Archive for Legal

Time to Review Corporate Computer Policies

The National Law Journal is reporting that three recent court decisions make it important for companies to begin a thorough review of their computer-use policies. The National Law Journal suggests firms focus on two issues: ensuring that employees have no expectation of privacy in using the company computer systems and delineating the scope of the employee’s permissible access to the company computers. The article, by Nick Akerman, a partner in the New York office of Dorsey & Whitney who specializes in trade secrets and computer data, discusses three recent decisions and their implications for creating effective corporate computer policies that protect the company against the theft of its data.

Mr. Akerman says two recent decisions, Quon v. Arch Wireless Operating Co. Inc. and Stengart v. Loving Care Agency Inc., affect a company’s ability to gather evidence from its own computers. The article states both cases found company computer policies insufficient to defeat the employee’s expectation of privacy in using the company computers for personal reasons. Whether an employee has an expectation of privacy on the company computers can become a critical issue when an employee is suspected of having stolen corporate data.

In Quon (which I wrote about here), the 9th U.S. Circuit Court of Appeals held that a review of text messages on pagers provided to municipal police officers violated the Fourth Amendment as an unreasonable search. The article explains that although the city had no express policy “directed to text messaging by use of the pagers,” it did have a general “Computer Usage, Internet and E-Mail Policy” applicable to all employees that limited the “use of City-owned computers and all associated equipment, software, programs, networks, Internet, e-mail and other systems operating on these computer” to city business. This policy was acknowledged in writing by each city employee, and it was announced orally that this policy applied to pagers, according to the National Law Journal.

The article goes on to state that the 9th Circuit affirmed the district court’s finding that Quon had a reasonable expectation of privacy with respect to the text messages because the policy did not reflect the “operational reality” at the police department, where the staff were told that the department “would not audit their pagers so long as they agreed to pay for any overages” that exceeded a “25,000 character limit.” Consistent with that informal policy, Quon had exceeded that limit “‘three or four times’ and had paid for the overages every time without anyone reviewing the text of the messages,” demonstrating that the police department “followed its ‘informal policy’ and that Quon reasonably relied on it,” the author states.

In Stengart, Mr. Akerman argues the issue of the computer policies arose in the context of the attorney-client privilege. Marina Stengart used her employer’s laptop computer to communicate with her attorney about an anticipated lawsuit against her employer “through her personal, web-based, password-protected Yahoo email account.” After Stengart filed a discrimination suit, her then-ex-employer found many e-mails on the company computer between Stengart and her attorney. The employer’s computer policy was nearly identical to the policy addressed in Quon with one significant exception. Unlike the written policy in Quon, which limited use of the computers to the employer’s business, the policy in Stengart provided that “[o]ccasional personal use is permitted.”

The court found two specific “ambiguities” with the computer policy that “cast doubt over the legitimacy of the company’s attempt to seize and retain personal e-mails sent through the company’s computer via the employee’s personal email account.” First, the “policy neither defines nor suggests what is meant by ‘the company’s media systems and services,’ nor do those words alone convey a clear and unambiguous understanding about their scope.” Second, the court found that one could reasonably conclude “that not all personal emails are necessarily company property because the policy expressly recognizes that occasional personal use is permitted.” Given these ambiguities, Stengart could have assumed her e-mails with her attorney would be confidential.

The National Law Journal article says the third decision relates to a company’s ability to use evidence found on its own computers to bring a viable court action against the disloyal employee under the federal Computer Fraud and Abuse Act to retrieve the stolen data and prevent its dissemination in the marketplace. The CFAA provides a civil remedy for a company that “suffers damage or loss” by reason of a violation of the CFAA. A critical element in proving most CFAA claims is that the violator accessed the computer “without authorization” or “exceeding authorized access.”

The last case, LVRC Holdings LLC v. Brekka, Mr. Akerman argues, has made it more important than ever for corporate computer policies to address what is not permissible access to the company computer system. He reports that Brekka puts into question the concept that an employee’s authorization to access the company computers is predicated on his agency relationship with his employer such that when an employee violates his duty of loyalty by stealing his employer’s data, his authorization to access the company computers terminates. Brekka refused to apply the CFAA to a theft of employer data, holding that employees cannot act “without authorization” because their employer gave them “permission to use” the company computer.

Although this division in the circuit courts will ultimately have to be resolved by the U.S. Supreme Court, the article says that from an employer’s standpoint it is important to emphasize that the agency relationship with the employee is not the only way to prove that an employee’s access to the company computer was unauthorized or exceeded authorization. Employers can proactively establish the predicate for unauthorized access by promulgating the rules of access through company policies. The “CFAA … is primarily a statute imposing limits on access and enhancing control by information providers.” Thus, a company “can easily spell out explicitly what is forbidden” through several methods, including an employee handbook, explains the National Law Journal article.

