Recent Articles in Civil Rights & Privacy Law from LexMonitor

There's A Message For Lawyers in REWORK

Thu, 11 Mar 2010 19:49:48 GMT

I am a huge fan of 37 Signals and their product line of mind-freeing, software-killing, reality-driven SOLUTIONS. There, I said it - SOLUTIONS. As lawyers, we tend to only see problems. Problems are meant to be solved, not lawyered, and sometimes we simply forget the value in achieving something. Recently I had a case in which my client was charged with a very serious crime. The certain outcome - at least it seemed so to me - was the end of his useful life. He would spend most of it in prison if the law had its way. And when prison has its way, well, nobody ever rehabs in prison, they just do time.

But somehow I was dealing with a prosecutor who had a different view of life. She thought the life we were about to grind up could be saved. That was what she decided to do. Recognizing that the law is sometimes an "ass" she came up with a SOLUTION. The kid's life will not end and he will pay a price but he will have a real chance, because we were able to look past the expected resolution and move toward something different. A solution.

I have been looking forward to 37 Signals' founders Fried and Hansson's new book - REWORK. Like that prosecutor, they have a way of coming up with stuff that is better. Stuff that works - or as they say - Reworks. We have used their Basecamp product for years, to keep clients better informed about their cases and in the loop at all hours of the day. Better than email - the messages function in Basecamp insures that your concern will get to me and my response will get back to you with the least grief possible. If you are a lawyer go check out Basecamp and think how easy life can be for you and that client. And you can post documents to the client's project for review without the grief of sending a fax or the worry of lost emails. No $6 faxes needed!

REWORK is full of great advice for all of us. Consider just this one take from the book on the truth about planning. It is guessing.

When you turn guesses into plans, you enter a danger zone. Plans let the past drive the future. They put blinders on you. “This is where we’re going because, well, that’s where we said we were going.” And that’s the problem: Plans are inconsistent with improvisation.
And you have to be able to improvise. You have to be able to pick up opportunities that come along. Sometimes you need to say, “We’re going in a new direction because that’s what makes sense today.”

We spend lots of time "planning" for trial when often it is the improvisation that settles, wins, and solves cases. I am not suggesting that we shouldn't plan for trial, but the truth is our best plans will likely leave us empty when we actually get to trial and the witnesses start testifying. The stuff you plan for may happen, but it is the understanding of the case - its facts and the law governing the facts - that will allow improvisation and solutions. The testimony you did not expect is the testimony that will sink your client's ship.

Make some time and read REWORK. We can learn to underdo the competition, ditch meaningless meetings and stop working so hard.

Collaborative Law: An Alternative Method to Resolve Divorce, Custody and Support

Thu, 11 Mar 2010 18:20:50 GMT

When I became an attorney, I never imagined that I would actually look for ways to help clients stay out of the courtroom. After all, one of the reasons the legal profession interested me was that I could argue and advocate for clients in court (an '80s child, I admittedly watched too much L.A. Law).

At any rate, since I entered private practice nearly 9 years ago, I have met with hundreds of people about their options for divorcing. It's not uncommon for someone to come in to my office for an initial consultation and tell me that they would like to divorce and resolve related issues like custody, child support and spousal support without going to court. Even with the best legal representation, litigation can be an uncertain and frightening experience. It's simply not the right choice for everyone or every family. I wanted to be able to provide an option to those clients who are weary of litigation and believe they can work out a solution without the need for court intervention. For that reason, I recently became trained to practice the collaborative method, or what's familiarly called "Collaborative Law".

The hallmark of a collaborative case is a Participation Agreement, which is a written agreement where both parties commit to resolve the matter outside of court. Each client has his or her own attorney to help them through the process, providing advice about options and creative solutions for moving forward. If necessary, a financial expert and family specialist (often a psychologist) will help the family work through asset valuation or custody issues. The goal of the collaborative model is to reduce the conflict within a family so that at the conclusion of the divorce, the parties can move on with their lives without some of the emotional and financial harm that can sometimes occur during the traditional litigation model.

To date, Collaborative Law is still a relatively new option for Lancaster County residents to pursue. It is my hope that by educating clients and other professionals including, attorneys, financial experts and family therapists, Collaborative Law will offer an additional option clients can utilize to reach constructive agreements about the dissolution of their marriage.

