Written by Keenan W. Ng
An interesting opinion in Alexander v. FedEx came out of the Ninth Circuit on Wednesday holding that FedEx drivers and delivery people were improperly classified as independent contractors instead of employees because of the level of control that FedEx maintains over those drivers. I find the opinion “interesting” because I never would have thought the people driving in the FedEx branded trucks, FedEx branded uniforms, using FedEx technology, delivering packages to FedEx customers in areas designated by FedEx, on FedEx’s schedule, would have been classified as anything other than an employee.
In the case, FedEx’s counsel argued that its drivers were properly classified as independent contractors because of the entrepreneurial opportunities their drivers had as FedEx workers, pointing to the fact that the drivers could hire third parties – so long as they were approved by FedEx – and that FedEx classified them as independent contractors. Essentially, FedEx argues that its drivers are independent contractors under the law because FedEx classifies them as such.
Writing for the majority, Judge Fletched dismantled FedEx’s arguments, holding that under the California right-to-control test, the contract between FedEx and the drivers grants FedEx a broad right to control the manner in which drivers’ perform their work. This is the most important factor in the right-to-control test. See S.G. Borello & Sons, Inc. v. Department of Industrial Relations, 769 P.2d 399, 404 (Cal.1989). The court noted that FedEx controls virtually every aspect of the drivers’ job: including uniform, grooming habits, appearance of their truck, the specifications of the truck, who the drivers can hire, “suggests” routes for the drivers to take, generally dictates their schedules, trains their drivers, as well as a variety of other matters. To the court, this misclassification did not even appear close.
It is not a long read, so I highly recommend it. And, for those who have a habit of misquoting law, and presenting evidence out of context, I highly recommend you read the first few paragraphs of the concurrence.
Friday, August 29, 2014
Tuesday, August 19, 2014
Federal Judge Rules Against NCAA In Antitrust Lawsuit
Written by Wendy L. Hillger and Keenan W. Ng
It has been a little over a week since U.S. District Judge Claudia Wilken of the Northern District of California issued her August 8, 2014 landmark ruling against the National Collegiate Athletic Association (“NCAA”) in O’Bannon v. NCAA. While it is too early to know the ramifications of the ruling (the NCAA has already stated it will appeal), the opinion has roundly been seen as favorable for collegiate athletes.
How The Challenge Started
The road to get to this ruling did not start with the lead plaintiff, former UCLA basketball star, Ed O’Bannon, simply filing suit. Rather, Mr. O’Bannon stood on the accomplishments of an evolution in public opinion and challenges that chipped away at the NCAA’s “defense of amateurism”.
The challenge to NCAA’s reign was, in part, started by the very man who helped commercialize college sports, Sonny Vaccaro. After spending decades building endorsement relationships between shoe companies such as Nike, Adidas, and Reebok, with universities all over the country, Mr. Vaccaro eventually soured on what he saw as colleges taking advantage of athletes. While universities and the NCAA were making money hand-over-fist from merchandising, television rights, and other endorsement deals, they were withholding those revenues from the athletes (called “student-athletes” by the NCAA for the purposes of avoiding paying workers compensation insurance), suggesting that these athletes were playing as students and amateurs, not professionals, and thus not entitled to that money.
In 2001, in front of the Knight Commission on Intercollegiate Athletics, Mr. Vaccaro addressed a panel of his detractors, many of them administrators of universities:
“Why,” asked Bryce Jordan, the president emeritus of Penn State,
“should a university be an advertising medium for your industry?”
Vaccaro did not blink. “They shouldn’t, sir,” he replied. “You sold your
souls, and you’re going to continue selling them. You can be very moral
and righteous in asking me that question, sir,” Vaccaro added with
irrepressible good cheer, “but there’s not one of you in this room that’s
going to turn down any of our money. You’re going to take it. I can only
offer it.”
That quote came from a seminal 2011 article in the Atlantic that broke open the public’s opinion about the NCAA’s “amateurism” model and questions began to follow.
Since then, doubts and direct challenges began to mount against the NCAA. Earlier this year, football players at Northwestern University won the right to vote to form a union. National Labor Relations Board Region 13 director, Peter Sung Ohr, issued an opinion stating that the football players were “employees” of Northwestern.
In March 2014, sports labor attorney Jeffrey Kessler filed a lawsuit against the NCAA and five conferences arguing that the practice of limiting athlete compensation to simply tuition, room, board, and books is below what they might normally be able to get if universities were not restricted by NCAA rules. Calling the NCAA and the conferences a “cartel” the lawsuit does not seek damages, only asking for a permanent injunction ending the practice.
Feeling the heat, the NCAA has proposed common-sense changes to help ease its public relations problem. In April 2014, the NCAA proposed allowing athletes unlimited food provided by their university. Soon, athletes will not get in trouble for eating too much pasta at their graduation banquets.
