Bullish on Anti-Bullying Apps

leave a comment

A 2013 Youth Risk Behavior Surveillance Survey found that 15% of American high school students reported being electronically bullied. The increasing prevalence of this behavior—and the potentially tragic outcomes—have made “cyberbullying” a buzzword in recent years, and has sparked legislation and policy changes in many states. The difficulty in enforcement stems from the inability of school administrators to reach beyond the school ground and monitor what is happening in students’ homes on their personal computers. This has led to increased liability for school systems, and several large lawsuits by students against school districts.

Some cyberbullying laws, while well-intentioned, have been ruled unconstitutional because they infringe on student speech. The laws have also faced issues because they frequently only apply to students in the purview of public school boards—exempting private school students and parents like Lori Drew, who created a fictitious MySpace account for a 16-year-old boy and sent her 13-year-old neighbor Megan Meier increasingly negative messages on the online forum. About a month and a half after friending “Josh” on MySpace, Megan hanged herself.

Instead of waiting for clear and effective legislation, some school districts are turning to the free market for a solution. Stop!t is a mobile app that allows students to screen shot or photograph interactions with cyberbullies and send the pictures anonymously to administrators.

The same anonymity that lets some cyberbullies thrive could be the key to increased reporting and cyberbullying prevention. One principal at a school that implemented Stop!t said that within the first year of adopting the app, the school has received 75 percent fewer bullying reports.

However, there is still room for the law to step in, and there are likely to be continued constitutional challenges to criminal statutes against cyberbullying. So while Stop!t users may help raise administrators’ awareness of cyberbullying, the schools may still need statutory support for to enforce any punishments.

An app like Stop!t could also lead to students falsifying reports of bullying, or “hacking” their peers’ accounts to make it look like another student was bullying them, just to get them in trouble. The same defamation charges that give victims of cyberbullying tort remedy could be brought against students who claim that other students are cyberbullies. Criminal wire fraud charges could even be brought against students who falsely report cyberbullying.

There is also potential going forward that similar programs could be implemented in the workplace. Anonymous, electronic submissions like these could add support to Title VII cases and sexual harassment cases, and having a reporting program like this in place could also factor into court decisions where school administrators claim they were unaware of such acts happening in their school.

Written by

March 22nd, 2015 at 11:56 pm

Posted in Commentary

Tagged with

How the SEC Really Feels About High Frequency Trading

leave a comment

For fans of Michael Lewis’s Flash Boys, the SEC would like you to know that things are going splendidly on the high frequency crackdown front. In January 2015 alone, the agency brought three high frequency trading (HFT) suits against different sharks in the securities market.

One such shark is high frequency trader Aleksandr Milrud. Milrud layered trades for approximately two years starting in January 2013. Around the globe, Milrud’s recruits used HFT to fraudulently inflate and deflate stock prices to profit upon buying and selling at the altered price. To clear up any lingering confusion on the part of the SEC’s confidential broker informant, Milrud actually referred to the artificial price pressure as “the dirty work.” Milrud further explained that he usually wired his illicit profits to an offshore bank account and later met with an individual who would give him a suitcase full of cash.

The SEC’s complaint confirms that the agency believes “Milrud’s layering scheme was very lucrative. In the course of soliciting the [confidential informant’s] participation in his scheme, Milrud stated that one of his trading groups generated profits of approximately one million dollars per month.” Indeed, the complaint later outlines two examples of Milrud’s profiteering activities: Exhibit 1 involved an order that resulted in a $72.28 profit for the trader. Exhibit 2 clocked in a bit more conservatively at $60.74 worth of illegal profits. Milrud even “directed a wire transfer of $5,000 to a bank account located in New Jersey. The purpose of the transfer was to fund a trading account . . . so that Milrud’s traders could use the account to engage in layering.”

SEC v. Milrud is a relatively humorous anecdote which demonstrates the SEC’s larger high frequency trading (HFT) enforcement strategy: speak loudly and carry a small stick. Consider Milrud himself. He did not build an empire out of his indiscretions. He was brazen, oaf-like, and making a mere $60 to $80 off of any single trade. He played out of bank accounts numbering in the four digits, not with millions or billions dollars-worth of capital. Most importantly, his fraudulent activity was illegal whether he committed it through HFT or inflated stock prices one phantom bid at a time. Milrud’s criminal profits amounted to mere particles of a drop in the bucket of securities trading. But the SEC brought charges anyway and released a press release on their big capture to boot.