In the next few weeks I will be posting additional articles covering Collaborative Law in more detail.

charonqc

Thu, 11 Mar 2010 17:34:13 GMT

I was fortunate in having an old Punch cartoon print to scan and use as a base – when the question of the debates between the three party leaders, soon to be shown on television, popped into my fevered brain. Do I really want to watch and listen to Brown, Cameron and Clegg talk at me for half an hour each, with no clapping, jeering, heckling or probing questioning? No… if I want that I can listen to the Chilcott Inquiry. I think it may be a crashing bore – far better the anarchy of Newsnight last night with Paxo trying to control Ed Balls, Michael Gove, some guy from the Lib-Dems and a host of rather unusual people – including one of Lord SurAlanSugarpuff’s sidekicks who has a bit part on The Apprentice in the ‘interview’ episode towards the end. Mr Clive Littman did not look entirely comfortable being on Newsnight – politics is a bit more anarchic than business! I could be wrong and he was just bored.

I will watch the debates – well, at least one of them - before taking a view – to do otherwise, of course, would be crass.
And talking about Crass… Left wing crassness was was drawn to my attention by Tom Harris MP on Twitter.

Tom Harris MP writes:

Another day, another boycott in the blogosphere

“SOME might say that, as the author of a blog that did rather well in the last two Total Politics Blog Awards, I have more to lose than others by indulging in a boycott of this year’s contest, as proposed by Though Cowards Flinch.

The boycott is being suggested as a response to Total Politics publisher Iain Dale agreeing to interview Nick Griffin for the latest issue, a decision which resulted in the resignation of Labour MP Denis MacShane from the TP board.

And of course I sympathise. And I admit I raised an eyebrow when Iain announced on his blog that the interview was happening. But I won’t take part in the boycott, for a number of reasons.

The first of those is that Griffin and his odious chums are now democratically-elected representatives of the British people. I wish it were not so, but it is. And ignoring the BNP now isn’t too far from ignoring the views of however many people voted for them. Not a particularly democratic principle, I think you’ll find. And I trust that all those who now want to boycott Total Politics also refuse to watch Question Time…… “

Tom goes on to give further reasons..and I agree. I do not like the BNP. I do not find Griffin an attractive politician. I abhor his views – but if we are to learn, reason, combat extreme right wing ideologies, fight our corner and have a real and mature democracy we have to be prepared to listen to people who think differently. Just listening to other like minded people means we tend to hear like minded things.. not for me. I am open to all viewpoints – then I can think about what is said or done and respond accordingly.

So.. I may disagree with some of Iain Dale’s viewpoints, which is hardly surprising given that he is Tory and I vote Labour - but Dale does analyse politics well, he is measured more often than not and particularly outside election fever time, he is prepared to publish interesting books/magazines and he is prepared to argue and stand his corner. I for one will look forward to his interview with Nick Griffin. I suspect that Iain Dale will ask awkward questions – and he did give readers a chance to suggest questions.

Here is the link John Halton refers to in his tweet above…

J.S. Mill on Holocaust denial

Well, sort-of. Here is Mill’s summary of the reasons for allowing open discussion of contrary opinions:

In the meantime…. since it is election time…. a bit of Labour propaganda for you in the pic above… subliminal messaging!

charonqc

Thu, 11 Mar 2010 10:32:46 GMT

Old Holborn reports….. “Nick Hogan is safely back behind bars. Not the bars which the government sought to contain him behind for failing to act as an unpaid policeman and report his customers for smoking – even when he was not on the premises to witness them to doing so – but the bars, the [...]

Old Holborn reports….. “Nick Hogan is safely back behind bars. Not the bars which the government sought to contain him behind for failing to act as an unpaid policeman and report his customers for smoking – even when he was not on the premises to witness them to doing so – but the bars, the snug, and the restaurant of his own private property, the Swan with Two Necks, in Chorley, Manchester. It was with the greatest pleasure that I was able to telephone Denise Hogan, his wife, a few minutes ago, and ask her to go and collect her husband from the Forest Bank jail in Pendlebury. The indefatigable Old Holborn had moved heaven and earth, above and beyond the call of duty, to arrive at the jail with £8,664.50p in cash, to exchange with the Custody Officer there in return for Nick Hogan’s freedom.”

An Excellent effort by the political blogosphere - and Gudio Fawkes’ extra push was noted recently by Old Holborn. Those who donated when I gave this worthwhile campaign a bit of publicity on the blog ten days ago… I’m sure it was appreciated! I gather that Emily Nomates and ToryBear covered this for GuyNEWS – video on Guido’s blog soon…

Manchester Evening News carried the full report, including a picture of Old Holborn turning up with the cash!

charonqc

Thu, 11 Mar 2010 10:18:21 GMT

Poll: City would prefer Clarke to Osborne Politics Home: City workers would prefer Ken Clarke to George Osborne as Chancellor, according to new research by PoliticsHome and City AM. Vince Cable came in third place on the City’s preference list.