On the eve of Judge Wilken’s opinion, the NCAA issued new rules allowing greater flexibility for the “power conferences” – the Pac 12, SEC, Big 12, Big Ten, and ACC – within 11 “areas of autonomy.”
O’Bannon v. NCAA
The centerpiece to the challenge of the NCAA has been O’Bannon v. NCAA. In 2009, Mr. O'Bannon and 19 other putative class members filed a class action lawsuit against the NCAA. The O'Bannon lawsuit sought a share of the money received from the NCAA as a result of the usage of the college athletes' names, images and likenesses ("NIL"). This includes broadcasting the games on television, jersey sales and licensing for videogames. The lawsuit sought treble damages, disgorgement of profits for the NCAA's use and sale of the class members' images, declaratory relief and an injunction against future misuse, among other remedies.
During a 3-week trial in June 2014, former players testified that due to rigorous practice and playing schedules they have no time to participate in school above the minimum necessary to maintain eligibility to play. The NCAA argued the restrictions on athlete compensation were necessary for four reasons: to preserve its tradition of amateurism, maintain competitive balance among small and power conference teams, promote the integration of academics and athletics, and increase the total output.
Judge Wilken rejected these claims, and in her 99 page decision, ruled that the NCAA violated federal antitrust laws by colluding with its member schools to restrain the schools’ ability to compensate their football and basketball athletes for more than the NCAA’s rules currently allow for. This includes restrictions against giving student-athletes a share of the revenues earned when their NIL were used.
The Court ruled that each player whose NIL is used shall receive not less than $5,000, per year they compete. This money will go into a trust until the player leaves school. In addition, each school may also now pay the full cost for an athlete to attend that school, if it wants to. The NCAA currently prohibits student athletes from receiving any compensation beyond scholarships covering their tuition, fees, room and board, and books. This restriction lead to players being "paid" (allegedly) by school boosters in order to have spending money, as the players did not have time to work part-time jobs for money and many came from families unable to financially contribute much.
Beyond O’Bannon
Judge Wilken’s ruling strikes at the heart of the NCAA’s amateurism argument that has allowed the organization and its member schools to profit for so long. Given the number of suits and actions currently being taken against the NCAA, as well as the access to media that many people, such as a current and former athletes now have, the current existence of college sports may be very different five or ten years from now. Athletes who attend universities could now be monetarily compensated for their work on behalf of their schools; medical benefits could extend to athletes beyond their playing days; athletes could be eligible for workers compensation like any other university employee; and schools could guarantee scholarships to athletes until they graduate regardless of injury or on-field performance. If the Northwestern labor opinion holds up, it will allow athletes to organize for even greater benefits and treatment. The Wilken opinion is not the final word in this extraordinary saga – indeed, both parties will appeal it. But, it certainly lays down the gauntlet and blazes a path for future athletes to follow.
It has been a little over a week since U.S. District Judge Claudia Wilken of the Northern District of California issued her August 8, 2014 landmark ruling against the National Collegiate Athletic Association (“NCAA”) in O’Bannon v. NCAA. While it is too early to know the ramifications of the ruling (the NCAA has already stated it will appeal), the opinion has roundly been seen as favorable for collegiate athletes.
How The Challenge Started
The road to get to this ruling did not start with the lead plaintiff, former UCLA basketball star, Ed O’Bannon, simply filing suit. Rather, Mr. O’Bannon stood on the accomplishments of an evolution in public opinion and challenges that chipped away at the NCAA’s “defense of amateurism”.
The challenge to NCAA’s reign was, in part, started by the very man who helped commercialize college sports, Sonny Vaccaro. After spending decades building endorsement relationships between shoe companies such as Nike, Adidas, and Reebok, with universities all over the country, Mr. Vaccaro eventually soured on what he saw as colleges taking advantage of athletes. While universities and the NCAA were making money hand-over-fist from merchandising, television rights, and other endorsement deals, they were withholding those revenues from the athletes (called “student-athletes” by the NCAA for the purposes of avoiding paying workers compensation insurance), suggesting that these athletes were playing as students and amateurs, not professionals, and thus not entitled to that money.
In 2001, in front of the Knight Commission on Intercollegiate Athletics, Mr. Vaccaro addressed a panel of his detractors, many of them administrators of universities:
“Why,” asked Bryce Jordan, the president emeritus of Penn State,
“should a university be an advertising medium for your industry?”
Vaccaro did not blink. “They shouldn’t, sir,” he replied. “You sold your
souls, and you’re going to continue selling them. You can be very moral
and righteous in asking me that question, sir,” Vaccaro added with
irrepressible good cheer, “but there’s not one of you in this room that’s
going to turn down any of our money. You’re going to take it. I can only
offer it.”
