<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
   <channel>
      <title>Data Privacy Monitor - Gerald Ferguson</title>
      <link>http://www.dataprivacymonitor.com/author/gerald-ferguson</link>
      <description>Lawyers &amp; Attorneys for Information Security, Breach Notifications, Online Privacy, Cloud Computing &amp; Financial Privacy: Baker Hostetler Law Firm</description>
      <language>en</language>
      <copyright>Copyright 2013</copyright>
      <lastBuildDate>Fri, 19 Apr 2013 10:51:20 -0500</lastBuildDate>
      <pubDate>Fri, 19 Apr 2013 10:51:20 -0500</pubDate>
      <generator>http://www.sixapart.com/movabletype/?v=4.32-en</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

      
      <item>
         <title>What You Should Be Doing Now to Prepare for Implementation of the Cybersecurity Executive Order</title>
         <description><![CDATA[<p>Co-Authored by: <a href="http://www.bakerlaw.com/theodorejkobusiii/">Theodore J. Kobus III</a></p>
<p>A tempting response to the <a href="http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity">Cybersecurity Executive Order</a> (the "Order"), announced by President Obama at his State of the Union address, is to ignore it. It is vague in key particulars, such as which companies are part of the "critical infrastructure" and therefore subject to the Order. The only immediate effect of the Order is to require various departments and agencies, led by the Department of Homeland Security ("DHS"), to: (i) study issues; (ii) identify powers that can be exercised under existing laws; and (iii) come back with proposed plans of action. Maybe if we ignore it, it will go away.</p>
<p>But it won't. If you are a significant player in a <a href="http://www.dhs.gov/council-members-critical-infrastructure-partnership-advisory-council">regulated industry that has already been identified by DHS as part of the critical infrastructure</a> (which includes energy, health care, transportation, financial services, heavy manufacturing, food and drugs), if you are a government contractor, or especially if you are both, the Order is a statement of intent that should not be ignored.</p>
<p><a href="http://www.whitehouse.gov/cybersecurity/comprehensive-national-cybersecurity-initiative">The Administration has identified cybersecurity</a> as "one of the most serious economic and national security challenges we face as a nation, but one that we as a government or as a country are not adequately prepared to counter." &nbsp;The Executive Order focuses on two solutions: 1) enhanced security standards; and 2) better sharing of information between government and the private sector.</p>
<p>While the Executive Order describes these security standards as "voluntary," it also directs regulators to identify "incentives" for adopting these standards. Incentives under consideration include potential preferred treatment for government contractors who participate.</p>
<p>With respect to information sharing, the Executive Order only specifically discusses the government sharing information with industry about identified threats. <a href="http://www.whitehouse.gov/blog/2013/02/13/improving-security-nation-s-critical-infrastructure?utm_source=related">But the Administration has acknowledged that achieving the goals of the Executive Order</a> "will by necessity involve increased collaboration with the private sector and a whole-of-government approach." Initially this sharing may take the form of responding to questionnaires from the National Institute of Standards and Technology (NIST), or requests by the government to a company's security expert. Ultimately, be ready for requests for information related to cybersecurity threats coming from your regulators and government procurement officers.</p>
<p>What should you be doing now to prepare for the impact of the Executive Order on your company?</p>
<p><strong>(1) Review your incident response policies and, if necessary, update them to address the concerns of this Executive Order.</strong> Historically, breach reporting obligations have focused on lost personally identifiable information and protected health information because state and federal laws have focused on these losses. The Executive Order focuses on "infrastructure threats" and includes risks posed by trade secret theft, cyber terrorism and hacktivism. Make sure that the policies you have in place adequately address identifying infrastructure threats and escalating those issues to the appropriate people within your organization. There are going to be "whistleblowers" waiting to assist you with making these disclosures if you are not willing to confront these issues head on.</p>
<p><strong>(2) Look at your vendor lists and contracts.</strong> If you are not considered to be critical infrastructure, are your business partners? Are your business partners at risk for certain cybersecurity events like hacktivism and foreign government sponsored attacks? Are your key vendors demonstrating their readiness to you and should you be better protecting yourself in your contracts with these business partners?</p>
<p><strong>(3) Consider establishing or upgrading security audits -- not just of your own house, but of your business partners as well.</strong> Increasingly, government is looking not just at an organization but at that organization's business partners as well.</p>
<p><strong>(4) Finally, develop a regulatory strategy.</strong> Just like any other government relationship, figure out how you are going to leverage your existing relationships to guide you through this process and what their expectations are. Government, whether as a regulator or a partner in the war against cyberterrorism, expects transparency, cooperation, and a good attitude. Think about reaching out and starting a dialogue about these challenges and concerns as we figure out how to combat these cyber attacks.</p>]]></description>
         <link>http://www.dataprivacymonitor.com/cybersecurity/what-you-should-be-doing-now-to-prepare-for-implementation-of-the-cybersecurity-executive-order/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/cybersecurity/what-you-should-be-doing-now-to-prepare-for-implementation-of-the-cybersecurity-executive-order/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Cybersecurity</category>
         <pubDate>Mon, 25 Feb 2013 10:49:26 -0500</pubDate>
         <dc:creator>Gerald Ferguson</dc:creator>
      </item>
      
      <item>
         <title>Video Interview: Discussing Facebook&apos;s Updated Data Use Policy with LXBN TV</title>
         <description><![CDATA[<p>Following up on <a href="http://www.dataprivacymonitor.com/social-media/facebook-opens-door-to-giving-your-personal-information-to-an-affiliated-ad-agency/">my post explaining that Facebook's updated Data Use Policy could lead to them sharing user data with ad agencies</a>, I had the chance to speak with Colin O'Keefe of <a href="http://www.lxbn.com">LXBN</a> on the subject. In the interview, I break down the changes and offer my thoughts on how this compares to Google's policies.&nbsp;</p>
<p>
<object width="560" height="315" data="http://www.youtube.com/v/B29NPQFCnR4?version=3&amp;hl=en_US" type="application/x-shockwave-flash">
<param name="allowFullScreen" value="true" />
<param name="allowscriptaccess" value="always" />
<param name="src" value="http://www.youtube.com/v/B29NPQFCnR4?version=3&amp;hl=en_US" />
<param name="allowfullscreen" value="true" />
</object>
</p>]]></description>
         <link>http://www.dataprivacymonitor.com/social-media/video-interview-discussing-facebooks-updated-data-use-policy-with-lxbn-tv/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/social-media/video-interview-discussing-facebooks-updated-data-use-policy-with-lxbn-tv/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Social Media</category>
         <pubDate>Fri, 30 Nov 2012 14:34:45 -0500</pubDate>
         <dc:creator>Gerald Ferguson</dc:creator>
      </item>
      
      <item>
         <title>Facebook Opens Door to Giving Your Personal Information to an Affiliated Ad Agency</title>
         <description><![CDATA[<p>Give Facebook credit for candor. Facebook does not call the policy describing what it does with your personal information a &ldquo;privacy policy&rdquo;, but rather a &ldquo;Data Use Policy&rdquo;. The nomenclature is appropriate. The Facebook Data Use Policy is not so much about protecting the privacy of the information you share on Facebook as it is about Facebook&rsquo;s plans for making money from that information. And the latest revision of the Facebook Data Use Policy, scheduled to go into effect this week (the &ldquo;<a href="https://www.facebook.com/fbsitegovernance/app_4949752878">Proposed Policy</a>&rdquo;), suggests that Facebook&rsquo;s plans include buying an ownership interest in an advertising agency and giving your personal information to that agency.</p>
<p>Some of the changes in this Proposed Policy are merely clarification. Changes made earlier this year already provided that Facebook can use information posted about you on Facebook to &ldquo;personalize&rdquo; ads displayed to you <em>both</em> on Facebook and outside of Facebook. The latest Policy revisions make it clear that in &ldquo;personalizing&rdquo; ads, Facebook may consider using everything you do and say on Facebook and anything others say or display about you when they &ldquo;tag&rdquo; you. You may remove your posts and others&rsquo; tags from your timeline, but this action does not remove the information from Facebook&rsquo;s database.</p>
<p>The significant addition to this Policy is an entirely new provision that, for the first time, permits Facebook to engage in unlimited sharing of your personal information with &ldquo;affiliates&rdquo; with the following language:</p>
<p style="padding-left: 30px;">Affiliates</p>
<p style="padding-left: 30px;">We may share information we receive with businesses that are legally part of the same group of companies that Facebook is part of, or that become part of that group (often these companies are called affiliates). Likewise, our affiliates may share information with us as well. We and our affiliates may use shared information to help provide, understand, and improve our services and their own services.</p>
<p>Legally, an affiliate could include a company in which Facebook owns a minority interest. Facebook has not announced any new acquisitions, and there is no reason to believe that one is planned for the immediate future. But it is certainly plausible that this Proposed Policy is intended to pave the way for: (i) taking an ownership interest in an advertising agency and (ii) immediately commencing complete sharing of Facebook data with that advertising agency.</p>
<p>Given how much Facebook <em>knows</em> about its users, such an agency could be much more effective than current online ad networks, which serve advertisements based upon your behavior on the Internet (which they deduce through cookies placed on your browser by websites you&rsquo;ve visited and advertisements you&rsquo;ve clicked).</p>
<p>But nothing in the Proposed Policy limits Facebook&rsquo;s use of your information &ldquo;off Facebook&rdquo; to on-line advertising. With its facial recognition software and its location tools, Facebook could place a camera at the entrance to a department store to identify you as you enter. Then, a digital sign linked to Facebook&rsquo;s database could flash to you information about in-store offerings, based on Facebook&rsquo;s cataloging of your interests and desires.&nbsp; Oh what a brave new world, indeed.</p>]]></description>
         <link>http://www.dataprivacymonitor.com/social-media/facebook-opens-door-to-giving-your-personal-information-to-an-affiliated-ad-agency/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/social-media/facebook-opens-door-to-giving-your-personal-information-to-an-affiliated-ad-agency/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Social Media</category>
         <pubDate>Mon, 26 Nov 2012 15:00:00 -0500</pubDate>
         <dc:creator>Gerald Ferguson</dc:creator>
      </item>
      
      <item>
         <title>Data Breach Class Action against Popular Video Game Developer Dismissed for Failure to Plead Adequate Damages</title>
         <description><![CDATA[<p>Authored by: <a href="mailto:apate@bakerlaw.com">Alan Pate</a></p>
<p>In a ruling this past Wednesday, November 14<sup>th</sup>, a Federal Judge in the Western District of Washington dismissed a class action against video game developer Valve Corporation. The class action stemmed from a November 6<sup>th</sup>, 2011 data breach of Valve&rsquo;s popular online video game distribution platform, &ldquo;Steam.&rdquo; As a result of this breach hackers allegedly gained access to billing addresses, passwords, online handles/ID&rsquo;s, and credit card information. Plaintiffs, a class of Steam subscribers, brought claims under six separate California causes of action alleging both present and future harm resulting from this breach.</p>
<p>Judge James L. Robart dismissed all of plaintiffs&rsquo; claims for failure to adequately plead damages. Judge Robart&rsquo;s order discussed the legal inadequacy of the pleadings on both the future and present damages claims. As to the future damages, Plaintiffs had pleaded that because of the 2011 data breach they may be forced to spend money at some unspecified time in the future to &ldquo;protect their privacy.&rdquo; Citing a string of cases addressing this issue, Judge Robart explained, &ldquo;when personal information is compromised due to a security breach, there is no cognizable harm absent actual fraud or identity theft.&rdquo; Alleging only the possibility of future harm was insufficient.</p>
<p>As for present damages, Plaintiffs had pleaded that as a result of the 2011 breach they had &ldquo;various services and subscription interrupted, loss of data, &hellip; an inability to access various gaming networks,&rdquo; and that they lost money paid to Valve for &ldquo;products and services.&rdquo; Judge Robart held that this too was an insufficient plea of damages. Emphasizing the &ldquo;higher plausibility threshold&rdquo; that their complaint required due to the size and potential expense of the data breach class action, Judge Robart explained that to overcome a motion to dismiss, the plaintiffs must lay out exactly <em>what</em> services were interrupted, <em>what</em> data was lost, or <em>how</em> exactly money was lost on their Steam subscriptions (a free service).</p>
<p>Plaintiffs&rsquo; claims were dismissed without prejudice and they were given leave to amend within 30 days. The case is <em>Grigsby v. Valve, Corp.</em>, No. C12-0553 (W.D.Wa. Nov. 14, 2012).</p>]]></description>
         <link>http://www.dataprivacymonitor.com/data-breaches/data-breach-class-action-against-popular-video-game-developer-dismissed-for-failure-to-plead-adequat/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/data-breaches/data-breach-class-action-against-popular-video-game-developer-dismissed-for-failure-to-plead-adequat/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Data Breaches</category>
         <pubDate>Fri, 16 Nov 2012 17:26:23 -0500</pubDate>
         <dc:creator>Gerald Ferguson</dc:creator>
      </item>
      
      <item>
         <title>Call Centers Increasingly Targeted in Class Action Lawsuits for Statutory Penalties Under Decades-Old California Law</title>
         <description><![CDATA[<p><em>Authored by: <a href="http://www.bakerlaw.com/paulgkarlsgodt/">Paul Karlsgodt</a></em></p>
<p><em>Editor&rsquo;s Note &ndash; This article is a joint submission to BakerHostetler's <a href="http://www.classactionlawsuitdefense.com/">Class Action Lawsuit Defense</a> blog.</em></p>
<p>Companies that provide call center services to consumers are increasingly being targeted in class action lawsuits under an arcane section of the California penal code that provides a civil right of action and statutory damages for monitoring or recording of confidential telephone conversations without the other party&rsquo;s knowledge or consent. Sections 630 et seq. of the California Penal Code were enacted in the 1960s to prevent illegal surveillance of confidential telephone calls. In the past several years, plaintiffs have attempted to use the statute to seek damages against the operator of a customer service call center that fails to include a notice at the beginning of each customer service call that the call &ldquo;may be monitored or recorded&rdquo; for training or quality assurance purposes. Since this type of notice is ubiquitous among call centers, the failure to provide the notice can often be the result of a system error or a design flaw in the call system. Plaintiffs&rsquo; lawyers have been taking advantage of these errors by filing class actions for statutory damages for each call that was made from California during any time period during which the warning was not provided.</p>
<p>The exposure in these cases can be enormous because the statute provides for $5,000 in statutory damages, an amount that the lawsuits allege is owed for each call. For example, a call center that receives 1,000 calls during a time in which the warning was not provided may find itself defending a $5 million lawsuit, and 10,000 calls means a $50 million lawsuit. The high exposure amounts, coupled with the seemingly low standard that has been adopted by the California state courts to determine what constitutes a &ldquo;confidential&rdquo; telephone conversation, has caused many defendants to rush to early settlements rather than face the risks of litigation.</p>
<p><strong>SETTLEMENT MAY NOT BE THE ANSWER!</strong></p>
<p>A defendant should not assume that there is no defense to a case filed under the Privacy Act (Penal Code sections 630 et seq., commonly called the California Invasion of Privacy Act or CIPA). Defenses on the merits that have been raised in Privacy Act cases include that call centers were intended to be exempt from the statute altogether, that the aggregation of statutory penalties violates due process and that customer service calls are not confidential in nature. Individual defenses to the named plaintiff&rsquo;s claims may also exist. For example, the claims of individual plaintiffs may be susceptible to arguments that 1) the plaintiff signed an arbitration agreement; 2) the circumstances surrounding the plaintiff&rsquo;s call show that there was no expectation of confidentiality; or 3) the plaintiff knew the call was being recorded despite the lack of express notice.</p>
<p>There are also defenses to class certification based on factual variations, despite the uniform nature of the statutory remedy. Plaintiffs will argue that the fixed nature of the available remedy and the objective standards for determining the expectation of confidentiality and the disclosure of sensitive information simplifies the cause of action and alleviates the need for certain individualized questions. However, in cases involving recorded telephone conversations, there can be significant factual differences from caller to caller on facts ranging from the location of the caller at the time of the call, to the nature of the conversation alleged to be confidential, to the facts bearing on the caller&rsquo;s knowledge or understanding that the call may be recorded. The California Privacy Act is just one of the various statutes that are increasingly becoming targeted for class action lawsuits because of the availability of a statutory penalty.</p>]]></description>
         <link>http://www.dataprivacymonitor.com/privacy/call-centers-increasingly-targeted-in-class-action-lawsuits-for-statutory-penalties-under-decades-ol/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/privacy/call-centers-increasingly-targeted-in-class-action-lawsuits-for-statutory-penalties-under-decades-ol/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Privacy</category>
         <pubDate>Tue, 23 Oct 2012 15:53:03 -0500</pubDate>
         <dc:creator>Gerald Ferguson</dc:creator>
      </item>
      
      <item>
         <title>Video Interview: Breaking Down the Amazon Cookie Litigation with LXBN TV</title>
         <description><![CDATA[<p>Following up on <a href="http://www.dataprivacymonitor.com/online-privacy/lessons-for-privacy-advocates-and-website-operators-from-amazon-cookie-litigation/">my post on the subject</a> last week I had the opportunity to speak with Colin O'Keefe of <a href="http://lxbn.lexblog.com">LXBN</a> regarding the recent cookie litigation Amazon was facing. In the brief interview, I explain the case, the lessons from it and how a change may soon be coming for data privacy litigation.&nbsp;</p>
<p>
<object width="560" height="315" data="http://www.youtube.com/v/Z3vplEXkw3w?version=3&amp;hl=en_US" type="application/x-shockwave-flash">
<param name="allowFullScreen" value="true" />
<param name="allowscriptaccess" value="always" />
<param name="src" value="http://www.youtube.com/v/Z3vplEXkw3w?version=3&amp;hl=en_US" />
<param name="allowfullscreen" value="true" />
</object>
</p>]]></description>
         <link>http://www.dataprivacymonitor.com/online-privacy/video-interview-breaking-down-the-amazon-cookie-litigation-with-lxbn-tv/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/online-privacy/video-interview-breaking-down-the-amazon-cookie-litigation-with-lxbn-tv/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Tue, 07 Aug 2012 12:00:00 -0500</pubDate>
         <dc:creator>Gerald Ferguson</dc:creator>
      </item>
      
      <item>
         <title>Lessons For Privacy Advocates and Website Operators From Amazon Cookie Litigation</title>
         <description><![CDATA[<p>A Washington federal district court has dismissed with prejudice class action claims against Amazon alleging that the company&rsquo;s use of cookies to track consumers&rsquo; personal data violated the Computer Fraud and Abuse Act (CFAA), and has requested further briefing on a claimed violation of the Washington Consumer Protection Act (WCPA). (<a href="http://www.scribd.com/doc/96021086/Del-Vecchio-v-Amazon-C11-366RSL-W-D-Wash-June-1-2012"><em><strong>Del Vecchio v. Amazon</strong></em></a>). This decision highlights how important it is for website operators to clearly and conspicuously disclose how they use cookies, while raising the question of who should profit from the invisible traffic in information that takes place whenever we activate our web browser.</p>
<p>Cookies are small pieces of data (not code) that website operators can send to Internet browsers accessing their sites; the browser stores them and sends them back with later requests to the same site. While cookies may be set to expire when a browsing session terminates, many cookies remain stored in a user&rsquo;s browser. Each subsequent time that the browser loads a webpage on the site, the operator can read the data stored in those cookies to customize webpages based on the user&rsquo;s browsing activities. The most controversial cookies are those set by third parties embedded in many different sites, which let a single operator track a user&rsquo;s activity across the Internet. The European Union has enacted regulations requiring website operators to more fully <a href="http://www.dataprivacymonitor.com/online-privacy/uk-privacy-office-commences-enforcement-of-cookie-rules/"><strong>disclose how websites deploy cookies</strong></a>, and to give users more control over the cookies placed on their browsers. The <a href="http://www.dataprivacymonitor.com/federal-legislation/ftc-issues-final-report-with-guidance-on-companies-online-privacy-practices/"><strong>FTC has issued a white paper</strong></a> calling on industry to adopt similar disclosure practices in the United States.</p>
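<p>The distinctions drawn above (session cookies that vanish when the browser closes versus persistent ones that stay and can be read back, and cookies belonging to the site you are visiting versus cookies scoped to a third-party tracker) are visible in the Set-Cookie headers a page load produces. The Python script below is an added example for this post; it is not code from the original article, from Amazon, or from the court record, and the Set-Cookie headers and host names in it are constructed for illustration. It classifies each cookie by lifetime and by whether its scope belongs to the visited site, then lists the cookies that can follow a user across sites: those that are both persistent and third-party.</p>

```python
"""Classify cookies from Set-Cookie headers by lifetime and by party.

Added example; the headers and host names below are constructed, not captured
from Amazon or any real site.
"""
from http.cookies import SimpleCookie

# The site the user is visiting and the Set-Cookie headers the page load
# produced, as (host that sent the response, header value) pairs. Constructed.
PAGE_SITE = "shop.example"
SAMPLE_SET_COOKIE = [
    # First-party session cookie: no Expires/Max-Age, gone when the browser closes.
    ("shop.example", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    # First-party persistent cookie: kept for 30 days.
    ("shop.example", "recent_views=shoe_hat; Max-Age=2592000; Path=/"),
    # Third-party persistent cookie set by an ad/tracking host embedded in the page.
    ("ads.tracker.example",
     "uid=7f3e; Expires=Wed, 31 Dec 2025 00:00:00 GMT; Domain=.tracker.example; Path=/"),
]


def is_persistent(morsel) -> bool:
    """A cookie outlives the browser session only if it carries Expires or Max-Age."""
    return bool(morsel["expires"]) or bool(morsel["max-age"])


def is_first_party(setting_host: str, cookie_domain: str, page_site: str) -> bool:
    """The cookie is first-party when its scope is the visited site or a sub-domain of it.

    The Domain attribute, if present, sets the scope (a leading dot is legacy
    syntax and is ignored); otherwise the cookie is scoped to the host that set it.
    """
    scope = (cookie_domain or setting_host).lstrip(".").lower()
    return scope == page_site or scope.endswith("." + page_site)


def classify_cookies(set_cookie_headers, page_site):
    """Map each cookie name to '{session|persistent}-{first|third}-party'."""
    kinds = {}
    for setting_host, header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses one Set-Cookie header into Morsel objects
        for name, morsel in jar.items():
            life = "persistent" if is_persistent(morsel) else "session"
            party = "first" if is_first_party(setting_host, morsel["domain"], page_site) else "third"
            kinds[name] = f"{life}-{party}-party"
    return kinds


def cross_site_trackers(set_cookie_headers, page_site):
    """Cookies that can follow the user to other sites: persistent and third-party."""
    kinds = classify_cookies(set_cookie_headers, page_site)
    return sorted(name for name, kind in kinds.items() if kind == "persistent-third-party")


if __name__ == "__main__":
    for name, kind in classify_cookies(SAMPLE_SET_COOKIE, PAGE_SITE).items():
        print(f"{name}: {kind}")
    print("cross-site trackers:", cross_site_trackers(SAMPLE_SET_COOKIE, PAGE_SITE))
```

<p>Run against the constructed headers, the script reports the shop&rsquo;s own cookies as first-party and singles out only the tracker&rsquo;s persistent cookie as one that can be read back on other sites. Blocking third-party cookies in the browser, the setting the Del Vecchio plaintiffs said they had enabled, is aimed at exactly that last category.</p>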
<p>In Del Vecchio, the plaintiffs complained that Amazon placed cookies on their hard drives against their wishes, even after users had attempted to block cookies with their browser setting. Under the CFAA, a plaintiff can state a civil cause of action where a defendant intentionally accesses a computer without authorization, but only if such conduct causes the plaintiff loss or damages of at least $5,000 over a one-year period. In arguing that they met the damages threshold, the Del Vecchio plaintiffs claimed that Amazon derived substantial financial gain through its use of cookies to gather the plaintiffs&rsquo; personal information. Conversely, plaintiffs claimed that they lost the opportunity to realize such gain.</p>
<p>Assuming the factual allegations of the complaint to be true for the purposes of the motion, the court acknowledged that, in theory, a plaintiff&rsquo;s lost opportunity to sell his computer usage data to marketers could constitute a monetary loss that satisfies the $5,000 damage threshold of the CFAA.&nbsp; But here, the court found that the plaintiffs&rsquo; claims were entirely speculative because they did not allege facts showing that they had the capacity or opportunity to independently monetize their raw computer usage information. As a result, the court granted Amazon&rsquo;s motion to dismiss for the plaintiffs&rsquo; failure to state a claim under the CFAA.</p>
<p>The court further found that the plaintiffs still might have a viable claim under Washington&rsquo;s Consumer Protection Act (the &ldquo;WCPA&rdquo;). The WCPA requires a showing of injury, but, unlike the CFAA, does not require a plaintiff to demonstrate monetary damages in order to satisfy the requirement. In this case, the court stated that in order to allege an injury, the plaintiffs would need to demonstrate that Amazon accessed their computers or their information without authorization.</p>
<p>The court noted that Amazon&rsquo;s &ldquo;Conditions of Use and Privacy Notice&rdquo; notifies visitors to Amazon sites that the company uses cookies and that the terms state that the plaintiffs&rsquo; use of Amazon was conditioned on their acceptance of those very terms. The court asked the parties to file additional briefings on the issues of: (1) whether plaintiffs had authorized Amazon&rsquo;s use of cookies and (2) whether Amazon&rsquo;s conduct was unfair or deceptive in light of Amazon&rsquo;s terms.</p>
<p>In light of the Del Vecchio decision, the recent EU cookie regulation, and concerns raised by the FTC regarding cookies, website operators should re-evaluate the manner in which they disclose cookies deployed on their website and obtain consent from users for placing these cookies on users&rsquo; browsers. While it appears that the CFAA is not available as a vehicle for privacy class action claims, privacy class action attorneys are continuing to look for other legal bases for such claims, such as the WCPA. Increased regulatory scrutiny of cookie practices is likely to further stir such litigation.</p>
<p>But the Del Vecchio decision also issues a challenge for privacy advocates looking to protect consumer web browsing practices. Under the holding in Del Vecchio, if consumers could sell their web usage information to marketers, then they could invoke the CFAA to prevent third parties from deploying cookies to take this web usage information without their consent. Rather than more class actions, consumers may be better served by the development of marketplaces where they can sell their web usage information for marketing purposes, rather than giving it away to the websites they access.</p>]]></description>
         <link>http://www.dataprivacymonitor.com/online-privacy/lessons-for-privacy-advocates-and-website-operators-from-amazon-cookie-litigation/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/online-privacy/lessons-for-privacy-advocates-and-website-operators-from-amazon-cookie-litigation/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Mon, 30 Jul 2012 12:57:59 -0500</pubDate>
         <dc:creator>Gerald Ferguson</dc:creator>
      </item>
      
      <item>
         <title>Reading This Might Just Preserve Your Identity and Reputation</title>
         <description><![CDATA[<p><em>Authorship Credit: Dave Taylor, Director, Information Technology, Baker &amp; Hostetler LLP</em></p>
<p>We are seeing a dramatic increase in spam and email phishing schemes once again.&nbsp; These schemes have become very sophisticated in their ability to mimic the multitudes of legitimate on-line transactions that occur every day.&nbsp; Please consider the following when reading and reacting to emails.</p>
<p>1. The bad guys love playing off of our emotions.&nbsp; So they have taken to all manner of &ldquo;inspiring&rdquo; a reaction (mouse click) from us.&nbsp; You have likely seen at least one of the following recently:</p>
<ul>
<li>A purchase confirmation for something you didn&rsquo;t buy. PayPal and eBay top the list of spoofed senders lately.</li>
<li>A password reset or other account activity notice for something you didn&rsquo;t actually do, purportedly from American Express, Verizon, or Apple iTunes/App Store.</li>
<li>A LinkedIn request from someone you don&rsquo;t know.</li>
<li>An enticing &ldquo;offer&rdquo; that seems to be based on something about you, or that is actually legitimate or important to you, like a subscription offer for some compelling professional content. &ldquo;This must be real, because this offer is only coming to me because it relates to my profession&hellip;&rdquo;</li>
<li>A text message or IM that has a web link in it, usually congratulating you on winning $100 or something better!</li>
</ul>
<p>2. Please keep the following in mind:</p>
<ul>
<li>If your name or email address is not in the To: field of an email, treat it as a fake. (Mass mailings sometimes use Bcc, but a message about <em>your</em> account, order, or password should be addressed to you.)</li>
<li>If there are other names in the To: or Cc: field of the email, it is a fake. No company is going to send you private account info, receipts, or password reset requests AND send them to anyone else at the same time.</li>
<li>No company or web site is going to send you an unsolicited password reset link by email. If you receive one you did not request, do not use it; go to the site directly by typing its address and check your account there.</li>
<li>LinkedIn is being used more and more for phishing AND social engineering attempts. Even if the LinkedIn request actually takes you to LinkedIn, do not automatically accept invitations or connect with anyone you don&rsquo;t know, even if they appear to be connected with others you may know. Hackers and cyber criminals are using every means available to them to build a facade of credibility.</li>
<li>BlackBerry, iPhone, and iPad are not immune to malware and phishing attacks. In fact, because these devices are MOBILE, the bad guys are expecting that your guard is down when working from them. Many attacks are now designed to exploit vulnerabilities specific to mobile devices.</li>
<li>Text messaging is now being used to launch phishing and malware attacks almost as frequently as email. And many of the mobile platforms are just now patching vulnerabilities that can be used to steal your personal information.</li>
</ul>
<p>3. What can I do to protect myself and the firm from hackers and phishers?</p>
<ul>
<li>Pay close attention to any and every email you read. Train yourself to question the legitimacy of any email that &ldquo;feels&rdquo; wrong.</li>
<li>Remind yourself to delay reacting to such emails, especially from your mobile devices.</li>
<li>Look for your name, and JUST your name, in the header of the email.</li>
<li>Update your mobile device software frequently.</li>
<li>Do not click on links in emails, especially from a mobile device; but if you must, at least &hellip;</li>
<li>Practice the &ldquo;hover&rdquo;: by hovering your mouse cursor over a link, you will see the actual web address you would be connected to (on a touch device, pressing and holding the link usually shows the same preview). If it appears to be completely unrelated to the content of the email, i.e. does not include even the web site or business name, then it&rsquo;s a fake. DO NOT CLICK on any such link.</li>
<li>Read web links carefully. You must read to the end of the host name to see where a link is actually taking you; don&rsquo;t be fooled by the first part. For example, this link is not related to American Express in any way: americanexpress.com.1243abc.badguy.com. The domain that controls where you end up is the right-most part, badguy.com; everything to its left is just a sub-domain the attacker created under it. Real attackers will not be as obvious as this example. And from your mobile device you might not even be able to scroll to the end: if the window only showed you &ldquo;americanexpress&rdquo; or &ldquo;americanexpress.com&rdquo; and cut off the rest, it would look completely legitimate. The bad guys know this and are counting on it.</li>
</ul>]]></description>
         <link>http://www.dataprivacymonitor.com/online-privacy/reading-this-might-just-preserve-your-identity-and-reputation/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/online-privacy/reading-this-might-just-preserve-your-identity-and-reputation/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Identity Theft</category><category domain="http://www.dataprivacymonitor.com/">Information Security</category><category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Thu, 07 Jun 2012 18:57:15 -0500</pubDate>
         <dc:creator>Gerald Ferguson</dc:creator>
      </item>
      
      <item>
         <title>You Are What They Tweet: Why Clear Social Media Policies are Becoming More Critical to Employers in This Tech Age</title>
         <description><![CDATA[<p><em><span style="font-size: xx-small;">Authorship Credit: <a href="http://www.bakerlaw.com/TarshaLTLuke"><strong>Tarsha Luke</strong></a></span></em></p>
<p>The recent termination of a top executive of a publicly traded company is another example of some of the perils of mixing personal and workplace social media. The chief financial officer for a women's clothing retailer, Francesca's Holdings, was dismissed for disseminating non-public corporate information to his Twitter followers. After a company board meeting he tweeted about the company's earnings. Using the handle "@theoldcfo," he wrote: "Board meeting. Good numbers=Happy Board." Subsequently, the company's stock jumped fifteen percent. Strictly enforcing its social media policy, the Houston-based company decided to fire its CFO for that tweet, in addition to a series of other posts he sent from his social media accounts since 2010.</p>
<p>This case sheds light on the legal consequences relating to the use of social media in the workplace. Employee Internet posts not only implicate the financial rules of the Securities and Exchange Commission, as was the case for Francesca's, but they can also create compliance issues under the regulations of other agencies, including:</p>
<ul>
<li>Financial Industry Regulatory Authority (FINRA), </li>
<li>Federal Trade Commission (FTC), </li>
<li>Food and Drug Administration (FDA) and </li>
<li>National Labor Relations Board (NLRB), Office of the General Counsel.</li>
</ul>
<p>Furthermore, rogue social media use can put company trade secrets and client confidences in jeopardy. This is why it is increasingly important for all companies, not just publicly traded companies, to have a social media policy. A good social media policy should address both employee behavior on company-affiliated media, as well as employee behavior that can be traced back and imputed to the company.</p>
<p>Below are some considerations for creating and implementing a social media policy:</p>
<ul>
<li>Almost anything written on the web can be easily traced back to its author, and ultimately the place where he works. This is because online information is backed up repeatedly and often and posts in one forum are usually replicated in other forums through trackbacks, reposts or references. Therefore, social media policies should be applicable to all types of workers including employees, temporary or seasonal workers, independent contractors or anyone with access to a company computer. </li>
<li>Companies with employee-generated content on company-branded websites, blogs, wikis or other social networking sites should have formal procedures to review what its employees post on its behalf. When possible, it is best practice to treat all employees' posts on company-branded sites as if they were being published in more traditional media. </li>
<li>Nevertheless, a company cannot prevent an employee from using the company's name or trademark for non-commercial purposes on his or her own time to complain about wages, terms and conditions of employment, working conditions or other protected employee rights under Section 7 of the National Labor Relations Act (NLRA). </li>
<li>An employer should avoid using vague language in its social media policy, such as "appropriate," "inappropriate" or "professional." Terms should be defined either by using examples or by using language that carves out an exception for employee rights protected under the&nbsp;NLRA. </li>
<li>A company should be careful about asking an employee or prospective employee to provide usernames and passwords to personal social networking websites, without first weighing the business concerns of doing so. In addition to potentially facing serious public relations concerns for choosing to implement such a policy, there soon may be legal liability for requesting private social media passwords. Maryland enacted a law prohibiting employers from asking for social media passwords, which will take effect on October 1, 2012. Other states are also rapidly following suit, including Illinois, California, Minnesota, Michigan, Massachusetts, and Ohio. Furthermore, the federal government is also interested in this topic. Two U.S. Senators have asked the Department of Justice and the U.S. Equal Employment Opportunity Commission to look into the issue.</li>
</ul>
<p>For more information and guidance on this issue,&nbsp;see a recent article published by Labor and Employment Partner&nbsp;<a href="http://www.bakerlaw.com/danieljguttman/"><strong>Dan Guttman</strong></a>&nbsp;titled: "<a href="http://www.dataprivacymonitor.com/Guttman_Article_Social_Media_04242012.pdf"><strong>What Can Management Do to Protect the Organization From Inappropriate Use of Social Media?</strong></a>"</p>]]></description>
         <link>http://www.dataprivacymonitor.com/social-media/you-are-what-they-tweet-why-clear-social-media-policies-are-becoming-more-critical-to-employers-in-t/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/social-media/you-are-what-they-tweet-why-clear-social-media-policies-are-becoming-more-critical-to-employers-in-t/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Social Media</category>
         <pubDate>Thu, 31 May 2012 08:54:56 -0500</pubDate>
         <dc:creator>Gerald Ferguson</dc:creator>
      </item>
      
      <item>
         <title>UK Privacy Office Commences Enforcement of Cookie Rules</title>
         <description><![CDATA[<p>The reports of the Internet&rsquo;s demise were greatly exaggerated. On May 25, 2012, the United Kingdom Information Privacy Office (the &ldquo;IPO&rdquo;)&nbsp; ended its one-year moratorium on the enforcement of the <a href="http://www.legislation.gov.uk/uksi/2011/1208/contents/made">European Directive</a> governing the use of cookies (the &ldquo;Cookie Directive&rdquo;) and, contrary to the <a href="http://techcrunch.com/2011/03/09/stupid-eu-cookie-law-will-hand-the-advantage-to-the-us-kill-our-startups-stone-dead/">doomsayers</a>, the Internet continues to function (as I assume it still is if you are reading this blog).</p>
<p>Enforcement has begun softly, with regulators sending letters to selected companies asking for explanations as to how these companies are complying with the Cookie Directive. As of yet, no major enforcement actions have been announced.</p>
<p>Earlier this month, the IPO eased the concerns of many by issuing a <a href="http://www.dataprivacymonitor.com/cookies_guidance_v3.pdf">Guidance</a>&nbsp;that affirmed the use of &ldquo;implied consent&rdquo; to cookies in many contexts. This Guidance indicates that disclosing cookie use through the Terms of Use in a website will be sufficient disclosure for many cookies which are commonly used by websites simply to improve the website&rsquo;s functioning.</p>
<p>But uncertainties remain&mdash;the IPO has declined to state &ldquo;bright line rules&rdquo; of acceptable and unacceptable practices, and instead has emphasized that each web operator must adopt disclosure practices appropriate for its users in light of the manner in which it uses cookies.&nbsp; Accordingly, it is critically important to pay attention to what peer websites are doing and not fail to adopt disclosure practices that become industry standard.</p>
<p>US-based web sites should not assume that they are immune from concerns about the Cookie Directive. Even U.S. websites that do not have a physical presence in Europe may be subject to enforcement actions from European privacy authorities.&nbsp; In a tour of Silicon Valley this Spring, Jacob Kohnstamm, a European privacy regulator, warned that <a href="http://www.npr.org/2012/04/30/151688976/europe-pressures-u-s-tech-on-internet-privacy-laws">enforcement action</a> would be taken against US companies which place cookies on browsers in Europe and disregard European cookie regulation.</p>
<p>Accordingly, every website operator with a significant user base in Europe should be prepared to respond to European privacy regulators asking what steps have been taken to comply with the Cookie Directive.&nbsp; At a minimum, that answer should include the following:</p>
<ol>
<li>an audit of every cookie employed on the website to determine its use and function;</li>
<li>a review of current disclosures of cookies, and a revision of those disclosures, where necessary, to clearly communicate the use and function of cookies employed on the site; and</li>
<li>consideration, and where appropriate, implementation of new procedures to more effectively demonstrate user consent to cookies employed on the site.</li>
</ol>]]></description>
         <link>http://www.dataprivacymonitor.com/online-privacy/uk-privacy-office-commences-enforcement-of-cookie-rules/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/online-privacy/uk-privacy-office-commences-enforcement-of-cookie-rules/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Tue, 29 May 2012 08:23:08 -0500</pubDate>
         <dc:creator>Gerald Ferguson</dc:creator>
      </item>
      
      <item>
         <title>Lessons Learned from the Second Circuit&apos;s Reinstatement of Copyright Suit Against YouTube</title>
         <description><![CDATA[<p>The Social Media revolution is built on two legal foundations &ndash; the <a href="http://www.law.cornell.edu/uscode/text/17/512">Digital Millennium Copyright Act</a> (&ldquo;DMCA&rdquo;) which generally protects websites that host user generated content from copyright claims, and the <a href="http://www.law.cornell.edu/uscode/text/47/230">Communications Decency Act</a>, which generally protects such websites from claims based on the publication of defamatory or other illegal content. The Second Circuit sent shockwaves through one of those foundations &ndash; the DMCA &ndash; by issuing a <a href="http://www.dataprivacymonitor.com/Viacom%20v%20%20YouTube.pdf">decision</a> yesterday that reinstated copyright claims made against YouTube based upon videos posted on the YouTube site by users. While the direct implications of this suit for YouTube may be minimal -- YouTube has stated that the suit on remand only involves a handful of videos that were eliminated many years ago -- the decision should be taken as a warning by any website hosting user generated content.</p>
<p>In March 2007 Viacom International Inc. (&ldquo;Viacom&rdquo;) filed suit against YouTube, Inc. alleging copyright infringement of the content of the company&rsquo;s television programs and movies which were displayed on YouTube&rsquo;s popular website. Many other copyright owners joined the suit. Following a long line of decisions that have insulated website operators from copyright suits based on content posted on the site by users, District Judge Stanton dismissed the complaint, citing the protections offered by the DMCA. Yesterday, April 5, 2012 the Second Circuit upheld most of Judge Stanton&rsquo;s decision but remanded specific issues for trial.</p>
<p>The Second Circuit&rsquo;s decision minimizes the level of protection service providers recently enjoyed under the DMCA against copyright claims. In the earlier decision of this matter, the district court was presented evidence that surveys by YouTube employees showed that many of the videos on the site might be the result of potential copyright infringement. The court, however, found that such knowledge constituted only generalized knowledge of possible infringement and not the specific knowledge that falls outside of the protection of the DMCA. However, Judge Stanton did not consider the willful blindness doctrine, which would assess whether YouTube made a &ldquo;deliberate effort to avoid guilty knowledge&rdquo; of specific infringing activity on its website.</p>
<p>In reversing part of the district court&rsquo;s decision, the Second Circuit ruled that a trier of fact may apply this doctrine &ldquo;to demonstrate knowledge or awareness of specific instances of infringement under the DMCA&rdquo; in order to determine whether YouTube should receive protection under the act.</p>
<p>The good news for a host of user generated content is that the Second Circuit affirmed that the DMCA does provide broad protection for hosts of user generated content. Specifically, the Second Circuit affirmed the following protections provided by the DMCA:</p>
<ul>
<li>The website operator still must have knowledge or awareness of &ldquo;specific and identifiable infringements.&rdquo;</li>
<li>A host of user generated content has no duty to moderate the site or seek out specific infringing activity.</li>
<li>A host of user generated content is not subject to liability under vicarious infringement principles merely because it has the ability to block content.</li>
</ul>
<p>The following activities by the host of user generated content were specifically found to be protected by the DMCA: &ldquo;transcoding content&rdquo; (converting it to another format); playing back content at users&rsquo; requests; and providing for the automated indexing of content.</p>
<p>But in reinstating part of the case for trial, and by directing the district court to make factual findings on specific issues, the Second Circuit identified conduct that could place any host of user generated content at risk of losing the safe harbor protection of the DMCA:</p>
<ul>
<li>Communications by employees which suggest awareness that specific content posted by users is infringing.</li>
<li>Activities which a jury might view as attempts to avoid knowledge that content posted by users is infringing.</li>
<li>Syndicating or licensing user generated content to third parties.</li>
</ul>
<p>While the DMCA remains alive and well after the Second Circuit&rsquo;s Viacom decision, the hosts of user generated content should not assume that they are insulated from liability just because they are complying with the formal procedures established by the DMCA for the removal of infringing user generated content from websites. Hosts of user generated content should review their practices and procedures in light of the &ldquo;issues of fact&rdquo; identified by the Second Circuit&rsquo;s Viacom decision, to ensure that they are minimizing the risk of copyright liability for the acts of others.</p>
<p>Authorship credit: <a href="http://www.bakerlaw.com/geraldjferguson/">Gerald Ferguson</a>&nbsp;&amp; <a href="http://www.bakerlaw.com/peterbrown/">Peter Brown</a></p>]]></description>
         <link>http://www.dataprivacymonitor.com/federal-legislation/lessons-learned-from-the-second-circuits-reinstatement-of-copyright-suit-against-youtube/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/federal-legislation/lessons-learned-from-the-second-circuits-reinstatement-of-copyright-suit-against-youtube/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Federal Legislation</category><category domain="http://www.dataprivacymonitor.com/">Litigation</category>
         <pubDate>Fri, 06 Apr 2012 14:23:51 -0500</pubDate>
         <dc:creator>Gerald Ferguson</dc:creator>
      </item>
      
      <item>
         <title>Video Interview: Discussing the Potential Impact of the FTC&apos;s &quot;Do Not Track&quot; Initiatives on Premium Online Content with LXBN TV</title>
         <description><![CDATA[<p>This week&nbsp;Gerald Ferguson, National Co-Leader of the Baker Hostetler Privacy Security and Social Media Team had the opportunity to speak with Colin O'Keefe of <a href="http://lxbn.lexblog.com/tag/lxbn-tv/">LXBN TV</a> on the subject of a post from last week: "<a href="http://www.dataprivacymonitor.com/miscellaneous/ftcs-do-not-track-initiative-could-create-new-market-for-paid-for-internet-content/">FTC's "Do Not Track" Initiative Could Create New Market for "Paid For" Internet Content</a>." In the post,&nbsp;Mr. Ferguson discussed the potential for the FTC's new "Do Not Track"&nbsp;initiatives to create a new market for paid-for online content. In the interview with O'Keefe, I explained what "Do Not Track" is, the technology at play and how it could change the market for premium online content.&nbsp;</p>
<p>
<object width="560" height="315" data="http://www.youtube.com/v/I4TuA9s6yAw?version=3&amp;hl=en_US" type="application/x-shockwave-flash">
<param name="allowFullScreen" value="true" />
<param name="allowscriptaccess" value="always" />
<param name="src" value="http://www.youtube.com/v/I4TuA9s6yAw?version=3&amp;hl=en_US" />
<param name="allowfullscreen" value="true" />
</object>
</p>]]></description>
         <link>http://www.dataprivacymonitor.com/behavioral-advertising/video-interview-discussing-the-potential-impact-of-the-ftcs-do-not-track-initiatives-on-premium-onli/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/behavioral-advertising/video-interview-discussing-the-potential-impact-of-the-ftcs-do-not-track-initiatives-on-premium-onli/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Behavioral Advertising</category>
         <pubDate>Tue, 03 Apr 2012 14:09:13 -0500</pubDate>
         <dc:creator>Gerald Ferguson</dc:creator>
      </item>
      
      <item>
         <title>FTC&apos;s &quot;Do Not Track&quot; Initiative Could Create New Market for &quot;Paid For&quot; Internet Content</title>
         <description><![CDATA[<p>&ldquo;Information wants to be free&rdquo; has been a rallying cry of technology activists from the inception of the Internet revolution. True to this slogan, web sites offering free web content and free web services are the most pervasive and popular sites on the Internet.</p>
<p>But, to quote another adage that predates the Internet: &ldquo;There is no such thing as a free lunch.&rdquo; The providers of these &ldquo;free&rdquo; websites are extracting something of value from consumers in exchange for the &ldquo;free&rdquo; content and services. These websites are collecting information about individual consumers&rsquo; identity,&nbsp;interests and habits -- valuable information that can be sold to advertisers looking to target individuals matching the profile of their desired consumers.</p>
<p>In its recently issued <a href="http://www.ftc.gov/os/2012/03/120326privacyreport.pdf">Report</a> detailing its recommendations for protecting consumer privacy, the FTC made a priority of empowering Internet users to prevent websites from tracking user activity across the Internet. Adopting a slogan of its own &ndash; Do Not Track &ndash; the FTC has called upon industry groups to implement an &ldquo;easy-to-use, persistent, and effective&rdquo; system that will allow consumers to block the tracking of user activity across the Internet. The not-so-veiled threat from the FTC is that if&nbsp;industry refuses to act, government regulators will have to step in and impose a &ldquo;Do Not Track&rdquo; regime.</p>
<p>Assuming that the FTC achieves its stated goals--to clearly warn consumers whenever their Internet activity is tracked, and to empower those consumers to block that tracking immediately, what are the potential commercial implications?</p>
<p>One scenario is that there will be no implications. For example, web browsers have long given consumers the ability to disable cookies. But any consumer activating that web browser feature quickly learns that he or she has access to almost no web sites because virtually every interactive web site relies on cookies. If consumers are routinely denied access to desired web sites when they block &ldquo;tracking&rdquo;, consumers will quickly be taught not to block tracking.</p>
<p>Another scenario is possible as well. To date, &ldquo;paid for&rdquo; web services have generally found it difficult to compete with &ldquo;free&rdquo; web services. Why pay for something that you can get for &ldquo;free&rdquo;? However, as outlined above, &ldquo;free&rdquo; services are not really free. There is a price paid in terms of privacy sacrificed. To date, that price has been hidden in lengthy privacy policies that must be accessed through a link at the bottom of the home page. If that cost is made clear through &ldquo;persistent&rdquo; and highly visible warnings to consumers, then some (but not all) consumers may conclude that the price they are paying in terms of privacy sacrificed is too high. They may look for an alternative. And if the market responds by offering web services that are paid for with cash but not with a disclosure of private information, some consumers may choose that option, and the &ldquo;paid for&rdquo; web service model may have increased viability.</p>
         <link>http://www.dataprivacymonitor.com/miscellaneous/ftcs-do-not-track-initiative-could-create-new-market-for-paid-for-internet-content/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/miscellaneous/ftcs-do-not-track-initiative-could-create-new-market-for-paid-for-internet-content/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Miscellaneous</category><category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Fri, 30 Mar 2012 11:16:36 -0500</pubDate>
         <dc:creator>Gerald Ferguson</dc:creator>
      </item>
      
      <item>
         <title>Strategies for Compliance with EU &quot;Cookies&quot; Directive</title>
<description><![CDATA[<p><a title="May 24, 2011" href="http://www.dataprivacymonitor.com/enforcement/are-the-cookies-crumbling/" target="_blank">Reports</a> of the demise of Internet innovation in the UK, as a result of the UK&rsquo;s implementation last May of the new <a title="European Directive" href="http://www.legislation.gov.uk/uksi/2011/1208/contents/made" target="_blank">European Directive</a> governing the use of "cookies", were greatly exaggerated. That said, the impact of the Cookies Directive was delayed when the UK Information Privacy Office ("IPO") <a title="May 25, 2011 Post" href="http://www.dataprivacymonitor.com/enforcement/cookies-crumbling----an-update/" target="_blank">announced</a> that it would abstain from enforcement of the Cookies Directive for a year, in order to give website operators an opportunity to adapt to the new requirement that (with some specific exceptions) website operators must obtain express consent before placing a "cookie" (a small text file that can be used to identify a device and track its activity) on a user's device. Given the almost universal use of cookies to enhance functioning and user experience on websites, critics have complained that compliance with the Cookie Directive will result in an Internet slowed to a crawl by a proliferation of pop-up boxes seeking consent every time cookies are deployed.</p>
<p>The May 2012 deadline for commencing enforcement draws ever closer. Any website operator with a significant user base in Europe should at this point be developing a strategy for compliance. If you have a substantial Internet presence in Europe, and are ignoring the Cookie Directive and hoping it goes away, you do so at your peril. In a <a title="Guidance Issued" href="http://www.ico.gov.uk/news/blog/2011/half-term-report-on-cookies-compliance.aspx" target="_blank">Guidance</a> issued last month, the ICO warned that companies disregarding the Cookie Directive should "be assured" that, after May 26, 2012, the ICO will be enforcing compliance.</p>
<p>The <a title="ICO's Website" href="http://www.ico.gov.uk" target="_blank">ICO's website</a> offers one example of what compliance with the EU Cookie Directive might involve. When you first access the site, you see a boxed message at the top of the page stating:</p>
<p style="padding-left: 30px;"><strong>The ICO would like to use cookies to store information on your computer, to improve our website. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about the cookies we use and how to delete them, see our </strong><strong><a title="Privacy Notice" href="http://www.ico.gov.uk/Global/privacy_statement.aspx" target="_blank">privacy notice</a>.</strong></p>
<p>Below this statement, users are asked to check a box next to the statement: "I accept cookies from this site."</p>
<p>If you click on the "<a title="Privacy Notice" href="http://www.ico.gov.uk/Global/privacy_statement.aspx" target="_blank">Privacy Notice</a>" referred to in the disclaimer, you are directed to a chart that: (i) lists 8 different types of cookies employed on the ICO site, (ii) provides detailed descriptions as to when and how these cookies are used, and (iii) provides links where you can obtain more information about these cookies.</p>
<p>We are not saying that your website must imitate what the ICO has done. In its recent Guidance, the ICO made it clear that it was not advocating one approach for every website or that it was expecting perfect compliance by May 26, 2012. But the ICO also made it clear that if it receives complaints, or is otherwise investigating a site, it will expect the website operator to be able to identify the steps that the website had taken towards compliance with the Cookie Directive.</p>
<p>In order to have a good answer to this question if the ICO comes calling, we recommend the following:</p>
<ol>
<li>Examine whether there are ways in which your privacy policy can more specifically identify the different types of cookies employed and whether you can better explain when and why they are used.</li>
<li>Examine the feasibility of incorporating an express "opt-in box" to your use of cookies into the architecture of your website, and the extent that such a box would interfere with the user experience.</li>
<li>Pay attention to how peer websites are disclosing their cookie practices&mdash;particularly over the next few months as companies prepare for the May 26<sup>th</sup> enforcement deadline. You don't want to be the only website in your industry that has failed to adopt disclosure practices which have become an industry standard.</li>
</ol>]]></description>
         <link>http://www.dataprivacymonitor.com/online-privacy/strategies-for-compliance-with-eu-cookies-directive/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/online-privacy/strategies-for-compliance-with-eu-cookies-directive/</guid>
         <category domain="http://www.dataprivacymonitor.com/">International Privacy Law</category><category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Mon, 23 Jan 2012 13:17:54 -0500</pubDate>
         <dc:creator>Gerald Ferguson</dc:creator>
      </item>
      
      <item>
         <title>Senator Reid Seeks to Break Cybersecurity Legislation Gridlock</title>
<description><![CDATA[<p>Despite a strong bipartisan consensus that the United States needs a federal cybersecurity law, partisan bickering has prevented any significant progress on the many versions of cybersecurity legislation pending before Congress. Senate Majority Leader Harry Reid (D-Nev.) is seeking to break the gridlock by bringing comprehensive cybersecurity legislation to the floor when Congress returns from its winter recess in January of 2012. In a <a href="http://www.dataprivacymonitor.com/letter.pdf">letter</a> to Minority Leader Mitch McConnell (R-Ky.), Senator Reid said the issue must be addressed quickly, even if it means moving ahead of Senate "working groups" that have been tasked with reconciling differences among committees that share jurisdiction over cybersecurity.</p>
<p>As Senator Reid points out in his letter, the Senate has been working on comprehensive cybersecurity legislation for the past two years, but the efforts have been complicated by the fact that many Senate committees claim jurisdiction over cybersecurity. For the past six months, working groups composed of staff from relevant committees have been set up to assist in negotiating consensus legislation that can be expedited to the floor. But nothing in Washington seems to happen on an expedited basis these days, and the working groups have not yet produced any consensus. Senator Reid is prepared to jumpstart the process by bringing proposed legislation to the floor in January, even if the working groups have not yet reached a consensus.</p>
<p>While perhaps every Senator agrees with Senator Reid's assertion that the United States needs a national cybersecurity law, it remains to be seen whether Congress can overcome the gridlock now paralyzing legislative processes, even on an issue engendering a national consensus.</p>
<p>We will continue to monitor and comment on significant legislative developments.</p>]]></description>
         <link>http://www.dataprivacymonitor.com/federal-legislation/senator-reid-seeks-to-break-cybersecurity-legislation-gridlock/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/federal-legislation/senator-reid-seeks-to-break-cybersecurity-legislation-gridlock/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Federal Legislation</category>
         <pubDate>Fri, 18 Nov 2011 09:10:13 -0500</pubDate>
         <dc:creator>Gerald Ferguson</dc:creator>
      </item>
      
      <item>
         <title>Despite Growing Corporate Awareness of Data Breach Risk, Risk Planning Lags</title>
<description><![CDATA[<p>Advisen has released a report titled &ldquo;<a href="http://corner.advisen.com/pdf_files/cyberliability_riskmanagement.pdf" target="_blank">A New Era in Information Security and Cyber Liability Risk Management: A Survey on Enterprise-wide Cyber Risk Management Practices</a>,&rdquo; which summarizes the results of a survey of over 500 risk management professionals. More than&nbsp;60 percent of the survey participants work for companies with annual revenues exceeding $1 billion a year, while the remainder work for smaller companies.</p>
<p>The survey results suggest that businesses are recognizing the seriousness of the risks posed by potential compromise of data security. The vast majority of respondents stated that their organization views information security as at least a moderate threat and more than two-thirds of respondents stated that information security risks are a specific risk management focus within their organizations. Most organizations have some form of multi-departmental information security and cyber risk team or committee, and more than two thirds of respondents said their organizations have a disaster response plan in place in the event of a major breach.</p>
<p>Despite widespread recognition of data breach risk, risk contingency planning may still be inadequate. For 41 percent of respondents, the IT department is responsible for complying with state data breach notification laws following a breach. The IT department often may be ill-equipped to satisfy the inconsistent notification requirements of the 46 different states that have enacted breach notification laws and the independent obligations that may arise under federal laws, such as HIPAA-HITECH and Gramm-Leach-Bliley, or under industry self-regulation, such as the PCI rules. The recent adoption of breach notification rules in various jurisdictions around the globe further complicates data breach response. Furthermore, the majority of the organizations represented by this survey have not acquired cyber insurance as a tool for managing the risks associated with data breach. This statistic may change as companies consider the <a href="http://www.dataprivacymonitor.com/data-breaches/sec-provides-guidance-on-cybersecurity-disclosure-obligations/">SEC&rsquo;s recent recommendation</a>&nbsp;that companies disclose in their SEC filings both: 1) the particular data security risks that their organization faces; and 2) the insurance they have in place to address that risk.</p>]]></description>
         <link>http://www.dataprivacymonitor.com/hipaahitech/despite-growing-corporate-awareness-of-data-breach-risk-risk-planning-lags/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/hipaahitech/despite-growing-corporate-awareness-of-data-breach-risk-risk-planning-lags/</guid>
         <category domain="http://www.dataprivacymonitor.com/">HIPAA/HITECH</category>
         <pubDate>Wed, 19 Oct 2011 13:25:31 -0500</pubDate>
         <dc:creator>Gerald Ferguson</dc:creator>
      </item>
      
      <item>
         <title>White Collar Wiretaps: Will Your Own Words Come Back to Haunt You?</title>
         <description><![CDATA[<p><a href="http://www.bakerlaw.com/jonathanbnew/">Jonathan B. New</a>, a partner in Baker Hostetler's <a href="http://www.bakerlaw.com/newyork/">New York office </a>and a member of the firm's <a href="http://www.bakerlaw.com/whitecollardefensecorporateinvestigations/" target="_blank">White Collar Defense and Corporate Investigations Team</a>, along with&nbsp;associate attorney <a href="http://www.bakerlaw.com/sammimalek/">Sammi Malek </a>recently authored the article, <a href="http://www.bakerlaw.com/files/Uploads/Documents/News/Articles/LITIGATION/2011/NYLJ_New_Malek-7-2011.pdf">"White Collar Wiretaps: Will Your Own Words Come Back to Haunt You?"</a>&nbsp;published in the July 21, 2011 issue of the <a href="http://www.newyorklawjournal.com/index.jsp">New York Law Journal</a>.</p>
<p>The article examines the <a href="http://www.forbes.com/sites/walterpavlo/2011/08/31/galleon-group-trader-craig-drimal-sentenced-to-66-months-in-prison/" target="_blank">prosecution and conviction </a>of Raj Rajaratnam, <a href="http://en.wikipedia.org/wiki/Galleon_Group" target="_blank">Galleon Group's </a>co-founder, for insider trading -- a significant conviction due to the novel use of wiretap evidence to bring the crime to life before the jury. New and Malek explore the history of wiretapping, limitations on the use of wiretaps and the effects that prosecutors' newly aggressive use of wiretaps will have on the practices of the financial services sector.</p>
<p>"The government's recordings have ensnared not just traders and financiers but also officers and directors of public companies, lawyers, and consultants. As a result," the authors explain, "Wall Street may now be wondering 'is law enforcement listening?' whenever they pick up the phone, as U.S. Attorney Preet Bharara warned in announcing the arrest of Mr. Rajaratnam."</p>
<p><em>Wiretaps and Financial Crimes</em></p>
<p>Historically, law enforcement has used wiretaps to assist in investigations of narcotics trafficking and organized crime. "Nevertheless, the Galleon case reflects a recent coordinated effort by law enforcement to use electronic surveillance and 'organized crime' style approaches more frequently in white collar cases."</p>
<p><em>Limitations</em></p>
<p>New and Malek examine the limitations and conditions of wiretap use. "The government can only seek a wiretap if there is probable cause to believe that a predicate offense is being committed, and a court may suppress a wiretap if the application fails to meet this standard or for government misconduct. The number of crimes that may be investigated using wiretaps has expanded over time, but still does not include securities fraud."</p>
<p><em>Implications</em></p>
<p>The authors analyze electronic surveillance in the Galleon case, and what this will mean for corporate America going forward. "Although electronic surveillance of the financial sector may not become routine, its dramatic use in the Galleon and expert networking investigations has highlighted the need for effective and comprehensive compliance programs to identify and address questionable practices before they become widespread. With the government having publicly declared its policy of aggressively pursuing cases of financial fraud, companies are well-advised to take this opportunity to review and update their internal policies and procedures currently in place, to retrain their employees on best practices, and establish a culture in which employees seek advice on actions that may be close to the line.... Compliance officers and IROs [investment relations officers] who seize this opportunity stand a greater chance of preventing or detecting early even an inadvertent improper disclosure of material nonpublic information, which not only protects the company and its insiders from criminal prosecution, but also benefits the investing public."</p>]]></description>
         <link>http://www.dataprivacymonitor.com/online-privacy/white-collar-wiretaps-will-your-own-words-come-back-to-haunt-you/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/online-privacy/white-collar-wiretaps-will-your-own-words-come-back-to-haunt-you/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Enforcement</category><category domain="http://www.dataprivacymonitor.com/">Litigation</category><category domain="http://www.dataprivacymonitor.com/">Mobile Privacy</category><category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Thu, 29 Sep 2011 09:37:05 -0500</pubDate>
         <dc:creator>Gerald Ferguson</dc:creator>
      </item>
      
      <item>
         <title>Cookies Crumbling? -- An Update</title>
         <description><![CDATA[<p>The <a href="http://www.ico.gov.uk/">UK Information Commissioner's Office </a>("ICO") has clarified today that it will not commence enforcement of the controversial new EU rules governing the use of &ldquo;cookies&rdquo; (the &ldquo;EU Cookie Law&rdquo;) until May of 2012.&nbsp; With certain limited exceptions, <a href="http://www.dataprivacymonitor.com/enforcement/are-the-cookies-crumbling/">the new&nbsp;EU Cookie&nbsp;Law requires users to provide express &ldquo;opt-in&rdquo; consent before a website can place &ldquo;cookies&rdquo; on a user&rsquo;s computer</a>.</p>
<p>&ldquo;Organizations and businesses that run websites aimed at UK consumers are being given up to 12 months to &lsquo;get their house in order&rsquo; before enforcement of the new EU cookies law begins,&rdquo; United Kingdom Information Commissioner Christopher Graham said in a May 25 statement announcing the release of <a href="http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/enforcing_the_revised_privacy_and_electronic_communication_regulations_v1.pdf">New Guidance</a> on how it will enforce the EU Cookie Law.&nbsp;&nbsp;</p>
<p>The ICO's New Guidance warns that organizations should not wait until May of next year before starting to bring their practices in line with the requirements of the EU Cookie Law, but should begin developing a compliance plan and implementing that plan now.&nbsp;</p>
<p>While it is possible that other jurisdictions in the EU will commence enforcement of the EU Cookie Law before May of 2012, the UK appears to be the most advanced in developing an enforcement program at this time.</p>]]></description>
         <link>http://www.dataprivacymonitor.com/enforcement/cookies-crumbling----an-update/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/enforcement/cookies-crumbling----an-update/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Enforcement</category><category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Wed, 25 May 2011 16:05:02 -0500</pubDate>
         <dc:creator>Gerald Ferguson</dc:creator>
      </item>
      
      <item>
         <title>Are the Cookies Crumbling?</title>
         <description><![CDATA[<p>Although the world did not come to an end on Saturday, as one millennial group had predicted, some in Europe worry that the end is near for European Internet start-ups when the new <a href="http://eu.techcrunch.com/2011/03/09/stupid-eu-cookie-law-will-hand-the-advantage-to-the-us-kill-our-startups-stone-dead/">EU cookie directive</a> goes into effect on May 25, 2011.&nbsp; The concern is that European-based web sites will become littered with pop-up windows seeking consent to the use of cookies, while sites in the U.S. will continue to benefit from cookies without having to get a user&rsquo;s express consent for every cookie placed on a user&rsquo;s machine.</p>
<p>And while European-based web sites fear they will bear the brunt of enforcement, U.S.-based websites with users in Europe are potentially subject to these rules.</p>
<p>Website operators install cookies (small digital files) on users&rsquo; computers to store and retrieve information on a user's activity on the site.&nbsp; Cookies are an important tool for measuring the appeal of content, improving user services and targeting advertising.&nbsp;&nbsp; Traditionally, website operators have disclosed their use of cookies in their website privacy policy.&nbsp; Users were deemed to consent to having cookies installed on their computer in accordance with this posted policy.&nbsp;&nbsp; As the UK Information Commissioner's Office (&ldquo;<a href="http://www.ico.gov.uk/">ICO</a>&rdquo;) has explained in <a href="http://www.ico.gov.uk/~/media/documents/pressreleases/2011/cookies_regulations_advice_news_release_20110509.ashx">recently-issued Guidance</a>, this passive consent is no longer generally permitted under the new EU rules.&nbsp; With certain limited exceptions, a user must affirmatively &ldquo;opt in&rdquo; to accepting cookies before a website can install cookies (or any similar file) on a user&rsquo;s computer.</p>
<p>The potential fines for violation of the EU cookies rule are high &ndash; up to &pound;500,000&nbsp;in the UK &ndash; but it&nbsp;is unclear whether or when EU authorities will commence enforcement of this new rule.&nbsp; The ICO has said it will delay enforcement to give website operators the time to adjust their practices.&nbsp; The ICO has also held out the possibility that the ultimate solution will be more advanced web browser technology.&nbsp; The ICO advocates widespread adoption of web browsers that give users more control over the types of cookies that they allow to be placed on their computer.&nbsp; But until this technological solution arrives, website operators with users in Europe must confront the question of how and how soon they will bring their sites into compliance with the EU directive.</p>]]></description>
         <link>http://www.dataprivacymonitor.com/enforcement/are-the-cookies-crumbling/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/enforcement/are-the-cookies-crumbling/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Enforcement</category><category domain="http://www.dataprivacymonitor.com/">International Privacy Law</category><category domain="http://www.dataprivacymonitor.com/">Online Privacy</category>
         <pubDate>Tue, 24 May 2011 10:59:09 -0500</pubDate>
         <dc:creator>Gerald Ferguson</dc:creator>
      </item>
      
      <item>
         <title>Fake Bin Laden Death Videos Contain Malware That Steals PII</title>
         <description><![CDATA[<p>The weakest link in our defense to computer security attacks can be our natural curiosity.&nbsp; The U.S. Federal Bureau of Investigation issued a <a href="http://www.fbi.gov/news/pressrel/press-releases/malicious-software-features-usama-bin-laden-links-to-ensnare-unsuspecting-computer-users">warning</a> for computer users that the latest hacking scam circulating the internet consists of messages claiming to include photos and videos of Osama bin Laden's death.&nbsp; These messages actually contain a virus that could steal personal information.&nbsp;</p>
<p>President Obama has <a href="http://www.guardian.co.uk/world/2011/may/04/osama-bin-laden-photos-raid">blocked the release</a> of photos and videos of bin Laden's death, citing concerns about inciting retaliatory attacks.&nbsp;</p>
<p>Hackers are e-mailing a password-stealing Trojan horse program called Banload to victims, and spamming victims with links to fake "Osama dead" news articles that launch Web-based attacks on visitors.&nbsp; Hackers have also used a technique called search engine poisoning to try to trick search engines into listing hacked Web pages that are loaded with malware in their search results. "It's unlikely you'll find pictures or videos of Bin Laden's death online -- but searching for one will certainly take you to sites with malware," wrote F-Secure chief research officer Mikko Hypponen in a <a href="http://www.f-secure.com/weblog/archives/00002152.html">blog post</a>.</p>
<p>The FBI warned Internet users to watch out for fake messages on social network sites and to never download software in order to view a video. "Read e-mails you receive carefully. Fraudulent messages often feature misspellings, poor grammar, and non-standard English," the FBI warning stated.</p>
<p>Feel free to pass on this warning to your friends and colleagues.</p>]]></description>
         <link>http://www.dataprivacymonitor.com/information-security/fake-bin-laden-death-videos-contain-malware-that-steals-pii/</link>
         <guid isPermaLink="false">http://www.dataprivacymonitor.com/information-security/fake-bin-laden-death-videos-contain-malware-that-steals-pii/</guid>
         <category domain="http://www.dataprivacymonitor.com/">Information Security</category>
         <pubDate>Thu, 05 May 2011 10:31:48 -0500</pubDate>
         <dc:creator>Gerald Ferguson</dc:creator>
      </item>
      
   </channel>
</rss>