Poll: City would prefer Clarke to Osborne

Politics Home: City workers would prefer Ken Clarke to George Osborne as Chancellor, according to new research by PoliticsHome and City AM. Vince Cable came in third place on the City’s preference list.

charonqc

Thu, 11 Mar 2010 07:24:21 GMT

Judges fear prisons will burst under new rules The Times reports: “Britain’s leading criminal judges warn that a shake-up of sentencing guidelines could push prison overcrowding to crisis levels. They fear that the Sentencing Council, which comes into force next month with the aim of bringing more consistency to courts, will not curb judges’ [...]

Judges fear prisons will burst under new rules

The Times reports: “Britain’s leading criminal judges warn that a shake-up of sentencing guidelines could push prison overcrowding to crisis levels. They fear that the Sentencing Council, which comes into force next month with the aim of bringing more consistency to courts, will not curb judges’ use of custody, as hoped, but actually increase it.

The Council of Circuit Judges, which represents 600 judges in England and Wales, told The Times that they would be left with no freedom to fit punishments to the specific circumstances of a case. They fear that cuts to rehabilitation programmes will leave judges with no option in some cases but to jail offenders. Judge Keith Cutler, vice-president of the Council of Circuit Judges, said that the Sentencing Council requires that judges “must follow” guidelines, rather than “take account” of them.”

Criminal Law is not my specialist subject, so I would be particularly interested to have the views of Criminal Law practitioners who read my blog on this issue. The argument is that the new guidelines will provide greater consistency. What does this ‘consistency’ really mean? Do criminals behave consistently across the country? Is burglary, for example, always the same? manslaughter? Surely not? The tabloids are always keen to pick up on judicial leniency – often railing against the judicial system without actually attending the trial to listen to the evidence, to serve up ‘anger and outrage’ to those of their readers who wander about with flaming torches in one hand and a length of rope in the other hand.

The Tories say that this is a naked attempt to reduce pressure on prison places because judges have to take account of the availability of prison places – but it seems that a possible ‘unintended consequence’ of the new principle will actually incease pressure on prison places as judges will not have the same discretion to leniency.

The Times notes: “A Ministry of Justice spokesman insisted that judges’ discretion would remain unfettered and would be respected. “There will not be an American-style sentencing grid or matrix,” he said. “Judges will still have the discretion and flexibility to give the sentence they think most appropriate. Judicial discretion in sentencing in individual cases is the cornerstone of our justice system. We are not going to change that.”

Ex-Cazenove partner found guilty of insider dealing

The FSA has notched up a success with their well broadcast policy of getting tough on insider dealing.

The Times reports: Malcolm Calvert, a former partner at Cazenove, the Queen’s stockbroker, has been convicted of insider dealing and faces up to seven years in prison. A jury at Southwark Crown Court today returned a guilty verdict for Calvert, 65, on five counts of insider dealing after 18 hours of deliberation. He was acquitted of a further seven counts…..

….

Four people have been convicted of insider dealing in the past 12 months, three of whom received immediate custodial sentences and the other a suspended sentence. Calvert’s conviction is a significant victory for the Financial Services Authority, which is bringing a series of insider-dealing prosecutions as part of a wider campaign to clamp down on financial crime. Rob Moulton, a partner at law firm Nabarro, said: “This is a big victory for the FSA, as it is their first criminal success against a “city” name. At a time when FSA is fighting for its survival, this conviction is a real boost to FSA’s credible deterrence strategy.”

The good times seem to be coming to an end… this is clear when a City lawyer remarks..”"Prosecuting financial crimes has often proved problematic, but the FSA is on something of a roll. It has said it wants to be seen as a ’scary regulator’ and this case is going to help to get that message across.”

Margaret Cole, director of enforcement and financial crime at the FSA, said: “The guilty verdict is a shot across the bow for any City workers who may be tempted to trade using insider knowledge.”

It seems that the FSA may not be as clever as they think they are….. the comments section on the story is interesting… this, being an example of the criticism..

Pat Sheehan wrote:

“How on earth can you conclude that “Calvert’s conviction is a significant victory for the Financial Services Authority”?
Surely, they simply caught a sprat while the mackerel escaped: “… they could not identify who the inside source at Cazenove was …”
It would have been a significant victory only if we could all move forward in reasonable belief that from here on Cazenove (or Caz associations) would treat our affairs confidentially.”

In the meantime…

Fraud and corruption is costing Britain £30 billion a year

Jonathan Fisher QC, writing in the Times, has an interesting piece… “It is almost 25 years since the Roskill Report published its radical recommendations for improving the way complex fraud, corruption and financial market crimes are tackled. In that time the complexity of business transactions and the amount of activity in financial markets have both increased dramatically.