That quote came from a seminal 2011 article in the Atlantic that broke open the public’s opinion about the NCAA’s “amateurism” model and questions began to follow.
Since then, doubts and direct challenges began to mount against the NCAA. Earlier this year, football players at Northwestern University won the right to vote to form a union. National Labor Relations Board Region 13 director, Peter Sung Ohr, issued an opinion stating that the football players were “employees” of Northwestern.
In March 2014, sports labor attorney Jeffrey Kessler filed a lawsuit against the NCAA and five conferences arguing that the practice of limiting athlete compensation to simply tuition, room, board, and books is below what they might normally be able to get if universities were not restricted by NCAA rules. Calling the NCAA and the conferences a “cartel” the lawsuit does not seek damages, only asking for a permanent injunction ending the practice.
Feeling the heat, the NCAA has proposed common-sense changes to help ease its public relations problem. In April 2014, the NCAA proposed allowing athletes unlimited food provided by their university. Soon, athletes will not get in trouble for eating too much pasta at their graduation banquets.
On the eve of Judge Wilken’s opinion, the NCAA issued new rules allowing greater flexibility for the “power conferences” – the Pac 12, SEC, Big 12, Big Ten, and ACC – within 11 “areas of autonomy.”
O’Bannon v. NCAA
The centerpiece to the challenge of the NCAA has been O’Bannon v. NCAA. In 2009, Mr. O'Bannon and 19 other putative class members filed a class action lawsuit against the NCAA. The O'Bannon lawsuit sought a share of the money received from the NCAA as a result of the usage of the college athletes' names, images and likenesses ("NIL"). This includes broadcasting the games on television, jersey sales and licensing for videogames. The lawsuit sought treble damages, disgorgement of profits for the NCAA's use and sale of the class members' images, declaratory relief and an injunction against future misuse, among other remedies.
During a 3-week trial in June 2014, former players testified that due to rigorous practice and playing schedules they have no time to participate in school above the minimum necessary to maintain eligibility to play. The NCAA argued the restrictions on athlete compensation were necessary for four reasons: to preserve its tradition of amateurism, maintain competitive balance among small and power conference teams, promote the integration of academics and athletics, and increase the total output.
Judge Wilken rejected these claims, and in her 99 page decision, ruled that the NCAA violated federal antitrust laws by colluding with its member schools to restrain the schools’ ability to compensate their football and basketball athletes for more than the NCAA’s rules currently allow for. This includes restrictions against giving student-athletes a share of the revenues earned when their NIL were used.
The Court ruled that each player whose NIL is used shall receive not less than $5,000, per year they compete. This money will go into a trust until the player leaves school. In addition, each school may also now pay the full cost for an athlete to attend that school, if it wants to. The NCAA currently prohibits student athletes from receiving any compensation beyond scholarships covering their tuition, fees, room and board, and books. This restriction lead to players being "paid" (allegedly) by school boosters in order to have spending money, as the players did not have time to work part-time jobs for money and many came from families unable to financially contribute much.
Beyond O’Bannon
Judge Wilken’s ruling strikes at the heart of the NCAA’s amateurism argument that has allowed the organization and its member schools to profit for so long. Given the number of suits and actions currently being taken against the NCAA, as well as the access to media that many people, such as a current and former athletes now have, the current existence of college sports may be very different five or ten years from now. Athletes who attend universities could now be monetarily compensated for their work on behalf of their schools; medical benefits could extend to athletes beyond their playing days; athletes could be eligible for workers compensation like any other university employee; and schools could guarantee scholarships to athletes until they graduate regardless of injury or on-field performance. If the Northwestern labor opinion holds up, it will allow athletes to organize for even greater benefits and treatment. The Wilken opinion is not the final word in this extraordinary saga – indeed, both parties will appeal it. But, it certainly lays down the gauntlet and blazes a path for future athletes to follow.
Tuesday, August 5, 2014
S.D.N.Y. Affirms Order To Microsoft To Hand Over Data Stored Overseas Pursuant To A Stored Communications Act Warrant
Written by Keenan W. Ng
On Thursday, July 31, 2014, Microsoft lost a challenge to an April 25, 2014 order denying its motion to quash a subpoena issued by the federal government pursuant to the Stored Communications Act (“SCA”) for email communications located on Microsoft servers in the Ireland. Issuing her ruling from the bench, U.S. District Judge Loretta Preska stated that “Congress intended in this statute for ISPs to produce information under their control, albeit stored abroad, to law enforcement in the United States … As [Magistrate Judge James Francis IV] found, it is a question of control, not a question of the location of that information.”
Luckily for Microsoft, Judge Preska stayed the implementation of her ruling so that Microsoft could appeal to the Second Circuit. While we wait for that to occur, it might be worthwhile to go back and examine what Judge Francis’ April 25, 2014 Order said.