It seems obvious that the SEC does want to regulate HFT—but no more than it wants to regulate the securities industry overall. Vowing to determine how HFT truly hurts or helps investors, SEC Commissioner Mary Jo White asked her staff to analyze the potential effects of implementing an anti-disruptive trading rule, of increasing usage of algorithmic trading, and of unequal data feed access by market participants—among a list of additional HFT-related rules and activity. But these requests—stripped of their HFT verbiage—simply look like the analytical gaze to be expected of an industry regulator. The SEC wants to stay vigilant of potential problems, but the SEC does not seem to want to regulate HFT through new or improved means. The SEC wants to apply existing regulatory sanctions to market abuse, regardless of the means through which such abuse is effected.

The SEC is decidedly in favor of what HFT brings to the financial markets. Commissioner White said as much during her speech on June 5, 2014:

“Equity markets are, of course, now dominated by computer algorithms, which generate orders at a volume and speed that have transformed the nature of trading. Importantly, these algorithms are used not only by high-frequency traders, but also by or on behalf of investors. . . . [M]arket quality metrics show that the current market structure is not fundamentally broken, let alone rigged. To the contrary, the equity markets are strong and generally continue to serve well the interests of both retail and institutional investors.”

The SEC will undoubtedly continue to bring actions against HFT firms and players. But look carefully at these complaints and settlements. Consider whether the SEC is cracking down on HFT practices, or if the SEC is going after more traditional market abuse and is simply happy enough to let you think that HFT is in its crosshairs. So longs as it keeps Michael Lewis off Commissioner White’s back.

Written by

March 16th, 2015 at 11:25 pm

Poorly Stated Policy: The Ongoing Saga of Samsung’s SmartTVs

leave a comment

On Monday, February 5th, Shane Harris at the Daily Beast reported on a questionable provision in the Samsung Privacy Policy–SmartTV Supplement:
“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”

This clause sparked its own share of outrage, and comparisons to George Orwell’s 1984, online:
“Samsung’s Smart TV privacy policy sounds like an Orwellian nightmare” – The Verge
“Careful what you say around your TV. It may be listening. And blabbing.” – The Daily Beast
“Left: Samsung SmartTV privacy policy… Right: 1984″ – Parker Higgins, EFF Activist on Twitter

Right - 1984

Rather than trying to sweep this bad publicity under the rug, or defending itself without making any changes, the technology company amended its policy for clarity and revealed more about how the system works. In the blog post discussing the issue, titled “Samsung Smart TVs Do Not Monitor Living Room Conversations“, the company explained that the voice recognition system would only be triggered on one of two events: the user pressing a button on their television remote, or the user stating one of the several predetermined commands. In the latter event, voice data is apparently not transmitted. They also identified who the third party would be, Nuance Communications, Inc. Finally, they guaranteed that it would be possible to turn off the voice recognition system entirely, if you desired.

While public reaction to this newest revision has been decidedly more muted than the original revelation, I think Samsung deserves some recognition for the behavior they have demonstrated. It isn’t often these days you see a corporation not only admit a mistake, but take steps immediately to rectify and clarify the situation. It is apparent given their reaction that: a) the company wants to give the appearance of transparency and concern for user privacy; b) a well-organized group online, with enough uproar behind them, can effect board room behavior; and c) sometimes the lawyers may just get in the way. It may be that Samsung never intended to have access to our private conversations and that this was poor translation to legal language of a benign company policy. It is a demonstration of the interaction of technology, the public, and intent in the face of clunky language which was meant to serve as adequate notice.