Yet the many institutions that investigate and prosecute these crimes, including the Serious Fraud Office, the Financial Services Authority (FSA), the Office of Fair Trading, the Crown Prosecution Service (Fraud Prosecution Service and Revenue & Customs Division) and the City of London Police Economic Crime Directorate, remain hamstrung by a haphazardly developed system of overlapping responsibilities, a dispersion of powers and unnecessary duplication of manpower and specialist resources. As if this weren’t enough, these agencies have to operate under differing statutory frameworks, further exacerbating the problems.

The advantages of establishing a unified agency, as initially proposed by Lord Roskill and advocated again today in Fighting Fraud and Financial Crime, my report published by Policy Exchange, are even more pertinent than they were then. Important changes to the criminal law also need to be made to enable our criminal justice system to cope with complex fraud trials and to bring the perpetrators of such crimes to account……”

And, an even more depressing case…

Litany of failures that let father rape his daughters for years

The Guardian: Authorities apologise over missed warnings of incest as report reveals culture of ‘quiet word’ rather than action

Nick Holmes of Binary Law asks… Tired of blogging? – tired of life

Nick notes that while the young are not blogging so much – this may well account for the fact thst Geeklawyer doesn’t blog as much as he used to. On Twitter Geeklawyer regularly cites his age as being 28 or 29 depending on how pissed he is when he tweets! Nick also notes that he is p****d off with spammers and those who post comments like..”Great blog post… I’ve been looking for a site like this…I’ll come back@.

Nick – do what I do… re-direct their ’service’ to a dodgy porn site. I did that with a law firm, sent them an email to say that I had done this and… hey presto… I had a very apologetic email back asking me to delete their comment – most satisfying.

I have a bit of ‘fever’… so not writing as much as usual… a very tedious fever which prevents me from even drinking a ot of wine. Brighter today, though..so, hopefully, normal service will be resumed on the Rioja and writing front.

And finally…
Romanian street sign warns drivers of ‘drunk pedestrians’

The Telegraph reports: “Street signs warning Romanian drivers to be careful of drunken pedestrians lying on roads were erected by road safety chiefs worried about the “despairing” levels of accidents.”

I am fairly sure that the bottle pictured above is not Rioja.

Facebook plans to allow users to "share" location

Thu, 11 Mar 2010 00:08:12 GMT

According to the New York Times, Facebook is going to roll out full-blown location sharing in April. From the NYT's Bits Blog:

Facebook Will Allow Users to Share Location - Bits Blog - NYTimes.com
In preparation for the introduction, Facebook updated its privacy policy last November. The new policy states: “When you share your location with others or add a location to something you post, we treat that like any other content you post.”
At that time, the company also offered some foreshadowing of the new feature: “If we offer a service that supports this type of location sharing we will present you with an opt-in choice of whether you want to participate.”
Facebook has been working on a location-based tool for close to a year, but decided to wait until the product was completely ready for mainstream adoption before announcing it, said the people with knowledge of the project.

LifeLock To Pay $12 Million to Settle Charges That Identity Theft Prevention and Data Security Claims Were False

blogs@foleyhoag.com (Foley Hoag) — Wed, 10 Mar 2010 23:06:57 GMT

LifeLock, Inc., a self-proclaimed “industry leader in the rapidly growing field of identity theft protection” has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that Lifelock falsely promoted its identity theft protection services. Lifelock publicized its services through advertisements that publicly disclosed its CEO’s Social Security number. As part of the settlement, LifeLock and its principals will be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers.

The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against a few types of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. New account fraud, the type of identity theft for which fraud alerts are most effective, comprised only about 17 percent of identity theft incidents. The FTC also alleged that Lifelock provided no protection against other types of identify theft, such as medical identity theft and employment identity theft.

The FTC’s complaint further alleged that LifeLock claimed that it would prevent unauthorized changes to customers’ address information, that it constantly monitored activity on customer credit reports, and that it would ensure that a customer always would receive a telephone call from a potential creditor before a new account was opened. Ironically, the FTC also charged that LifeLock’s own data repositories were not encrypted, and sensitive consumer information was shared inappropriately, and could have been exploited by hackers.

The FTC will use the $11 million it receives from the settlements to provide refunds to consumers. It will be sending letters to the current and former customers of LifeLock who may be eligible for refunds under the settlement.