The April 25, 2014 Order Denying Microsoft’s Motion to Quash
Background
On December 4, 2013, Judge Francis issued a warrant pursuant to section 2703(a) of the SCA. The SCA authorizes the search and seizure of information associated with a specific web based e-mail account.
In response to this warrant, Microsoft’s Global Criminal Compliance (“GCC”) team took action. When the GCC receives a warrant, it determines where the data for the account target is stored. The GCC can retrieve this information remotely no matter where the data is located.
Microsoft stores emails sent and received by its users in its datacenters, stored at various locations in the United States and abroad. Because of “network latency” (the concept that the closer the user is to where their data is stored, the more quickly the user can access that data) where a user’s information is stored is based upon the “country code” the user enters at registration.
Upon review of the court’s December 4 warrant, the GCC determined that some information associated with the target account was located in Ireland. Because this information was stored outside of the United States, Microsoft filed a motion to quash, arguing that federal courts do not have authority to issue warrants for the search and seizure of property outside the United States.
In reviewing Microsoft’s motion, the court considered whether United States law enforcement agents could obtain digital information from Microsoft that is stored abroad. After analyzing (1) the statutory language of the SCA; (2) the structure of the SCA; and (3) the legislative history of the SCA, the court denied Microsoft’s motion.
Statutory Language
The relevant part of the SCA states:
A governmental entity may require the disclosure by a provider of
electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant
issued using the procedures described in the Federal Rules of Criminal
Procedure … by a court of competent jurisdiction. (Emphasis added.)
The key ambiguous language of this statute are the words “using the procedures described in the Federal Rules of Criminal Procedure,” referring to Fed. R. Crim. P. 41. Microsoft argued that all aspects of Rule 41 are incorporated by reference into the SCA, including limitations on the territorial reach of SCA warrants. The court did not believe this interpretation was so clean cut, suggesting that while procedural aspects of the application process are to be drawn from Rule 41, more substantive rules were derived from other sources. As such, the court found that statutory language was not helpful to its analysis.
Structure of the SCA
The court next looked at the structure of the SCA. Through the SCA, Congress placed limitations on a service providers’ ability to disclose information. This not only addressed the fact that there were no constitutional limits on an ISP’s disclosure of its customer’s data (thus typing up a loophole in the Fourth Amendment), but also created a higher standard of showing for the government to obtain the information as a subpoena, as opposed to a warrant, does not require a showing of probable cause.
Curiously, a warrant issued pursuant to the SCA is a hybrid warrant-subpoena: it is obtained like a search warrant upon a showing of probable cause, however it is executed like a subpoena in that it is served on the ISP but does not involve government agents entering the premises of the service provider to search its servers and seize the target e-mails.
Because the warrant’s execution, the court found that the principles of extraterritoriality did not apply to SCA warrant which should be treated like subpoena. In particular, the court noted that a subpoena required the recipient to produce information in its possession, custody, or control regardless of where that information is located in the United States or not. As such, Microsoft was required to produce the data stored in Ireland because the information was in their control.
In addition, the court cited Professor Orin S. Kerr, who stated that in the context of digital information, a “search” occurs when the information is viewed on a computer screen as opposed to when it is copied to a hard drive or processed by computer. In the instance of an SCA warrant, the federal agents’ “search” of Microsoft emails would take place in the United States, and therefore no extraterritorial search would occur.
Legislative History
With respect to (“scant”) legislative history, the court determined that “Congress anticipated that an ISP located in the United States would be obligated to respond to a warrant issued pursuant to section 2703(a) by producing information within its control, regardless of where that information was stored.” This further supported the proposition that Microsoft could not avoid producing information stored internationally.
Practical Considerations
In addition, the court also reviewed a few practical considerations for why territorial restrictions on conventional warrants should not apply to SCA warrants. First, because an ISP is not obligated to verify the information provided by its users, a party intending to engage in criminal activity could simply state to his internet service provider that he is a resident outside of the United States and then evade an SCA warrant.
Second, if an SCA warrant were treated like a conventional search warrant, it would have to be executed abroad pursuant only to the Mutual Legal Assistance Treaty (“MLAT”). However, given that the MLAT does not apply to countries that are not part of the treaty, and that for member countries, adherence to the MLAT is optional, reliance on the MLAT to implement the SCA could prove burdensome.
In light of the above factors, the court denied Microsoft’s motion to quash and ordered the company to comply with the government’s SCA warrant.
Going Forward
If the Second Circuit affirms Judge Preska’s ruling, it could have troubling effects for technology firms as well as companies that store information on the cloud. This interpretation of the power of the SCA is a way for the government to circumvent channels that the principles of extraterritoriality previously denied. In addition, what would such a ruling mean for foreign citizens who use Gmail, Amazon, DropBox, and other such cloud-based applications? Although not normally subject to an American court’s jurisdiction normally, a foreign person’s data might now be fair game because of an SCA warrant.
