New Data Breach, Privacy Bills in Congress

Richard Adhikari

One year after trying unsuccessfully to introduce legislation on data breaches and protection of individual privacy, California Senator Dianne Feinstein (D-Calif.) is trying again.

This week, she introduced Bills S.139, the Notification of Risk to Personal Data Act and S.141, the Social Security Number Misuse Prevention Act.

Bill S.139 would require federal agencies and businesses to notify, without unreasonable delay, both the media and the individuals whose personal data has been breached, with limited exemptions allowed for law enforcement and national security reasons.

It says the U.S. Secret Service must be notified if more than 10,000 individuals’ records are breached, or if the breached database contains more than one million entries, is owned by the federal government, or involves national security or law enforcement.

For more see internetnews.com.


Kill the Billable Hour? A British Response

Insofar as the legal sector ever experiences a change in momentum, such a change seems to be occurring now.

Last week, The Am Law Daily picked up on a piece penned by Cravath, Swaine & Moore’s Evan Chesler in the latest issue of Forbes magazine, entitled “Time to Kill the Billable Hour.” Cravath’s presiding partner, in presenting an impassioned case for abandoning the practice of charging clients by the hour, lent his voice to a growing debate.

In the United Kingdom, lawyers and clients have never had the same all-consuming obsession with hourly billing as their American peers. Still, over the last 20 years hourly rates have become the dominant currency here as well, and the tide slowly is turning — some British companies and firms are much further along in making the change.

Last summer, our London-based sibling publication Legal Week broke the story that commercial TV network ITV asked its outside law firms to abandon the billable hour and instead adopt alternative billing arrangements. General counsel Andrew Garard, who joined the company in the fall of 2007 from the London office of Dewey & LeBoeuf, said he wanted ITV to become the first major U.K. company to abandon this form of billing, and he initiated a review of the company’s outside legal providers.

By last November, Garard had finalized a list of approved outside counsel, a panel of nine firms, including Dewey, DLA Piper, Lovells, and Slaughter and May, that had committed to alternative billing methods. “None of the firms will bill us with reference to a measure of time on any matters,” Garard told Legal Week.

For more see law.com.

A Mark to Market Rule for Lawsuits?

The Financial Accounting Standards Board (FASB) has proposed a new standard for public disclosure of pending lawsuits. This raises interesting legal technology and management questions for general counsels.

The article “Reporting Rights” in the January 2009 issue of InsideCounsel reports on FASB Statements No. 5 and 141[R]. These now-delayed rules would lower

“the threshold for reporting the potential loss from a lawsuit from the current ‘probable’ to anything short of ‘remote.’ …. Currently, because many loss contingencies are reasonably possible rather than probable, companies usually deal with significant litigation by describing it and stating that an estimate of loss cannot be made. That’s a far cry from the detailed liturgy FASB’s original proposal mandated, a liturgy that critics say will not only fail to work as intended, but will prejudice companies in a variety of ways.”

It strikes me that you could view the proposed FASB standard as the moral equivalent of financial mark to market rules. Failure to mark financial assets to market contributed to the current economic crisis. If corporations now have to report more financial assets at market (rather than book) values, why not also the moral equivalent for lawsuits? I wish the article had analyzed whether the mark to market debate will affect the FASB rule-making.

For more see prismlegal.com.

E-Discovery Trends in 2009 — New developments in e-discovery will affect enterprise general counsel and compliance officers, law firms serving corporate clients, and IT departments

By Christine Taylor, January 9, 2008, 12:10 PM

A few years ago, the Taneja Group coined the term “Information Classification and Management” (ICM) to describe the technology of locating and classifying data throughout the enterprise. ICM covered sub-technology sectors such as e-discovery, compliance, data security control, and data management. However, we saw the term “e-discovery” trump the more comprehensive name as rabid attention turned from ICM to the specifics of civil litigation software tools. We are now seeing the e-discovery term itself take on a fuller usage, more akin to ICM. People do use the term when talking about civil litigation, but are also expanding it to encompass compliance, corporate governance, data classification, and even knowledge management.