Mr. Akerman concludes by suggesting that in designing corporate computer policies and employee agreements, it is important not to lose sight of the well-established operating principle that company computers are company property, and, as such, the company can “attach whatever conditions to their use it wanted to,” even if these conditions are not “reasonable.” Nonetheless, he suggests in light of Quon, Stengart and Brekka, a company should check its computer policies to make sure that they do the following:

• Clearly define the computer systems covered by the policy; expressly encompass whatever technology is used, such as text messaging or instant messaging; and address not only the servers but removable media such as thumb drives and disks.

• Make clear that all data created in furtherance of any personal use belongs to the company — including use of the company systems to access personal web-based e-mail accounts — and may be monitored by the company and will not be confidential.

• Reflect operational reality and are audited at least annually to ensure they reflect operational reality.

• Spell out precisely the scope of an employee’s permissible authorization to the company computers, particularly what they are not permitted to do, e.g., access the company computers to retrieve company data for a competitor.

The time to get this right is now, before the company finds itself the victim of a data theft.


Michigan Troopers Downloading Phone Data Without Warrants?

Think about this while you are driving around this Memorial Day weekend. The American Civil Liberties Union of Michigan claims that for several years now Michigan State Police have been using portable devices that allow them to secretly extract personal information from cell phones. In an article on Help Net Security, the ACLU says that the troopers have used the devices on cell phones of people pulled over for minor traffic infractions as well as people suspected of a crime.

The article says most of the devices used are from Cellebrite and can extract a great deal of data from most cell phones, including contacts, text messages, deleted text messages, call history, pictures, audio and video recordings, memory file dumps and more. GeekOSystems says the Cellebrite UFED Physical Pro Scanner (cut-sheet) was tested by the U.S. Department of Justice. The DOJ reported the device was capable of pulling all photos and video from an Apple (AAPL) iPhone in under a minute and a half. Cellebrite says their devices also can extract “existing, hidden, and deleted phone data, including call history, text messages, contacts, images, and geotags.” It can also extract your highly incriminating ringtones. These devices can also get around password protection and work on over 3,000 cellphone models, according to the web-site.

The ACLU is concerned that the MSP is using these devices to conduct warrantless searches without consent or a search warrant in violation of the 4th Amendment of the U.S. Constitution. Help Net Security reports that the ACLU of Michigan has been requesting information about MSP’s use of these devices for nearly three years by filing Freedom of Information Act requests to the Michigan State Police. The ACLU wants the troopers to reveal the data they collected, but it has had no luck so far. The article indicates that the MSP is stonewalling the ACLU’s Freedom of Information Act (FOIA) requests, resulting in possible court action.

Following those accusations, the Michigan State Police posted their side of the story in an official statement published on its website, according to another Help Net Security article. The MSP says it has “fulfilled at least one ACLU FOIA request on this issue …” The web posting also claims that the devices the MSP has in its possession can’t extract data without the officer actually having the owner’s mobile device in his hand, and they claim the scanners are properly used: “The DEDs (data extraction devices) are not being used to extract citizens’ personal information during routine traffic stops,” it explains. “The MSP only uses the DEDs if a search warrant is obtained or if the person possessing the mobile device gives consent.”

rb-

Wonder why the government keeps trying to make talking on a cell phone while driving a primary offense? Could it be so the government has an excuse to stop people and collect their personal data? The last sentence from the MSP is particularly chilling since people are strongly encouraged to cooperate with the police even when they know they did nothing criminal. Warrantless searches violate the protection against unreasonable search and seizure guaranteed by the 4th Amendment of the U.S. Constitution.

Secure motoring in Michigan!

What do you think?

Are smartphones losing their appeal because of all the privacy holes?

Does anyone care about privacy anymore?

Has a cop ever picked up your smartphone?

More WLAN Legal Wrangling

The wireless patent wars wage on. Ericsson (NASDAQ: ERIC), the Swedish telecommunications giant, has filed suit in the U.S. District Court for the Eastern District of Texas against a number of companies for alleged patent infringement of its IEEE 802.11 wireless products, reports CENS.com. CENS.com says the businesses named in Ericsson’s lawsuit include:

The CENS.com article says the lawsuit involves all WLAN (wireless local area network) devices either incorporating chipsets supplied by:

or OEM products made by:

Tech Connect reports that Ericsson claims the companies named are offering products that violate one or more of the following WLAN patents (number/title):