Of course, there is an easy way for firms to protect their user’s data in the face of an SCA warrant: client-side encryption. Because the user has the keys to decrypt their data, it prevents ISPs from handing over usable data with out the permission of the user. While this may protect foreign users, users in the United States can be compelled to decrypt their data. In any event, while the S.D.N.Y.’s ruling may conjure troubling implications, practically speaking, it seems that industry has already developed a hack around the SCA to guard against their revealing user data.
On Thursday, July 31, 2014, Microsoft lost a challenge to an April 25, 2014 order denying its motion to quash a subpoena issued by the federal government pursuant to the Stored Communications Act (“SCA”) for email communications located on Microsoft servers in the Ireland. Issuing her ruling from the bench, U.S. District Judge Loretta Preska stated that “Congress intended in this statute for ISPs to produce information under their control, albeit stored abroad, to law enforcement in the United States … As [Magistrate Judge James Francis IV] found, it is a question of control, not a question of the location of that information.”
Luckily for Microsoft, Judge Preska stayed the implementation of her ruling so that Microsoft could appeal to the Second Circuit. While we wait for that to occur, it might be worthwhile to go back and examine what Judge Francis’ April 25, 2014 Order said.
The April 25, 2014 Order Denying Microsoft’s Motion to Quash
Background
On December 4, 2013, Judge Francis issued a warrant pursuant to section 2703(a) of the SCA. The SCA authorizes the search and seizure of information associated with a specific web based e-mail account.
In response to this warrant, Microsoft’s Global Criminal Compliance (“GCC”) team took action. When the GCC receives a warrant, it determines where the data for the account target is stored. The GCC can retrieve this information remotely no matter where the data is located.
Microsoft stores emails sent and received by its users in its datacenters, stored at various locations in the United States and abroad. Because of “network latency” (the concept that the closer the user is to where their data is stored, the more quickly the user can access that data) where a user’s information is stored is based upon the “country code” the user enters at registration.
Upon review of the court’s December 4 warrant, the GCC determined that some information associated with the target account was located in Ireland. Because this information was stored outside of the United States, Microsoft filed a motion to quash, arguing that federal courts do not have authority to issue warrants for the search and seizure of property outside the United States.
In reviewing Microsoft’s motion, the court considered whether United States law enforcement agents could obtain digital information from Microsoft that is stored abroad. After analyzing (1) the statutory language of the SCA; (2) the structure of the SCA; and (3) the legislative history of the SCA, the court denied Microsoft’s motion.
Statutory Language
The relevant part of the SCA states:
A governmental entity may require the disclosure by a provider of
electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant
issued using the procedures described in the Federal Rules of Criminal
Procedure … by a court of competent jurisdiction. (Emphasis added.)
The key ambiguous language of this statute are the words “using the procedures described in the Federal Rules of Criminal Procedure,” referring to Fed. R. Crim. P. 41. Microsoft argued that all aspects of Rule 41 are incorporated by reference into the SCA, including limitations on the territorial reach of SCA warrants. The court did not believe this interpretation was so clean cut, suggesting that while procedural aspects of the application process are to be drawn from Rule 41, more substantive rules were derived from other sources. As such, the court found that statutory language was not helpful to its analysis.
Structure of the SCA
The court next looked at the structure of the SCA. Through the SCA, Congress placed limitations on a service providers’ ability to disclose information. This not only addressed the fact that there were no constitutional limits on an ISP’s disclosure of its customer’s data (thus typing up a loophole in the Fourth Amendment), but also created a higher standard of showing for the government to obtain the information as a subpoena, as opposed to a warrant, does not require a showing of probable cause.
Curiously, a warrant issued pursuant to the SCA is a hybrid warrant-subpoena: it is obtained like a search warrant upon a showing of probable cause, however it is executed like a subpoena in that it is served on the ISP but does not involve government agents entering the premises of the service provider to search its servers and seize the target e-mails.
Because the warrant’s execution, the court found that the principles of extraterritoriality did not apply to SCA warrant which should be treated like subpoena. In particular, the court noted that a subpoena required the recipient to produce information in its possession, custody, or control regardless of where that information is located in the United States or not. As such, Microsoft was required to produce the data stored in Ireland because the information was in their control.
In addition, the court cited Professor Orin S. Kerr, who stated that in the context of digital information, a “search” occurs when the information is viewed on a computer screen as opposed to when it is copied to a hard drive or processed by computer. In the instance of an SCA warrant, the federal agents’ “search” of Microsoft emails would take place in the United States, and therefore no extraterritorial search would occur.