In this broad sense we have looked at the trends of the e-discovery market as they impact its largest stakeholders: the enterprise general counsel and compliance officers, law firms serving corporate clients, and IT.

The crux of the matter is that e-discovery and its related areas will be extremely hot for litigation and compliance, especially those related to the financial meltdown. The market increasingly understands the necessity of e-discovery software tools and systems, and will move toward proactive e-discovery adoption. A more reactive approach will remain alive and well as many companies will still avoid implementation until driven to it by a lawsuit or federal investigation. But companies will increasingly understand that the e-discovery solution phenomenon is much more than a litigation aid. It also has major effects on federal compliance and internal governance, and potentially on data management throughout the enterprise.

For more see byteandswitch.com.

E-Discovery Requirements Are About to Hit Canadian Firms

As Canadian firms brace for new e-discovery rules, they can look to their U.S. counterparts for technology lessons.

By Anne Rawland Gabriel

Time is growing short for Canadian securities firms to prepare for the scheduled April enforcement of the new Canadian National Instrument 31-103 (NI 31-103), a regulation that significantly expands record-keeping requirements for electronic communications. Fortunately, NI 31-103 substantively mirrors U.S. regulations already in place, which means Canadian firms have the opportunity to learn from others’ experiences.

“NI 31-103 is very similar to SEC and FINRA requirements in the U.S.,” substantiates Carolyn DiCenzo, a Gartner research VP. “It’s important to remember that the spirit of the law is communications and not just one particular type of communication, such as e-mail or instant messaging.”

For more see wallstreetandtech.com.

Data breaches rose sharply in 2008, study says

Most of the lost data was neither encrypted nor password-protected

By Jeremy Kirk

January 7, 2009 (IDG News Service)

More than 35 million data records were breached in 2008 in the U.S., a figure that underscores continuing difficulties in securing information, according to the Identity Theft Resource Center (ITRC).

The majority of the lost data was neither encrypted nor protected by a password, according to the ITRC’s report.

It documents 656 breaches in 2008 from a range of well-known U.S. companies and government entities, compared to 446 breaches in 2007, a 47% increase. Information about the breaches was collected by tracking media reports and the disclosures companies are required to make by law.

Data breach notification laws vary by state. Some companies do not reveal the number of data records that have been affected, which means the actual number of breached records is likely much more than 35 million.

“More companies are revealing that they have had a data breach, either due to laws or public pressure,” the ITRC wrote on its Web site. “Our sense is that two things are happening — the criminal population is stealing more data from companies and that we are hearing more about the breaches.”

The data breaches came from a variety of mishaps, including theft of laptops, hacking, employees improperly handling data, accidental disclosure and problems with subcontractors.

For the rest of this story, see computerworld.com.

Networkers Beware: Fake LinkedIn profiles promise prurient pics, send patsies malware instead

Expect more attacks to come from social networking services, says security expert

By Gregg Keizer

Hackers have seeded LinkedIn Corp.’s business networking service with bogus celebrity profiles that link to malicious sites serving up attack code, a security researcher said today.

Unlike Twitter, which had nearly three dozen legitimate accounts hijacked on Monday, LinkedIn itself was not compromised. Instead, criminals used the service to create phony profiles, gave them celebrities’ names and slapped on the word “nude” to further entice users. The celebrities named included singer Beyoncé and actresses Christina Ricci, Kirsten Dunst and Kate Hudson.

The identical profiles all sported links to sites that promised nude photographs of the celebrities, said Paul Ferguson, a threat researcher at security vendor Trend Micro Inc. Users who clicked on those sites were shunted to sites hosting malicious software.

“They’re using the same mechanism as have earlier e-mail spam campaigns, telling users that they have to install a codec,” said Ferguson. The coder/decoder is nothing of the sort, but actually a disguised Trojan horse. “They’re just casting a wider net using LinkedIn,” he said.

LinkedIn reacted quickly, according to Ferguson, who said that the fake accounts first appeared on the site Tuesday. “Once they were notified, they quickly took them down,” he said. “There’s only a handful left when I last looked.”

For more see computerworld.com.