Some will still poke holes into the new explanation. Senator Al Franken has taken the opportunity to address Samsung and LG and attempt to bring the issue of consumer privacy to the forefront. Others have begun to draw comparisons to perhaps establish best practices, for example Amazon will let you delete any voice recordings they have made. This clarification is in my mind a model example of how companies should treat consumers in the Internet age, and serves a warning to those responsible for drafting these kinds of policies. However, this entire debacle is yet another reminder that we may not be entirely sure about what we’re agreeing to when we hastily click “Accept.” In the past, Apple’s Siri and many of Google’s services have been criticized for invasive procedures, lax security, or extensive data retention. This is in addition to the questions of ownership, privacy, security, and responsibility in social media Terms of Use. As more and more of our lives are stored permanently online, and more and more devices can collect and transmit data about us, perhaps it’s time to consider not only the secret ways our data is being collected, but also what we’ve “agreed” to.

Written by

March 11th, 2015 at 7:16 pm

Posted in Commentary

Obama Administration to Weigh in on Google v. Oracle Java Dispute

leave a comment

Last month, the Supreme Court invited input from the Department of Justice regarding the ongoing Java dispute between Google and Oracle, asking for advice on whether the Court should hear the case. According to the Court’s memo, U.S. Solicitor General Donald Verrilli, Jr. “is invited to file a brief in this case expressing the views of the United States.” Technology Analyst Al Hilwa calls this a “true 2015 nail-biter for the industry” because “[t]his is a judgment on what might constitute fair use in the context of software.”

The dispute between Google and Oracle began in 2010, when Oracle sued Google seeking $1 billion in damages on the claim that Google had used Oracle Java software to design the operating system for the Android smartphone. Google wrote its own version of Java when it implemented the Android OS, but in order to allow software developers to write their own programs for Android, Google relied on Java Application Programming Interfaces (“APIs”). These APIs are “specifications that allow programs to communicate with each other,” even though they may be written by different people. Oracle alleged that Google copied 37 packages of prewritten Java programs when it should have licensed them or written entirely new code. Google responded with the argument that such code is not copyrightable under §102(b) of the Copyright Act, which withholds copyright protection from “any idea, procedure, process, system, method of operation, concept, principle, or discovery, regardless of the form in which it is described, explained, illustrated, or embodied in [an original work of authorship].” Google also argued that the copied elements were “a key part of allowing interoperability between Java and Android.”

In May 2012, the Northern District of California ruled that APIs are not subject to copyright laws, finding that where there exists “only one way to declare a given method functionality, [so that] everyone using that function must write that specific line of code in the same way,” such coding language cannot be subject to copyright. The court also held that “whether an element is necessary for interoperability should have no impact on its protectability.” In May 2014, The U.S. Court of Appeals for the Federal Circuit ruled the other way, finding that Java’s API packages were copyrightable, and remanded the matter to the district court to determine whether Google’s copying constitutes a lawful fair use. In response to the Federal Circuit’s ruling, Google filed a petition this past October for a writ of certiorari. Also, numerous large technology companies including HP and Yahoo have filed amicus briefs in support of Google’s position. Google issued the following statement in response to the Supreme Court’s request for input from the Obama Administration: “We appreciate the Supreme Court’s careful review of this issue and look forward to the Solicitor General’s feedback.”

The Supreme Court will take no further action until the Solicitor General files its brief offering the views of the Obama administration on this copyright dispute. According to Peter Toren, an attorney with Weisbrod Matteis & Copley, “the Court may consider this important for definitive clarification as to what extent software is copyrightable.”

Written by

February 19th, 2015 at 11:41 pm

FCC Aims to Flex Muscle to Remove State Barriers to Municipal Internet

leave a comment

On June 10, 2014, FCC Chairman Tom Wheeler published an op-ed championing municipality-funded broadband. Noting Chattanooga, Tennessee’s past as a 19th century railroad boom town, he juxtaposed the city’s history with its recent decision to fund its own gigabit-per-second infrastructure: “Chattanooga’s investment has not only helped ensure that all its citizens have Internet access, it’s made this mid-size city in the Tennessee Valley a hub for the high-tech jobs people usually associate with Silicon Valley. Amazon has cited Chattanooga’s world-leading networks as a reason for locating a distribution center in the area, as has Volkswagen when it chose Chattanooga as its headquarters for North American manufacturing. Chattanooga is also emerging as an incubator for tech start-ups. Mayor Berke told me people have begun calling Chattanooga “Gig City” – a big change for a city famous for its choo-choos.”