HR Question: Should I Be Paid For Travel Time?

chris@themckinneylawfirm.com (Christopher McKinney) — Wed, 10 Mar 2010 22:23:46 GMT

We get a high volume of basic HR-related questions here at the HR Lawyer's Blog. So many, in fact, that we are sometimes not able to respond to each and ever one of them individually as we would like. So it occurred to us that it might be a good thing to post some of these questions and answer them publicly on the site. Thus we begin the first in what we hope will be a regular series titled "HR Questions." This week's question involves application of...

A Closer Look at the PCI Compliance and Encryption Requirements of Nevada's Security of Personal Information Law

Wed, 10 Mar 2010 17:51:35 GMT

Since approximately 2005, the state of Nevada has had a fairly comprehensive data privacy law on its books: the Nevada Security of Personal Information Law (the “Law”). Prior to 2009, the Law imposed various requirements concerning the protection of personal information of Nevada residents, including requirements concerning security breach notice, the implementation of reasonable security measures and the destruction of records containing personal information. In 2009, the Nevada legislature materially amended the law by passing Nevada Senate Bill 227 (“SB 227” or “SB 227 Amendment”). The SB 227 Amendment added two significant (but mutually exclusive) data security obligations: (1) a requirement to comply with the Payment Card Industry Data Security Standard (“PCI”); and (2) requirements to encrypt personal information in certain contexts. The SB 227 Amendment became effective on January 1, 2010. This article summarizes the requirements of the SB 227 Amendment, addresses various compliance issues posed by it, and discusses its “safe harbor.”

The Interplay Between the Law’s PCI Compliance and Encryption Obligations

To understand the requirements of SB 227, it is important to first understand the interplay between the PCI obligations set forth in subsection 1. and the encryption requirements of subsection 2. Significantly, it appears that a data collector that complies with PCI (as required under subsection 1. of SB 227) need not comply with the personal information encryption requirements of subsection 2. This “either/or” dynamic creates a strange compliance situation.

Subsection 1. of SB 227 provides:

1. If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization.

Subsection 2. of SB 227 provides:

2. A data collector doing business in this State to whom subsection 1 does not apply shall not:

(a) Transfer any personal information through an electronic, nonvoice transmission other than a facsimile to a person outside of the secure system of the data collector unless the data collector uses encryption to ensure the security of electronic transmission; or

(b) Move any data storage device containing personal information beyond the logical or physical controls of the data collector or its data storage contractor unless the data collector uses encryption to ensure the security of the information.
(emphasis supplied).

The current version of PCI (v 1.2.1 – July 2009 ) references encryption with respect to certain cardholder related data while stored and in transit. Section 3.4. of PCI requires companies to render a payment card’s PAN’(“Primary Account Number’”) unreadable, including through the use of strong encryption. Compliance under section 3.4 is also possible through other measures, including truncation, index tokens and pads, and “compensating controls.” Section 4.1. of PCI mandates the use of strong encryption of “cardholder data” during transmission over open or public networks. Cardholder data as defined under PCI includes PAN, Cardholder Name, Service Code, and Expiration Date as defined with respect to PCI.

However, the definition of “personal information” under the Law is much broader than “PAN” or “cardholder data” under PCI. Personal information includes information that is wholly unrelated to credit cards, including social security numbers, driver’s license numbers, identification card numbers and bank account numbers. PCI does not require encryption of these elements while transmitted electronically. Moreover, PCI does not require any personal information to be encrypted while stored. Rather, it only requires that the PAN be encrypted in storage (and even here encryption is not an absolute requirement -- PCI allows for other methods to render PANs unreadable and allows for "compensating controls"). Finally, since the encryption that happens around PCI relates to payment processing only, it does not appear that PCI-compliant companies would have to address encryption in other contexts, including for example e-mails containing personal information.

In short, PCI compliance allows an entity to avoid the obligation to encrypt personal information (except for "Cardholder Data") on data storage devices or while in transit, as required under subsection 2. of SB 227, and would appear to undermine the broader purposes of the Law. Stated differently, companies that are already PCI compliant would appear to have diminished obligations when it comes to encrypting Personal Information than those companies that are not subject to PCI.

Issues Surrounding the Law’s PCI Compliance Obligations

Nevada is the first state to incorporate the entire PCI Standard into law. The PCI Standard is an industry standard contractually imposed by the payment card networks on merchants and service providers that store, process or transmit cardholder data. In essence, the Nevada legislature has ceded its legislative authority to a group of private companies whose interests and concerns in creating and updating the standard may not be aligned with the goals of the Law. It has given PCI the weight of law, backed by attorney general enforcement and potential statutory liability, despite the fact that PCI is typically imposed in a negotiated contractual setting. As such, tying PCI to the Law raises several interesting issues and poses additional challenges:

PCI is always changing. One of the biggest problems with the PCI compliance requirement under SB 227 is that PCI is constantly being changed and updated. PCI is currently on version 1.2.1 (the fourth version in four years) and is currently soliciting comments concerning potential modifications in 2010. This makes the Law a moving target. On a certain level this makes sense – the PCI standard and good security evolves as the risks and technology changes. However, from a compliance standpoint constant vigilance is required to ensure compliance. Under the Nevada law this is especially true since non-compliance can result in an attorney general action.