  • 6,466,568 – ‘Multi-rate radiocommunication systems and terminals’
  • 5,771,468 – ‘Multi-purpose base station’
  • 6,519,223 – ‘System and method for implementing a semi reliable retransmission protocol’
  • 6,330,435 – ‘Data packet discard notification’
  • 6,772,215 – ‘Method for minimizing feedback responses in ARQ protocols’
  • 6,424,625 – ‘Method and apparatus for discarding packets in a data network having automatic repeat request’
  • 6,173,352 – ‘Mobile computer mounted apparatus for controlling enablement and indicating operational status of a wireless communication’
  • 5,987,019 – ‘Multi-rate radiocommunication systems and terminals’
  • 5,790,516 – ‘Pulse shaping for data transmission in an orthogonal frequency division multiplexed system’

Ericsson asked that the infringing companies compensate it for its losses and asked the court to ban the sales of the infringing products. D-Link told CENS.com it cannot give any comment because the company had not received any file from the court, but it will not affect the sales of its products. Acer told CENS.com that its legal department had received the related notice and has started judicial procedures.

rb-

I have covered other WLAN patent suits here and here. While I’m no patent lawyer, what this says to me is that the WLAN market is starting to level off and firms are looking for “other” ways to make some money without producing products. A business tactic fresh from the 1980s.

I also noticed that this suit between a European firm (Ericsson) and Asian firms (Acer, Netgear and D-Link) was brought in U.S. District Court for the Eastern District of Texas. This seems to be a favorite place for firms to sue each other. I wonder if anyone has ever investigated why this court is so popular for alleged patent-troll cases.

One of the things that we instituted a while ago in our RFPs and contracts is a clause that requires the VAR and the manufacturer to hold the end-user harmless in regards to patent suits the VAR or manufacturer may get entangled in.

Who’s Suing Whom in the Telecom World?

Information is Beautiful has a great infographic showing the current state of telecommunications lawsuits. David McCandless at Information is Beautiful includes snippets of each lawsuit, which is helpful for understanding the overall picture. The diagram differentiates between ongoing and finished lawsuits with different arrows, while the size of each cube represents that company’s estimated revenue. In addition, if a company’s cube is red, it means its revenue is decreasing, while gray cubes represent companies with increasing revenues.

The companies involved include a who’s who of the telecom industry:

  • Apple
  • Elan
  • Hitachi
  • HTC
  • Kodak
  • Microsoft
  • Motorola
  • Nokia
  • RIM
  • Samsung
  • Sharp
  • Sony Ericsson
  • Qualcomm

Update Email Policy

A court case coming out of New Jersey could impact most firms’ privacy and security practices, according to an article on DarkReading. The New Jersey Supreme Court recently ruled in Stengart v. Loving Care Agency, Inc., 408 N.J.Super. 54, 973 A.2d 390 (Superior Ct., A.D. 2009) that an employer cannot read email messages sent via a third-party email service provider, even if the emails are accessed during work hours from a company PC.

The court found the company’s policy on email use to be vague, noting it allows “occasional personal use.” “The policy does not address personal accounts at all,” the decision said. “The policy does not warn employees that the contents of such emails are stored on a hard drive and can be forensically retrieved.”

The ruling, written by Chief Justice Stuart Rabner, in part states that the employee could “reasonably expect that emails she exchanged with her attorney on her personal, password-protected, Web-based email account, accessed on a company laptop, would remain private.” Rabner continues that the employee “plainly took steps to protect the privacy of those emails and shield them from her employer.” “She used a personal, password protected email account instead of her company email address and did not save the account’s password on her computer.”

The law firm of Jackson Lewis provides a legal overview of the case on their blog, The Workplace Privacy Data Management and Security Report, and recommends that employers consider modifying their existing electronic communication policies to include:

  • Clear notice that personal, web-based emails accessed using company networks and stored on company networks or company computers can be monitored and reviewed by the company (of course, care should be taken here to avoid concerns under the Electronic Communications Privacy Act and the Stored Communications Act);
  • Definitions of the specific technologies and devices to which the policies apply;
  • Warnings that web-based, personal e-mail can be stored on the hard-drive of a computer and forensically accessed;
  • No ambiguities about personal use.

Rb-

I am no lawyer; be sure to consult your attorney about this and all legal issues. In my opinion, this ruling is new law-making. The new laws are currently applicable only in New Jersey. However, unless the U.S. Supreme Court overturns this new law, it will be the starting point for all other litigation. Firms should begin reviewing and updating their technology policies to protect themselves from this new law.

An interpretation of the ruling suggests that employees have to be specifically warned that it is possible to forensically retrieve data from the firm’s computers. In this ruling, the Court found, “the Policy does not warn that the contents of personal, web-based e-mails are stored on a hard drive and can be forensically retrieved and read.”

Sounds like another shot in the arm for the content filtering firms.