Mr. Wheeler then delivered his punchline: “I believe it is in the best interests of consumers and competition that the FCC exercises its power to preempt state laws that ban or restrict competition from community broadband. Given the opportunity, we will do so.” Fast-forwarding to the present, Chairman Wheeler just announced on Monday that he is circulating a proposed Order to his fellow FCC commissioners encouraging FCC preemption of state laws that stymie municipality-sponsored broadband projects via its granted authority under Section 706 of the Communications Act. The announcement comes a few weeks after President Obama himself pushed for increased support of community internet, with the White House publishing a detailed policy report extolling its virtues.

Proponents applaud the move as facilitating the growth of high-speed internet in communities where major telecoms have spurned them, instead backing legislation in some twenty states that limit the practice. Many argue that these efforts come principally from telecom companies’ self-interest to bolster their monopolistic or duopolistic positions in the ISP market. However, opponents such as the conservative think-tank American Legislative Exchange Council, paint the laws as helpful in safeguarding free markets and limited government while stopping municipal projects from “making markets less attractive to competition because of the government’s expanded role as a service provider.”

What’s clear is that the FCC is poised to take a much more assertive role in Internet regulation, as this is not the only big move the commission has in store this week. The FCC has also recently announced a plan to reclassify high-speed internet as a telecommunications service under Title II of the Communications Act (see MTTLR’s Feb. 4 blog post for more), giving the commission strong authority to champion net-neutrality across ISPs. The move has already prompted a legislative response from Congressional Republicans that would curtail the FCC’s powers. With the U.S. having already fallen behind many other Western countries on both speed and price for its broadband internet, 2015 is shaping up to be a watershed year for the future of the country’s internet.

Written by

February 18th, 2015 at 1:41 pm

Net Neutrality: A Brief Overview Prior to FCC Vote on Feb. 26

leave a comment

Net neutrality is the concept that broadband network providers should be completely detached from the information that is sent over their networks. Some large internet providers want to get rid of net neutrality, which is the current state of affairs, and replace it with a prioritized internet that would create a series of “internet fast lanes” that would be available at a price premium over “internet slow lanes.” In very simple terms, this means that if one has the money, one will have a fast internet connection. If one does not have the money, one will have a relatively slow internet connection.

Removing net neutrality is rationalized by a number of different advocates supporting various agendas. The most obvious support comes from internet service provider companies who stand to profit in offering various internet packages to not only consumers who are visiting websites but also companies, businesses, and individuals who are running websites. Companies don’t often come right out and state that they are lobbying the government for a piece of legislation that will generate more profit for companies in that field, but instead come up with another, more altruistic rationalization. One example is Verizon stating that net neutrality harms disabled people and the access of visually-impaired people to faster internet access. Support also comes from a libertarian camp that wants to encourage deregulation and minimal government interference into free market capitalism. The third main support for removing net neutrality takes the form of national security and preventing access to sites with undesirable or dangerous content.

The poster child in the industry for net neutrality is Netflix. In 2014, major internet service providers such as Comcast and Verizon were accused of throttling traffic to Netflix in a pseudo extortion scheme (i.e., Netflix must pay more money to Verizon or it will make traffic so slow for consumers of Netflix that they will be forced to move their business to a competitor’s service that isn’t being slowed down by Verizon). Netflix did pay for more bandwidth on Comcast and Verizon, but there has been evidence of Verizon throttling access to Netflix even after Netflix paid for more bandwidth. As a public service, Netflix published a short essay on their website detailing what is wrong with the concept of “internet fast lanes.” The essay highlighted that there are two fundamental problems with this approach to internet access: (1) it provides internet service providers with a “perverse incentive” to increase revenue by creating congested networks with slow access speeds; and (2) it gives internet service providers the power to choose who has access to which content on the internet by throttling access speeds to the point of rendering a certain website inaccessible due to extremely long load times.

