Legal Technology News - E-Discovery and Compliance Blog

Privacy Feed

November 20, 2012

Can CyberInsurance Shore Up Data Insecurity?

Insurance_sign400Baker Hostetler partner Judy Selby asks, "What do Sony Corp.'s PlayStation Network,, Hannaford Brother Co.'s grocery stores, and South Carolina's Department of Revenue all have in common?"

If you answered serious data breaches involving the personal and financial information of over 100 million users, 24 million customers, and 3.6 million unencrypted Social Security numbers respectively, you get the gold star.

But now that data breaches are rampant — with a Ponemon Institute survey reporting 50 organizations experiencing 72 cyberattacks per week — not to mention the compliance issues these attacks raise with federal laws such as the Health Insurance Portability and Accountability Act and Gramm-Leach-Bliley, what are corporate entities expected to do about it?

Selby suggests some of the issues raised by cyberattacks can be met by the aptly named "cyberinsurance." While some may see hype and scareware in this growing line of coverage, Selby lists some of the benefits of cyberinsurance policies, which can range from covering violations of privacy laws that includes paying fines to "cyber-extortion," or meeting the expenses of a threat to disrupt a company's (or law firm's or government agency's) computer systems. Coverage is also available for threats to or attacks on a policyholder's reputation.

Another area covered under the cyberinsurance umbrella is cloud computing, since, as Selby writes, "Cloud customers may not be able to contractually transfer the risk of data breaches to the provider." Some might argue that if a cloud provider doesn't have its own policy in place for cyberattacks, don't sign the contract and seek out a safer cloud. Others might counter you should find coverage where you can.

Read the full article on LTN online.

Image by Dan Hilowitz

October 02, 2012

Big Data Technology

Data_stream400Incident to the cover story for the October 1 issue of Law Technology News, "Defending Big Data," we sent a request for information to vendors who attended LegalTech New York 2012 and asked them if their products or services addressed the tension that exists in mining, exploiting, and monetizing customer data versus the security and privacy of that data.

I summarized some of the responses in the story "Big Data Technology." For the most part, the responses showed that legal technology was focused on Big Data to extract evidence used in litigation and government investigation and not to address the privacy and security interests in the large data sets owned by enterprises. The software manufacturers that predominantly handle enterprise Big Data, e.g., IBM, Oracle, and SAP, do not apply the same wares to e-discovery and litigation support -- yet.

Continue reading "Big Data Technology" »

April 24, 2012

Ohio Court Addresses 4th Amendment, Text Messages

20308702.thmThe question of who can challenge a search of cell phone records was before an Ohio court on Aug. 13. The case, from the Court of Appeals of Ohio, Sixth District, is State v. Young

This case started with a missing 17-year-old girl. The police began to suspect that the defendant knew where she was. So they obtained his cell phone records from Verizon Wireless, by submitting a single page Emergency Request Form. The police also obtained the 17-year-old girl's cell phone records with the consent of her mother.

Notably, the records acquired contained not only the numbers that had been called, but also the content of some text messages that had been exchanged.

The 17-year-old was eventually found living — by her own choice — in an apartment rented by the defendant.

Continue reading "Ohio Court Addresses 4th Amendment, Text Messages" »

April 11, 2012

11th Circuit on Fifth Amendment & Encryption

Keys_for_sale400Joshua Engel looks at last month's decision by the 11th U.S. Circuit Court of Appeals, United States v. John Doe, for guidance on whether Fifth Amendment privilege guards against the disclosure of passwords and encryption keys by witnesses and suspects.

The 11th Circuit concluded the Fifth Amendment does apply because providing a key or password amounts to an admission the suspect possessed or could access the information in question — child pornography in this case — which amounts to self-incrimination.

Engel identifies two competing doctrines in play in deciding whether Fifth Amendment protections apply, the "act of production" doctrine and the "foregone conlusion" doctrine.

Read the full LTN article, "Can the Government Force the Surrender of Encryption Keys?"

Image by

April 02, 2012

Warrantless Phone Tracking Persists Despite Jones

Police_traffic_stop400Must-read article from The New York Times this past weekend: "Police Are Using Phone Tracking as a Routine Tool."

The article notes how local law enforcement agencies are increasingly using cell phone tracking without warrants. As most people know, cell phone companies can provide fairly accurate real-time tracking of the phones. The article quotes a police manual: "One police training manual describes cellphones as 'the virtual biographer of our daily activities,' providing a hunting ground for learning contacts and travels."

In Jones, the Supreme Court held that the use of a GPS tracking device placed on a car without a warrant violated the Fourth Amendment. The challenge is that the opinion from the Supreme Court was disjointed &mdash: with some justices reasoning that the use of the device was impermissible because the device violated privacy concerns.

