, there are only two kinds of companies - those that know that they have been compromised by cyberattacks and those that don't.

One of the most significant features of the Division's Guidance is that unlike other government initiatives that have tried with little success to legislate cybersecurity measures or standards, the Guidance requires public companies to disclose the extent to which such companies have demonstrable deficiencies in cybersecurity. For the investing public, such information is clearly material. However, the Guidance appears to have allowed its efforts at prompting such disclosures to overstep the measure, because some of the disclosures it advises companies to make would undermine a company's cybersecurity by providing precisely the sensitive cyber defense information that an adversary seeks in order to plan and execute a cyberattack on the enterprise. For example, the Guidance recommends that, depending on the registrant's particular facts and circumstances (and to the extent material), appropriate disclosures may include:

• Risks related to cyber incidents that may remain undetected for an extended period. (Surely a company should be loath to disclose such information because an adversary would take advantage of it.)
• Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences. (Here the need to report such incidents is compelling, but the Guidance should make clear that registrants may comply with such guidance without disclosing details of what vulnerability the attack exploited.)

Overall, the Division's Guidance would appear likely to have a greater influence on companies and their investment in cybersecurity than any of the stovepipe regulations that have preceded it.

Most importantly, the Guidance reflects the emerging trend of a convergence between legal issues of cybersecurity and legal issues concerning securities and the investing public. Clients and counsel will need to adjust to this convergence in order to fulfill obligations set forth in the Division's Guidance.

back to top ↑

Erik Pelton recently gave a presentation to the Society for the Advancement of Consulting. Social media and internet advertising have created an explosion of content, brands, and intellectual property, yet businesses often fail to properly use and/or protect all of their trademarks and copyrights. Some simple steps can enhance both the legal protection and practical value of this intellectual property: use proper copyright and trademark notices, use trademarks in a manner that sets them apart from other text, register core intellectual property assets, and set up free Google Alerts to monitor for misuse by others.

Longtime committee contributor and leader Professor Juliet Moringiello has been busy providing media commentary on Harrisburg, Pennsylvania's bankruptcy filing. She also testified before the Pennsylvania legislature on October 20 about using Chapter 9 bankruptcy to resolve municipal financial distress. It is remarkable that a city of this size and import (a state capital, no less) has filed for bankruptcy protection (Orange County, CA redux?) but one wonders about the cyberspace impacts - does anyone, a judge or a trustee perhaps, take over the city's web sites and online communications systems? The answer is "no": a city remains in complete control of its property in bankruptcy - because of Tenth Amendment concerns, no trustee is appointed in a Chapter 9 bankruptcy and the judge's power over a city is limited.

Sarah Jane Hughes, committee publications director, and Roland Trope, co-chair of the Cybersecurity Subcommittee, are about to publish a long article in William Mitchell Law Review on lawyers' professional responsibility and social media, principally using cloud computing. The article covers the New York Rules of Professional Conduct, the model rules, the ABA Ethics 20/20 proposal, and NIST's 2011 guidance. The article is entitled Red Skies in the Morning: Ethical Considerations at the Dawn of Cloud Computing. Sarah Jane and Roland thank Chris Kunz for suggesting their names to the editors.

Hank Judy, co-chair of the Internet Governance Task Force, gave a lecture on October 17, 2011, to the Cybersecurity Graduate Program at the University of Maryland Baltimore Campus on the subject of International Cybersecurity Legal Frameworks and Internet Governance. He reports that the work of the Computer Law Committee was liberally mentioned, and he thanks Roland Trope for generously sharing slides on a related subject.

Jon Garon, co-chair of the Digital Media Subcommittee, recently presented Mortgaging the Meme: Lessons for Financing Disruptive Innovation, which is available for free download. The presentation was previewed at the University of Dayton Law School on Sept. 21, 2011 and presented at the International Business Law Conference in London, Sept. 24, 2011.

What is disruptive innovation, you ask? Disruptive innovation can be described as the introduction of a new conceptual idea or meme into an existing system that causes the system to be fundamentally altered. Assembly lines, air conditioning, digital film, and personal computers represent such innovations, all of which led to fundamental paradigm shifts. The convergence of globalization, a networked economy, and digital technologies have made disruptive innovation a threat in almost every industry. Changes to publishing, music, and television distribution - along with the rise of social media - highlight this transformation, but they are not alone; manufacturing, retail, payment systems, transportation and other industries are

Disruptive innovation, however, follows predictable patterns. Investors can anticipate these shifts if their financial transactions are properly structured and effectively documented. The model requires a holistic intellectual property approach which looks beyond just patents. It must explicitly incorporate the underlying meme, and it must account for the inflection points in the transformation pattern. Utilizing this model, inventors, private equity investment structures and established firms can maximize value and promote innovation. This article provides an overview of disruptive innovation from examples of the past decade, identifies the underlying patterns of change common to disruptive innovation, and highlights strategies to mitigate disruption for existing industries, while addressing the intellectual property securitization aspects to structure effective deals for both the investors and innovators.

Committee member Lisa Lifshitz recently co-authored an article discussing the Canadian government's proposed updates to PIPEDA, the Canadian federal private sector privacy act. Now pending in Canada's Parliament, the bill redefines "personal information" to remove the provision that business contact information is not personal information. It clarifies the meaning of the "valid consent" required to collect, use, or disclose personal information. The bill allows exceptions for the use of personal information in a business transaction and in conjunction with an employment relationship. The bill also introduces a mandatory breach notification procedure. You can access the full article.

Roland Trope, co-chair of the Cybersecurity Subcommittee, gave a one-hour presentation at the Edison Electrical Institute (EEI) Fall 2011 Legal Conference in San Francisco on October 17, 2011. EEI members are the major electrical and nuclear power utility companies, and participants in the conference were the general counsel of these enterprises. The topic was A Porous Enterprise: Cyber Security Risks to Electrical Utilities from Web 2.0 and Cloud Computing. Because the SEC's Guidance came out that afternoon, Roland also presented a brief look at the significance and challenges of the Guidance for conference participants.

Want to be in this newsletter? Have you written or presented on something your fellow committee members would be interested in? Let us (and them) know! Email your contribution to committee Communications Directors, Cheryl Balough (cbalough@balough.com) and Lois Mermelstein (lois@loismermelstein.com).

back to top ↑