PCI is ambiguous. Unfortunately the PCI standard is ambiguous as written in many sections and as applied in many circumstances. This is due in part to the one-size-fits-all nature of the standard. The problem is exacerbated, however, because there are multiple sources of interpretation, including the PCI Council, merchant banks, the card brands and qualified security assessors. Even within the PCI Council itself multiple methods of interpretation exist, including guidelines, FAQs, prioritized approaches, and email answers provided by the PCI Council provided on an ad hoc basis. Moreover there is no set interpretative hierarchy between potentially competing interpretations. For example it is not clear whether PCI Council guidance document would trump an FAQ, or the interpretation of a merchant bank.

PCI is contractual in nature. Typically a merchant will enter into a “merchant agreement” with a merchant bank or processor so it can accept credit cards. That merchant agreement will mandate that the merchant comply with PCI. If there is an ambiguity, since the merchant’s obligations are derived by contract, naturally the “best” source to resolve those ambiguities is with the merchant bank that is party to the agreement. If the merchant bank “gets it wrong” or agrees to a PCI interpretation that is not compliant, while it may have sufficed for the contractual relationship, under the Law it could result in a legal violation.

PCI is one-size-fits-all. PCI is made up of over 200 individual requirements/sub-requirements. For small businesses it may be difficult, if not impossible, to comply with (from a resource standpoint). Yet the Law does not make any exception or allowance for this. As a result, on day one many businesses (especially smaller and medium companies) are likely to be non-compliant with the Nevada law.

New independent and direct duty for service providers to comply with PCI? Typically, under the PCI regulatory scheme, service providers that store, handle or transmit cardholder only have a direct obligation to comply with PCI if they are contractually required to do so. They have no independent legal duty to comply with PCI under normal circumstances. SB 227, however, may provide a direct duty for service providers to comply with PCI. Service providers appear to fall into the definition of “data collectors” because they typically “handle, collects, disseminates or otherwise deals with nonpublic personal information.” The issue becomes whether, under subsection 1. of SB 227, a service provider storing, processing or transmitting cardholder data for another “accepts a payment card in connection with a sale of goods or services.” If the language in subsection 1. read “accepts a payment card for a sale of its goods or services,” then it would appear to be limited to merchants. However, the “in connection” language arguably extends the duty to service providers. For example, some might argue that payment gateways directly “accept” payment card numbers from customers online on behalf of merchants in connection with the merchant’s sale of goods and services.

Issues Surrounding the Law’s Encryption Obligations

The Encryption Obligations: Electronic Transmission and Data Storage Devices.

If a data collector doing business in Nevada does not have an obligation under subsection 1., then it must comply with the encryption requirements of subsection 2. SB 227 requires encryption in two areas: personal information transmitted electronically (subsection 2.(a) of SB 227) and encryption of personal information stored on certain data storage devices (subsection 2.(b) of SB 227).

A data collector doing business in Nevada, subject to exceptions discussed below, may not transfer personal information outside of its secure systems through an electronic transmission, unless encrypted. Again, a drafting quirk may pose some interesting interpretations of this obligation. By using the term “secure system” (undefined), it appears that this encryption requirement does not apply to personal information transmitted from an “insecure system.” Note that the probable intent of the “secure system” language was to eliminate the need to encrypt personal information while in transit within the internal networks of an organization (or at least that is one interpretation).

Drafting mistakes aside, SB 227 sets forth some significant exceptions to this encryption requirement. The electronic transmission encryption requirement does not apply to:

electronic voice transmissions or facsimile transmissions;

telecommunication providers conveying communications of other people; or

data transmissions over secure private communications channel for: (1) approval or processing of negotiable instruments, EFT transfers or similar payment methods; (2) issuance of reports regarding account closures due to fraud, substantial overdrafts; or (3) abuse of ATM machines or related information regarding a customer.

Data collectors must also encrypt data stored on a data storage device if the device goes beyond the logical or physical controls of the data collector or its data storage contractor. The concept of going beyond the physical controls (e.g. facilities of the data collector) is fairly clear. However, it is uncertain exactly what the intent is behind the “logical controls” reference. It could mean that if the data storage device is protected by the same “logical controls” as data storage devices that are part of the data collector’s internal networks, then encryption is not required. Or it could be tying back into the concept of secure internal environments. However, more research is necessary to ascertain how the “logical control” reference should be interpreted.