Legislative History
With respect to (“scant”) legislative history, the court determined that “Congress anticipated that an ISP located in the United States would be obligated to respond to a warrant issued pursuant to section 2703(a) by producing information within its control, regardless of where that information was stored.” This further supported the proposition that Microsoft could not avoid producing information stored internationally.
Practical Considerations
In addition, the court also reviewed a few practical considerations for why territorial restrictions on conventional warrants should not apply to SCA warrants. First, because an ISP is not obligated to verify the information provided by its users, a party intending to engage in criminal activity could simply state to his internet service provider that he is a resident outside of the United States and then evade an SCA warrant.
Second, if an SCA warrant were treated like a conventional search warrant, it would have to be executed abroad pursuant only to the Mutual Legal Assistance Treaty (“MLAT”). However, given that the MLAT does not apply to countries that are not part of the treaty, and that for member countries, adherence to the MLAT is optional, reliance on the MLAT to implement the SCA could prove burdensome.
In light of the above factors, the court denied Microsoft’s motion to quash and ordered the company to comply with the government’s SCA warrant.
Going Forward
If the Second Circuit affirms Judge Preska’s ruling, it could have troubling effects for technology firms as well as companies that store information on the cloud. This interpretation of the power of the SCA is a way for the government to circumvent channels that the principles of extraterritoriality previously denied. In addition, what would such a ruling mean for foreign citizens who use Gmail, Amazon, DropBox, and other such cloud-based applications? Although not normally subject to an American court’s jurisdiction normally, a foreign person’s data might now be fair game because of an SCA warrant.
Of course, there is an easy way for firms to protect their user’s data in the face of an SCA warrant: client-side encryption. Because the user has the keys to decrypt their data, it prevents ISPs from handing over usable data with out the permission of the user. While this may protect foreign users, users in the United States can be compelled to decrypt their data. In any event, while the S.D.N.Y.’s ruling may conjure troubling implications, practically speaking, it seems that industry has already developed a hack around the SCA to guard against their revealing user data.
Friday, August 1, 2014
NSF Funds New UCLA Cybersecurity Research Center and Other News
Written by Keenan W. Ng
NSF Funds New UCLA Cybersecurity Research Center
In news not necessarily related to the law, UCLA just announced that it is starting a cybersecurity research center, thanks to a grant by the National Science Foundation. The Center for Encrypted Functionalities opened on Thursday, July 31, 2014, and is funded by a five-year, $5 million grant from the NSF’s Secure and Trustworthy Cyberspace program. The center is a collaboration among researchers at UCLA, Stanford University, Columbia University, the University of Texas at Austin and Johns Hopkins University. As a proud alumnus, I am happy to hear that UCLA is taking a leading role in developing cybersecurity solutions.
NIST to Host New Cybersecurity Workshops
Of course, UCLA is not the only university with a cybersecurity program. The National Institute of Standards Technology just announced its 6th Cybersecurity Framework Workshop to be hosted the Florida Center for Cybersecurity at the University of South Florida on October 29-30, 2014. In February 2014, the NIST released it voluntary framework of best cybersecurity practices. The workshop will be a chance for the NIST to get some feedback from industry, academia, and government.
The NIST also recently announced its 7th Annual Conference on Healthcare Information Security, co-hosted withDepartment of Health and Human Services’ Office for Civil Rights. The seventh annual “Safeguarding Health Information: Building Assurance through HIPAA Security” conference will be held on September 23-24, 2014 in Washington, D.C., and will explore the current health information technology security landscape and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
NSF Funds New UCLA Cybersecurity Research Center
In news not necessarily related to the law, UCLA just announced that it is starting a cybersecurity research center, thanks to a grant by the National Science Foundation. The Center for Encrypted Functionalities opened on Thursday, July 31, 2014, and is funded by a five-year, $5 million grant from the NSF’s Secure and Trustworthy Cyberspace program. The center is a collaboration among researchers at UCLA, Stanford University, Columbia University, the University of Texas at Austin and Johns Hopkins University. As a proud alumnus, I am happy to hear that UCLA is taking a leading role in developing cybersecurity solutions.
NIST to Host New Cybersecurity Workshops
Of course, UCLA is not the only university with a cybersecurity program. The National Institute of Standards Technology just announced its 6th Cybersecurity Framework Workshop to be hosted the Florida Center for Cybersecurity at the University of South Florida on October 29-30, 2014. In February 2014, the NIST released it voluntary framework of best cybersecurity practices. The workshop will be a chance for the NIST to get some feedback from industry, academia, and government.