Continue reading "Warrantless Phone Tracking Persists Despite Jones" »

February 01, 2012

EDD in the EU: Proceed With Caution

LTNY2012_logo400"Don't assume anything about technology systems when your firm is working outside of the United States," was one insight reporter Evan Koblentz gleaned from the LegalTech New York panel, "A GC's Nightmare: A U.S. E-Discovery Request Into Europe."

The risks and problems that follow from wrong assumptions about multinational e-discovery were laid out in detail by panelists from both the U.S. and the European Union.

"The biggest concern that I have is the competing interests of the U.S.courts versus the EU privacy concerns," said Craig Cannon, discovery counsel at Bank of America.

Read the full article, "LegalTech Panel Examines E-Discovery Challenges in Europe."

January 25, 2012

New Proposed E.U. Data Privacy Regulations

EUThe European Commission today proposed a comprehensive reform of the data protection rules.

Two principal documents frame the new data protection regulations: A proposed regulation that would apply directly to organizations and individuals, and a directive that would provide the basic requirements for police and judicial cooperation in criminal matters.

This single law will do away with the fragmentation and costly administrative burdens of the current E.U. privacy regulations. The proposals will now be discussed in the European Parliament and E.U. member states meeting in the Council of Ministers. It is expected that the new proposed regulations will not take effect until sometime in 2014.

See the European Commission website for full details.


January 19, 2012

Personally Predictable Information

Being able to predict information from faces is the latest trend arising out of combining publicly available Web 2.0 data from social media with facial recognition technology. Researchers are now able to infer a person's age, interests, ssn, general health, etc., from their faces, by combining face recognition, data mining algorithms, and statistical re-identification techniques. This is called PPT — "Personally Predictable Information."

This technology can now be used to correctly identify individuals online (on a dating site where individuals protect their identities by using pseudonyms) and offline (in a public spaces — based on photos made public on social networks. Law enforcement agencies are looking at using the technology to conduct large scale real time surveillance at demonstrations, airports, and events. Persons in a crowd could be quickly identified, profiled and associated with others in the crowd based on their profile. (Sounds a bit eerily like the new TV show, Person of Interest.)

The convergence of face recognition technology and online self-disclosures using Facebook, LinkedIn, Yammer, Yelp, Twitter, etc. has serious implications for the future of privacy in an "augmented" reality world in which online and offline data seamlessly blend.  If this technology becomes too much of a threat to personal privacy, will we be able to "opt out" or  request  a "do not track"?

See Faces of Facebook: Privacy in the Age of Augmented Realty

January 17, 2012

Brussels EDD Sessions

Monique Altheim checks in to report that she will has organized and will moderate January 26  e-discovery sessions at the Computers, Privacy & Data Protection Conference. The three sessions address

• Principals of EDD in U.S. Civil Litigation
• Cross-border EDD in the European Economic Area
• Hot Topics in EDD

Speakers include consultants Chris Dale and George Rudoy, Amore Esteban (Shook Hardy), Natascha Gerlach (Cleary Gottlieb), Nigel Murray (Huron), and others.

Altheim is a lawyer admitted in the New York and Belgian bars. Her practice focuses on privacy; she is also the principal of EDiscoveryMap.  

Algorithmic Editing: Now You See It, Now You Don't!

To make a user's experience personalized, companies are using so called algorithmic editing to custom tailor retail shopping services, news, search, and essentially everything we do on the web to our personal taste.

For example, Facebook monitors which friends you click the most, and edits your profile accordingly. It decides for you which friends most likely interest you based on past interactions.

SeeGoogle uses this same technology for search, which means two exact searches by different individuals will yield completely different results. It uses so called signals (location, computer used, IP address, etc.) to define you.  This information “filter bubble” is quickly defining our universe which unfortunately does not accurately reflect the real one. 

Becoming data literate is critical to understanding the value and limitations of algorithmic filtering like predictive coding in e-discovery. The danger is that the technology is giving us what it thinks we want to see; not necessarily what we should see. 

December 23, 2011

Mobile Security - Tips to Safeguard Your Devices

Mobile devices pose significant risks for sensitive corporate information. As lawyers become more dependent on mobile devices for their practice, they need to be cognizant of the significant security risk these devices present.Thief

ViaForensics recently released its latest 80-page Mobile Security Risk Report.  Both the Android and iPhone risk is amplified by the fact that these devices tend to hold personal information for a long time by design, i.e, nothing is ever truly deleted.

Mobile devices have become easy to hack by remote exploits due to all the applications loaded on them. Hackers can now remotely jailbreak and root a device over the network which essentially provides the hacker with unrestricted access to the entire file system of the target mobile device.

The rush to develop user friendly apps has been at the expense of security. These apps collect and store a tremendous amount of information.  Even apps that appear to ask for no permissions during installation can become a back door to your phone. Check out appWatchdog for an objective analysis of various publicly available mobile apps.

Encrypting information on your device is not foolproof because encryption on both the iPhone and Android can been broken with minimal effort. Additionally, it is not that difficult to extract data from a passcode protected device as well.