In November 2014, President Obama showed his support for net neutrality by urging FCC Chairman Tom Wheeler to enforce net neutrality on a basis of Title II of the Communications Act. President Obama reasoned that “our law has recognized that companies who connect to the world have special obligations not to exploit the monopoly they enjoy over access in and out of your home or business. […] [T]he same philosophy should guide any service that is based on the transmission of information.” Some members of Congress, such as U.S. House of Representatives Subcommittee on Communications and Technology Chairman Greg Walden, view Title II as an inappropriate and unworkable solution. Others, such as House Judiciary Committee Chairman Bob Goodlatte, favor internet regulation under FTC antitrust laws. One thing is certain; the majority of the republican constituency in Congress does not favor net neutrality.

No one knows what will happen at voting time on February 26th, but it certainly won’t go unnoticed. As of January 19th, 2015, the F.C.C. has already received four million comments on net neutrality. The internet touches every part of modern society, from the home to the office to politics; the F.C.C.’s decision will impact every American who comes in contact with the internet in some way.

Written by

February 13th, 2015 at 11:43 am

Posted in Commentary

The Fight for Faster Internet

leave a comment

The past few days have been lively for the FCC, with a passing vote to redefine what counts as ‘broadband’ internet access and rumors of regulation that would limit States’ ability to curtail municipal broadband programs. The these changes come following a recent statement by the Executive Office of the President concerning the availability of ‘fast enough’ internet access for rural populations across the U.S. The statement illustrated that there exists a sharp divide between the availability of internet access at certain speeds in rural, as opposed to urban, communities: 51% of of the rural population lacks access to 25 Mbps internet access as opposed to 94% of the urban population. Prior to the FCC’s redefinition of ‘broadband’ internet access as 25 Mbps or greater, the standard was only 4 Mbps or greater. At this level, the divide is much smaller, 95% of rural communities and 99.9% of urban communities have access that meets this threshold. Naturally, many internet service providers (ISPs) are not happy with the new definition. While protesting that the new standard is far more than ‘most customers’ will ever need, ISPs continually push customers towards faster (and more expensive) packages. On the Comcast website, the first tier of internet access that is advertised as sufficient for HD streaming or online gaming is 50 Mbps. The Executive Statement claims that only 47% of rural communities have access to these speeds.

One promising method for bringing faster internet access to these underserved populations is municipal broadband. Over 350 municipalities are listed in the report as providing some sort of broadband internet access, but many are limited by state laws that prohibit public investment in the requisite infrastructure. A recent Missouri bill would place severe limitations on any public utility that would be competitive with a private enterprise. Under Section 704 of the Telecommunications Act of 1996, the FCC has broad discretionary power to “encourage the deployment on a reasonable and timely basis of advanced telecommunications capability to all Americans” through a variety of means. Among these means, Wheeler hopes, is the ability to preempt parts of state laws that restrict municipal development of broadband internet. Municipalities in two states, North Carolina and Tennessee, have filed petitions asking the FCC to preempt state law. In his 2015 State of the Union, President Obama called for the FCC to grant the petitions that have been filed. Although there are currently only two petitions before the FCC, there are laws in at least 19 other states that prohibit or limit funding or expansion of municipal broadband. Many municipalities and public utility providers in these states are adopting a ‘wait and see’ attitude before filing petitions of their own.

Similar to the net neutrality debates in 2014, the ISPs will likely fight the regulation. The current mix of state and federal legislation, coupled with competing FCC regulation creates a difficult situation for municipalities and ISPs as well as the FCC and courts. Not only are there issues with the state law and regulation of it, but also the pending Title II classification of internet as a public utility which will come to a vote on February 26. As an ‘independent’ agency, the FCC is not bound by the President’s opinion. Regardless of who is fighting for what, these recent developments have made it clear that although the waters are muddy now, there will be clarity, one way or another, soon.

Written by

February 4th, 2015 at 1:14 pm

Posted in Commentary

The Right to be Forgotten

leave a comment

This past May, the Court of Justice of the European Union approved “the right to be forgotten” in a case brought by Mario Costeja against a newspaper and Google, a move which fundamentally changed our notions of Internet privacy. More than a decade earlier, Costeja had posted two notices about an auction of his property to pay off debt, and the links to the notices were still appearing in the search results when Googling his name. Costeja brought suit in an effort to remove the links from the search results. The court said the links could be removed if they were found to be “inadequate, irrelevant or no longer relevant.” Under the right to be forgotten, only searches that include a person’s name will provoke the search result removal, which means that the articles or website can still show up in the results if the search is under a different keyword.