The Encryption Standard.

To comply with the Law, data collectors must use an encryption technology that renders such personal information indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data, which has been adopted by an established standards setting body, including for example, the Federal Information Process Standards published by the National Institute of Standards and Technology.

Encryption under the law also requires sound key management processes and safeguards. Specifically, data collectors must utilize appropriate management and safeguards with respect to cryptographic keys in order to protect the integrity of its encryption process. The data collector’s key management procedures and safeguards must be consistent with guidelines set forth by an established standards setting body, including for example, the National Institute of Standards and Technology.

While one might quibble with the requirement that the encryption technology render personal information indecipherable (all encryption is theoretically capable of being broken), the reference to FIPS and NIST standards provides solid guidance. However, the Law does not indicate what constitutes an “established standards setting bodies” in the event a data collector would like to use an encryption standard that is not based on FIPS or NIST.

The SB 227 Amendment’s “Safe Harbor”

While SB 227 arguably imposes significant encryption obligations on certain data collectors (at least those that are not already PCI-compliant), it also provides a “reward” for companies that meet its mandates. Subsection 3. of SB 227 provides a “safe harbor”:

3. A data collector shall not be liable for damages for a breach of the security of the system data if:
(a) The data collector is in compliance with this section; and
(b) The breach is not caused by the gross negligence or intentional misconduct of the data collector, its officers, employees or agents.

This “safe harbor” may provide significant protection to compliant companies that suffer a personal information breach, even beyond the Law itself. Some may argue that the safe harbor protects the organization from all damages no matter what context or theory of liability (e.g. common law negligence, contract, negligent misrepresentation, etc.). Support for this theory can be found where SB 227 references a very limited list of liabilities theories (“gross negligence and intentional misconduct”), which arguably implies that other theories of liability can be barred by the safe harbor. Moreover, since the Law itself does not explicitly provide any damage remedy against a data collector that suffers a security breach, it would appear to be referring to liability outside of the Law.

For example, assume the case of a merchant that suffered a payment card breach. It would typically have a contract in place whereby it agreed to indemnify its merchant bank in the event of a payment card breach. Under SB 227, as long as the merchant was PCI compliant at the time of the breach (and therefore compliant with subsection 1. of SB 227), it could argue that it should be immune from contractual liability. This is significant because there is no legal mechanism currently in place under PCI that provides this legal protection. Please note that this argument is far from settled and additional research and analysis is necessary in order to validate the intent of Nevada’s legislature.

Beyond its potential broad scope, the safe harbor language in SB 227 arguably creates some incongruities between SB 227 and the Law. For example, the Law requires data collectors to implement certain “reasonable” security measures around personal information, which typically include measures beyond encryption (e.g. background checks, firewalls, virus protection, security policies, etc.). However, the safe harbor applies to all security breaches as long as the data collector complied with SB 227, even if it implemented “unreasonable” (but not “grossly negligent”) security.

An illustration may assist here. Assume a data collector made a mistake in configuring its firewall, which allowed a hacker to steal one million unencrypted personal information records while in transit on the data collector’s internal systems. One might argue that this data collector violated the section of the Law requiring “reasonable security measures” by providing such access. Nonetheless, as long as the data collector complied with SB 227 by encrypting data in transit externally or in data storage devices taken off premises, and it was not grossly negligent, it appears it would not be liable for the security breach under the Law (and otherwise). In other words, with the safe harbor, the requirements of SB 227 could be argued to override more stringent requirements of the Law around security.

Conclusion

Nevada’s Security of Personal Information Law, including the SB 227 Amendment, may pose some challenges for organizations. Its scope is arguably wider than Nevada companies because it appears to apply to any business that stores or processes personal information of Nevada residents, even those without a physical presence in Nevada. It employs a one-size-fits all approach that requires either PCI compliance or encryption of data in transit or on data storage devices, regardless of feasibility, or the resources or sophistication of the company. Moreover, by incorporating the payment card industry’s data security standard directly into the law, it gives PCI “the force of law.” This may be problematic for several reasons, the least of which is that PCI is frequently amended and presents a “moving target,” and is often ambiguous as written and as applied.