To protect your mobile privacy:

1. Be cognizant of what you install on your phone and who the company is that makes the app.

Continue reading "Mobile Security - Tips to Safeguard Your Devices" »

December 16, 2011

The Growing List of Personal Data Available on Facebook

As litigators turn to Facebook for potential evidence on an individual, awareness grows that there is more personal data available on Facebook than many people realize. 

Strict European privacy laws have spawned privacy advocacy websites such as Europe vs. Facebook, which help shed light on personal data about users that Facebook collects and preserves. Unlike law in the United States, the European Union's "right to access" law essentially provides that every citizen has the right to get a copy of all personal data that a company holds about them. Recent personal data access requests to Facebook have identified more than 57 available data groups that can be potential evidence in a case. For example, removed friends (a list of all friends you have "unfriended").

The trick is how to capture and preserve that evidence in a legally defensible manner — either by subpoena, by using collection technology like X1 Social Discovery, or a combination of both. As we learn more about the complex layers of social media evidence, the inherent inadequacy of manual screen capture becomes readily apparent.

See the recent EDD Update post on Social Media meta data


December 14, 2011

The Booming Business of Surveillance Technology

The recent disclosure by Sen. Al Franken (D-Minn.) of the use of Carrier IQ technology by cell phone companies to potentially monitor cell phone use among millions of customers is just the tip of the iceberg into the secret world of surveillance technology. Since 2001 a retail market for surveillance tools has grown from zero into a $5 billion a year business. 

Surveillance technology is broken down into five categories: web scraping, data analysis, interception/monitoring, hacking and anonymity. Here are some of the more interesting technologies:

Finfisher is used by law enforcement and governments to remotely access so called "target systems" giving full access to stored information with the ability to take control of the target system's functions to the point of capturing encrypted data and communications.  

Medav is a speech technology that can be trained to analyze voice communications from a variety of sources and identify topics, keywords and phrases.

HackingTeam is a stealth remote evidence collection technology that can evade encryption on a target system like a laptop and is untraceable.

Continue reading "The Booming Business of Surveillance Technology" »

October 24, 2011

Yale Team Addresses GPS Limits

Fellows from the Information Society Project at Yale Law School have just published an article on the upcoming GPS tracking case before the Supreme Court.

GpsPriscilla Smith, Nabiha Syed, David Thaw and Albert Wong are the authors of "When Machines Are Watching: How Warrantless Use of GPS Surveillance Technology Violates the Fourth Amendment Right Against Unreasonable Searches," 121 Yale. J. Online 177 (2011).  I highly recommend it.

The authors argue that “the use of GPS surveillance for prolonged monitoring without a warrant cannot pass muster under the Fourth Amendment.” They suggest that in evaluating new technologies, “wherever a new technology carries the potential for police abuse, the Court has allowed its use only as guarded by the warrant requirement, placing a check on the unlimited discretion otherwise afforded officers.” 

Continue reading "Yale Team Addresses GPS Limits" »

October 18, 2011

Cell Phone Symposium @ Whittier Law School

Cell phones will be the focus of a Symposium on November 3, 2011 at Whittier Law School.  More information can be found here.

The Symposium is sponsored by Whittier Law School's Center for Intellectual Property Law and Law Review.  Topics include "the privacy, regulation, economics, and intellectual property issues surrounding smart phone technology."

I will be speaking on the issue of whether the police can constitutionally compel a person to provide a password or encryption key for cell phones.  This issue has been discussed previously on this blog.  If you are in California, please stop by and join the discussion.  CLE credits are also available.  

Here is the basis for my talk:

The Fifth Amendment privilege against self-incrimination protects a person from being compelled to provide a testimonial communication that is incriminating in nature.  Most verbal statements that reveal the contents of a person’s mind are considered to be testimonial. 

Continue reading "Cell Phone Symposium @ Whittier Law School" »

September 26, 2011

Apple joins the DDP

Binary Apple is throwing its weight into the Digital Due Process coalition. The Cupertino, Calif.-based company announced it joined the group calling for modernization of the Electronic Communications Privacy Act. Other members include Amazon, AT&T, Google, Intel and Microsoft.

The ECPA was enacted in 1986 and is little changed in the years since. Privacy advocates argue that because the ECPA does not address such issues as cloud computing, social networks and other current technologies, police agencies have been able to gather data users reasonably expected to remain private.

Apple and the other members of the DDP are calling for Congress to amend the ECPA to add safeguards for individual and corporate data in today's technology environment.

CNET's coverage here.


Sign Up for the E-Discovery and Compliance Newsletter

An Affiliate of the Network

From the Newswire

Sign up to receive Legal Blog Watch by email
View a Sample

Contact EDD Update

Subscribe to this blog's feed

RSS Feed: LTN Podcast

Monica Bay's Law Technology Now Podcasts are also available as an RSS feed.

Go to RSS Subscribe page

March 2013

Sun Mon Tue Wed Thu Fri Sat
          1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30

Blog Directory - Blogged