The European Union’s right to be forgotten has spurred much concern for free speech campaigners, who claim the ruling unjustly limits what can be published online. Privacy advocates, however, are praising the ruling for allowing people some exercise of power over what content appears about them online. This new right creates a process for people to remove links to embarrassing, outdated, and otherwise unwanted content from Google and other search engines’ results. Courts are directed to balance the public’s interest in access to the information in question and the privacy interests of the person affected by the content.

As of now, the ruling applies only to Google’s local European sites, such as Google.de in Germany, Google.fr in France, and other search engines. This leaves an easy loophole because the content is still available by searching from Google.com. European data protection representatives are, of course, eager to apply the right to be forgotten worldwide in order to make the ruling more effective. Europe’s Article 29 cross-European panel of data protection watchdogs recently announced: “de-listing decisions must be implemented in such a way that they guarantee the effective and complete protection of data subjects’ rights and that EU law cannot be circumvented.” The Article 29 Working Party is comprised of data protection representatives from across Europe and it has very recently published guidelines on the implementation of the right to be forgotten ruling.

The guidelines note, “a balance of the relevant rights and interests has to be made and the outcome may depend on the nature and sensitivity of the processed data and on the interest of the public in having access to that particular information. The interest of the public will be significantly greater if the data subject plays a role in public life.” They also address concerns of how this will impact free speech: “in practice, the impact of the de-listing on individuals’ rights to freedom of expression and access to information will prove to be very limited. When assessing the relevant circumstances, [Data Protection Authorities] will systematically take into account the interest of the public in having access to the information. If the interest of the public overrides the right of the data subject, de-listing will not be appropriate.”

The representatives ask search engines to apply this new right to be forgotten to all of their websites, including Google.com, for enforcement worldwide. Privacy advocates allege Google has been undermining the new right by limiting its application to local European sites, while free-speech advocates say the rule is “a gateway to Internet censorship that would whitewash the Web.” It is up to the data regulators in individual countries to decide whether to enforce the panel’s guidelines, and it remains unclear whether Google will move to implement the rule.

Freedom of Speech in a Digital Age: Ramifications for Hyperbolic Rhetoric and Free Debate

leave a comment

The ability to talk without fear of governmental repercussions is a crucial element in the ability of states to serve as laboratories for democracy. Without free debate, the voices of “we the people” become muffled and our local and federal governments are rendered inadequate representatives of our evolving needs.

The issue of freedom of speech in our digitized world ought to be at the forefront of our constitutional concerns. So much of our daily interactions occur online. Individuals read articles from news sites and voice their grievances via their Twitter and Facebook accounts. Such grievances often give rise to heated debates, sometimes over inane issues (like whether the trend of naming children after inanimate objects should somehow be a violation of free speech), and, most importantly, over social issues that need awareness and action.

But how does Freedom of Speech really work in our modern era, where people often update their statuses or make posts that are easily taken out of context and read without the writer’s intent in mind? What happens if an individual, angry and hurt by a politician’s repeated failure to address an issue she considers of paramount importance, takes to her Twitter account and posts: “God, I’m going to KILL Politician X for overlooking the safety of our local mothers and children!”

In the United States, it is a federal crime to truly threaten another person with violence. Clearly, such speech is not protected by the First Amendment. But is our hypothetical distraught citizen’s Twitter post just hyperbole, as is much of what’s found on the internet, or is it a true threat of violence?

What counts as a true threat of violence in our digital era, and how we should go about identifying it, is now before the Supreme Court. As of now, the answer is unclear. Once the Supreme Court weighs in with it’s decision, we could find our beloved ability to speak our minds greatly limited to that which agrees with the government’s notion of propriety.

Elonis v. United States concerns the conviction of Anthony Elonis for making threats on Facebook by posting rap lyrics that threatened his ex-wife and a female-FBI agent. The issue before the Court is whether the First Amendment and Virginia v. Black mandate that in convicting a person of making a violent threat under 18 U.S.C. § 875(c), there must be proof of subjective intent to threaten, or whether a “reasonable person” would understand the statement as rising to the level of threatening speech criminalized by 18 U.S.C. § 875(c).