The NIST also recently announced its 7th Annual Conference on Healthcare Information Security, co-hosted withDepartment of Health and Human Services’ Office for Civil Rights. The seventh annual “Safeguarding Health Information: Building Assurance through HIPAA Security” conference will be held on September 23-24, 2014 in Washington, D.C., and will explore the current health information technology security landscape and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
Congressman Darrell Issa Not Happy With The Federal Trade Commission Taking Action Against LabMD For Data Security Breaches
Written by Keenan W. Ng
On Thursday, July 24, 2014, Congressman Darrell Issa (R- CA 49), Chairman of the House Oversight Committee, held a hearing on the Federal Trade Commission’s prosecution of LabMD for alleged data security breaches leading to the release of its customer’s personal data. Needless to say, Congressman Issa was not happy with the FTC.
Background of FTC v. LabMD
On August 28, 2013, the FTC filed an administrative complaint against LabMD alleging a variety of data security breaches that lead to the release of consumer information. LabMD conducts clinical laboratory tests on specimen samples from consumers and reporting test results to consumers’ health care providers.
The FTC alleged that LabMD’s data security procedures were deficient in that they:
1. did not develop, implement, or maintain a comprehensive information security program to protect consumers’ personal information;
2. did not use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities on its networks;
3. did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs;
4. did not adequately train employees to safeguard personal information;
5. did not require employees, or other users with remote access to the networks, to use common authentication-related security measures, such as periodically changing passwords, prohibiting the use of the same password across applications and programs, or using two-factor authentication;
6. did not maintain and update operating systems of computers and other devices on its networks; and
7. did not employ readily available measures to prevent or detect unauthorized access to personal information on its computer networks.
Aside from denying any wrongdoing, LabMD argued that the FTC was not forthcoming about its data security standards, so it was impossible for a business to determine whether it was compliant. For purposes of trial, in order to determine whether it was in compliance with FTC standards, LabMD moved to compel deposition testimony as to what data security standards the FTC applied to determine whether a company’s data security practices were reasonable or not. LabMD was successful in its motion. But, of course, the testimony was not helpful.
Congressman Issa Not Happy with the FTC
On June 17, 2014, Congressman Issa sent a letter to the FTC inquiring about its relationship with Tiversa, specifically with respect to the FTC’s investigation into LabMD. Congressman Issa was concerned that the Tiversa’s CEO, Robert Boback, did not provide the FTC with complete information about LabMD. Congressman Issa called the July 24 hearing in order to “understand the motivations” underlying the relationship between the FTC and Tiversa.
The fact of this hearing did not go unnoticed. In response to the called hearing, Senator John D. Rockefeller IV (D – W. VA) sent a letter to Congressman Issa explaining that he was troubled by the investigation and defending the FTC and its role in regulating data security practices. Senator Rockefeller noted that this sentiment was expressed recently by the court in FTC v. Wyndham Worldwide Corp. (though the Third Circuit recently granted a petition for an interlocutory appeal of portions of a district court opinion). Senator Rockefeller noted that the FTC’s role in ensuring data security standards is especially important in wake of the recent Target data breach and the fact that Congress has not been able to work together to pass strong data security and breach notification legislation.
The Hearing
At the hearing, the Committee invited a number of speakers to testify, including two law professors who testified as to some of the legal issues surrounding the FTC’s investigations into data security breaches; the executive director of Open Door, a non-profit organization that, like LabMD, was also contacted by Tiversa about alleged missing documents it found on P2P servers; and finally, LabMD’s CEO, Michael Daugherty. The FTC declined to testify.
Mr. Daugherty stated that Tiversa contacted him about documents that the firm allegedly found on P2P networking sites. Tiversa then offered LabMD consulting services, which LabMD declined. At that point, Tiversa informed the FTC about LabMD and the FTC began an investigation. The end result, Mr. Daugherty testified, was that LabMD had to shutter its doors because of the costs of its legal fees. (link: provide links to testimony of each person).
The FTC and its Role Regulating Data Privacy Standards
The FTC has a tough job. On the one hand, it is given great flexibility in investigating unfair business practices. Congress intended to delegate broad authority "to the [C]ommission to determine what practices were unfair," rather than "enumerating the particular practices to which [the term 'unfair'] was intended to apply... There is no limit to human inventiveness in this field. Even if all known unfair practices were specifically defined and prohibited, it would be at once necessary to begin over again." On the other hand, because of this flexibility, it hesitates to set firm boundaries to avoid trapping itself and losing that ability to adapt.
Of course, the FTC's strategy to maintain flexibility does not make it any easier on businesses because they lack certainty with respect to the standards that they must adhere to. It’s a difficult balance to maintain, but it should not be incumbent upon businesses to have guess what the FTC is thinking. Businesses should have some certainty, especially in an ever-changing technological landscape.
As Senator Rockefeller pointed out, Congress should work together to pass cybersecurity legislation, including data breach security standards, that gives businesses the tools to help them develop strong cybersecurity practices that are certain to comply with the law. Unfortunately, as Congress has left for summer recess, cybersecurity is an issue that will have to wait until September.