The essential question is whether the true intent of the speaker should matter in conviction under 18 U.S.C. § 875 (c). In its deliberation, the Court should consider the nature of the medium and the audience in question. The Internet is full of overly passionate and haphazard heat-of-the-moment rhetoric. Sure, the speech of my hypothetical disgruntled Tweeter and Elonis may reasonably be interpreted as offensive. However, even obscenely offensive speech is protected by the First Amendment.

The Court’s decision on this issue will have an immensely important impact on how we express our thoughts and frame our arguments on the Internet. Should the reasonable person standard be promulgated, our freedom to joke, vent, and debate may be greatly regulated. My ability to say, “I would kill for a hotdog,” may be interpreted as a violent threat to the hot-dog vendor I frequent around the corner, and I may convicted as a felon even though I was simply expressing my desire for a hot dog. A criminal penalty for such an offense ought to turn at least on my intent.

I am of the opinion that Technology should be wielded by the people as a tool for expression, debate and progress, and not by the Judiciary as a means of speech regulation curbing our propriety. We ought to retain our right to emphatically, passionately, joking, or passive-aggressively express ourselves in our digital world.

Written by

January 20th, 2015 at 11:13 am

Posted in Commentary

Will federal legislation make consumers’ private information safer?

leave a comment

After JP Morgan’s computers were penetrated in the early summer of 2014 by hackers, exposing the personal information of the firm’s customers, the firm did not disclose the breach until late in the summer.[1] Over 76 million customers’ contact information—phone numbers and email addresses—were stolen.[2] The Connecticut and Illinois Attorney Generals started scrutinizing JP Morgan’s delayed notification to their customers that their contact information was obtained by hackers, taking issue with the fact that JP Morgan “only revealed…limited details” about the extent of the breach.[3] Both attorneys general are assessing whether JP Morgan complied with their state privacy laws—mainly their state’s data breach notification laws. With the size of JP Morgan and with 76 million customer information breached, it is safe to assume that residents of Connecticut and Illinois were not the only ones whose personal information was compromised.

Data breach has become a big issue not only for JP Morgan, but for many other companies. The same hackers who breached JP Morgan’s security wall attempted to get customer data from Deutsche Bank, Bank of America, Fidelity and other financial institutions.[4] Hackers breached Target and Home Depot’s customer credit information, taking 40 million of Targets’ customer credit card information and 56 million of Home Depot’s customer credit card information.[5] Data breach and data lost seem to be inevitable, whether it is through someone working internally for an organization—à la Edward Snowden—or through hackers— like in the case of JP Morgan, Home Depot and Target. Regardless of how data is lost, there is a need to evaluate the best approach in notify a consumer when someone else obtain a consumer’s personal information.[6]

The matter is made worse since states have varying definitions of what personal information is, and vary in their definitions of the circumstance that might trigger notification and the method in which a breach must be notified.[7] Some states don’t have a timeline in which a company must notify its customers.[8] And when they do have a timeline, it tends to be vague.[9] It took Target three weeks to notify its customers that their customer’s personal data was breached.[10] The matter is made worse since there is no commonplace federal data breach notification law.[11] Big companies like JP Morgan, who are more likely to be targets of hackers, operate in almost all 50 state, and when their customer’s personal data is breached, they have to deal with each state’s data breach laws state-by-state.[12]

As a result, some advocate for the need of a federal data breach law.[13] There’s an assumption that a federal response to data notification would be better than a state by state response. California’s attorney general is currently suing the Kaiser Foundation Health Plan because it took the health plan 5 months to notify its customers about a breach.[14] It may not take long until other attorneys general start scrutinizing Kaiser. Some of Target’s customers in various states are suing Target for its data breach notification as well.[15]

However, a federal response to data breach notification may not be panacea that some advocate. Legislating is a murky process—even murkier when there’s not much precedent to work with. Data breach, at least the digital kind, is relatively new phenomenon. While various states have their own laws on data breach notification, it is not clear which state(s) have the best process. If a federal notification law is enacted, the standards may be less than what some states currently have. A federal response may serve as a way for companies to absolve themselves from data breach notification. Though the state-by-state approach may be cumbersome, a state-by-state approach in the end will provide a better result as issues are litigated out in public and judges learn about best practices in each state. As cases are litigated in court, states will naturally learn from each other. This organic process is may be more likely to produce a better result than a top-down federal process. [16]

[1] Michael Corkery, Jessica Silver-Greenberg and David E. Sanger, Obama Had Security Fears on JPMorgan Data Breach, N.Y. Times (Oct. 8, 2014), http://dealbook.nytimes.com/2014/10/08/cyberattack-on-jpmorgan-raises-alarms-at-white-house-and-on-wall-street/.

[2] Id.

[3] Emily Glazer and AnnaMaria Andriotis, J.P. Morgan Data Breach Draws Scrutiny From State Attorneys General, Wall St. J. (Oct. 4, 2014), http://online.wsj.com/articles/j-p-morgan-data-breach-draws-scrutiny-from-state-attorneys-general-1412376500.

[4] See Corkery, supra note 1.

[5] Robin Sidel, Home Depot’s 56 Million Card Breach Bigger Than Target’s, Wall St. J. (Sept. 18, 2014), http://online.wsj.com/articles/home-depot-breach-bigger-than-targets-1411073571.

[6]Delays revealing data breaches costly: Like JPMorgan, industry practice is hide evidence, JOURNALGAZETTE.COM (Sept. 1, 2014), http://www.journalgazette.net/article/20140901/BIZ/309019956

[7] Reid J. Schar & Kathleen W. Gibbons, Complicated Compliance: State Data Breach Notification Laws, Privacy & Security Law Report, BLOOMBERG (Aug. 9, 2013), http://www.bna.com/complicated-compliance-state-data-breach-notification-laws/.

[8] Kelli B. Grant, Why did Target take so long to report the breach?, CNBC (Dec. 20, 2013), http://www.cnbc.com/id/101287567#

[9] See Luis J. Diaz and Caroline E. Oks, When Fast Is Too Slow: Notification Compliance Following Target’s Data Breach, The Metropolitan Corp. Couns. (Jan. 16, 2014), http://www.metrocorpcounsel.com/articles/27002/when-fast-too-slow-notification-compliance-following-target%E2%80%99s-data-breach#_ftn2

[10] Grant, supra note 8; See Gregg Steinhafel, a message from CEO Gregg Steinhafel about Target’s payment card issues, Target.com, (Dec. 20, 2013), available at https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca.

[11] See Judy Greenwald, Federal data breach notification law could simplify process, BUSINESS INSURANCE (Oct 24, 2014), http://www.businessinsurance.com/article/99999999/NEWS070101/399999850

[12] With the exception of Alabama, Kentucky, New Mexico and South Dakota, every state as well as the District of Columbia, Puerto Rico and the U.S. Virgin Islands has enacted legislation requiring notification of security breaches involving personal information. See Schar, supra note 7.

[13] See Jill Joerling, Data Breach Notification Laws: An Argument for A Comprehensive Federal Law to Protect Consumer Data, 32 Wash. U. J.L. & Pol’y 467, 468 (2010); see also Jacqueline May Tom, A Simple Compromise: The Need for A Federal Data Breach Notification Law, 84 St. John’s L. Rev. 1569 (2010).

[14] David Navetta, California Attorney General Files Lawsuit Based on Late Breach Notification, INFORMATION LAWGROUP (Jan. 30, 2014), http://www.infolawgroup.com/2014/01/articles/breach-notice/california-attorney-general-files-lawsuit-based-on-late-breach-notification/.

[15] See Diaz, supra note 9.

[16] See Flora J. Garcia, Data Protection, Breach Notification, and the Interplay Between State and Federal Law: The Experiments Need More Time, 17 Fordham Intell. Prop. Media & Ent. L.J. 693, 697 (2007); see also Brandon Faulkner, Hacking into Data Breach Notification Laws, 59 Fla. L. Rev. 1097 (2007).

Search the Blog