On Thursday, July 24, 2014, Congressman Darrell Issa (R- CA 49), Chairman of the House Oversight Committee, held a hearing on the Federal Trade Commission’s prosecution of LabMD for alleged data security breaches leading to the release of its customer’s personal data. Needless to say, Congressman Issa was not happy with the FTC.
Background of FTC v. LabMD
On August 28, 2013, the FTC filed an administrative complaint against LabMD alleging a variety of data security breaches that lead to the release of consumer information. LabMD conducts clinical laboratory tests on specimen samples from consumers and reporting test results to consumers’ health care providers.
The FTC alleged that LabMD’s data security procedures were deficient in that they:
1. did not develop, implement, or maintain a comprehensive information security program to protect consumers’ personal information;
2. did not use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities on its networks;
3. did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs;
4. did not adequately train employees to safeguard personal information;
5. did not require employees, or other users with remote access to the networks, to use common authentication-related security measures, such as periodically changing passwords, prohibiting the use of the same password across applications and programs, or using two-factor authentication;
6. did not maintain and update operating systems of computers and other devices on its networks; and
7. did not employ readily available measures to prevent or detect unauthorized access to personal information on its computer networks.
Aside from denying any wrongdoing, LabMD argued that the FTC was not forthcoming about its data security standards, so it was impossible for a business to determine whether it was compliant. For purposes of trial, in order to determine whether it was in compliance with FTC standards, LabMD moved to compel deposition testimony as to what data security standards the FTC applied to determine whether a company’s data security practices were reasonable or not. LabMD was successful in its motion. But, of course, the testimony was not helpful.
Congressman Issa Not Happy with the FTC
On June 17, 2014, Congressman Issa sent a letter to the FTC inquiring about its relationship with Tiversa, specifically with respect to the FTC’s investigation into LabMD. Congressman Issa was concerned that the Tiversa’s CEO, Robert Boback, did not provide the FTC with complete information about LabMD. Congressman Issa called the July 24 hearing in order to “understand the motivations” underlying the relationship between the FTC and Tiversa.
The fact of this hearing did not go unnoticed. In response to the called hearing, Senator John D. Rockefeller IV (D – W. VA) sent a letter to Congressman Issa explaining that he was troubled by the investigation and defending the FTC and its role in regulating data security practices. Senator Rockefeller noted that this sentiment was expressed recently by the court in FTC v. Wyndham Worldwide Corp. (though the Third Circuit recently granted a petition for an interlocutory appeal of portions of a district court opinion). Senator Rockefeller noted that the FTC’s role in ensuring data security standards is especially important in wake of the recent Target data breach and the fact that Congress has not been able to work together to pass strong data security and breach notification legislation.
The Hearing
At the hearing, the Committee invited a number of speakers to testify, including two law professors who testified as to some of the legal issues surrounding the FTC’s investigations into data security breaches; the executive director of Open Door, a non-profit organization that, like LabMD, was also contacted by Tiversa about alleged missing documents it found on P2P servers; and finally, LabMD’s CEO, Michael Daugherty. The FTC declined to testify.
Mr. Daugherty stated that Tiversa contacted him about documents that the firm allegedly found on P2P networking sites. Tiversa then offered LabMD consulting services, which LabMD declined. At that point, Tiversa informed the FTC about LabMD and the FTC began an investigation. The end result, Mr. Daugherty testified, was that LabMD had to shutter its doors because of the costs of its legal fees. (link: provide links to testimony of each person).
The FTC and its Role Regulating Data Privacy Standards
The FTC has a tough job. On the one hand, it is given great flexibility in investigating unfair business practices. Congress intended to delegate broad authority "to the [C]ommission to determine what practices were unfair," rather than "enumerating the particular practices to which [the term 'unfair'] was intended to apply... There is no limit to human inventiveness in this field. Even if all known unfair practices were specifically defined and prohibited, it would be at once necessary to begin over again." On the other hand, because of this flexibility, it hesitates to set firm boundaries to avoid trapping itself and losing that ability to adapt.
Of course, the FTC's strategy to maintain flexibility does not make it any easier on businesses because they lack certainty with respect to the standards that they must adhere to. It’s a difficult balance to maintain, but it should not be incumbent upon businesses to have guess what the FTC is thinking. Businesses should have some certainty, especially in an ever-changing technological landscape.
As Senator Rockefeller pointed out, Congress should work together to pass cybersecurity legislation, including data breach security standards, that gives businesses the tools to help them develop strong cybersecurity practices that are certain to comply with the law. Unfortunately, as Congress has left for summer recess, cybersecurity is an issue that will have to wait until September.
Subscribe to:
Posts (Atom)