However, in addition to the new obligations posed by SB 227, it may offer some benefits and protection to organizations. First, companies that are already PCI compliant do not need to go the extra step under SB 227 and encrypt personal information in transit or on data storage devices. This is true despite the fact that the encryption requirements of PCI are limited in scope. Second, SB 227 provides a safe harbor that arguably bars liability arising out personal information security breaches that were not intentional or grossly negligent. In all, it will be interesting how companies react to the Law, how it is enforced by regulators, used by litigants involved in security breach litigation, and interpreted by courts.

charonqc

Wed, 10 Mar 2010 12:19:10 GMT

Max Clifford drops News of the World phone hacking action in £1m deal The Guardian reports: “Tabloid accused of buying silence after persuading celebrity PR agent to drop case over interception of voicemail messages” The News of The World appears to be rushing to stop a flood of litigation – as the Guardian states…“The News of the [...]

Max Clifford drops News of the World phone hacking action in £1m deal

The Guardian reports: “Tabloid accused of buying silence after persuading celebrity PR agent to drop case over interception of voicemail messages”

The News of The World appears to be rushing to stop a flood of litigation – as the Guardian states…“The News of the World was tonight accused of buying silence in the phone-hacking scandal after it agreed to pay more than £1m to persuade the celebrity PR agent Max Clifford to drop his legal action over the interception of his voicemail messages. The settlement means that there will now be no disclosure of court-ordered evidence which threatened to expose the involvement of the newspaper’s journalists in a range of illegal information-gathering by private investigators.”

Of perhaps greater interest to political animals, particularly those on the Labour or left, will be the effect this has on Andy Coulson, former editor of the News of The World and currently enjoying time in the sun as the Tory Party’s Malcolm Tucker/Alastair Campbell communications supremo.

The Guardian notes: ” The case had potentially important implications for Andy Coulson, media adviser to the Conservative leader, David Cameron, who edited the News of the World at the time of the illegal activity and who has said that he does not remember any of his journalists breaking the law……..(NOTW Journos) – Goodman and Mulcaire were jailed in January 2007 for intercepting the voicemail of a total of eight victims, including Clifford and Taylor. The News of the World originally claimed that it had no knowledge of any of the illegal activity. Coulson resigned on the grounds that he carried ultimate responsibility.”

Hey ho…. but do have a look at Beau Bo D’Or take on the Max Clifford story….

I did enjoy this from Overlawyered…

From attorney Bob Ambrogi, on Twitter: “This felt wrong: Shortly after heated call with lawyer saying he’d sue my client, he sent me invite to connect on LinkedIn.” Related: Amy Alkon.

And this from John Bolch at Family Lore… “As humans, we need to evolve more” – John writes...”Nissenbaum explains how relationship breakdown brings out the worst in many people, especially where children are involved. “Every parent who has ever pushed for custody insists he or she is doing it out of love,” he says in his book. “Hate is more like it…. Parents throw everything they have at the other side, the more disgusting, horrendous and despicable, the better.” John ends…”Yep: been there, done that.”

charonqc

Wed, 10 Mar 2010 06:16:05 GMT

Civil servants ‘told to imitate answering machines’ The Guardian reports: “Civil servants who continued working during yesterday’s national strike have revealed they were told to pretend to be answering machines to cope with an overload of calls from the public. Staff at the Department for Work and Pensions in Carlisle said today they were given a [...]

Civil servants ‘told to imitate answering machines’

The Guardian reports: “Civil servants who continued working during yesterday’s national strike have revealed they were told to pretend to be answering machines to cope with an overload of calls from the public. Staff at the Department for Work and Pensions in Carlisle said today they were given a brief script to read out before hanging up, in the style found on telephone answering machines.

The instruction by managers was initially leaked on Facebook after chitchat between strikers and colleagues who had stayed at work. One worker said: “To begin with, we all found it hard to keep a straight face, and occasionally, I slipped up and I ended up giving my name to the person who was calling.”

The staff said their fake-robot message was issued for peak lunchtime, between midday and 2pm. The script read: “Due to the high volume of enquiries we are currently experiencing we are unable to take your call. Please call back later.”

I wake each morning at 4.00 (ish), more often than not looking forward to seeing what idiocy has taken place overnight in politics, so I was not surprised to read in my RSS feeder this absurd story about the civil service. I am almost tempted, as I have to telephone my local council today, to pretend to be an ‘electronic digital telephone machine’ myself and say…

“Good morning… if you would like to know why I am calling, press 1…if you would like to know if I have anything sensible to say when you do speak to me…press 2…. if you would like to do some work for your inflation proof pensioned up salary and actually do something of value for one of your clients…me…press 3″

The Times reports: City law firms are preparing to raise millions of pounds from external investors as the British legal market braces for its own version of Big Bang. At least 20 firms are planning to raise outside funding under rules that will allow non-lawyers to own a stake in legal practices for the first time, accountants advising the firms told The Times.

Three of these firms are planning to raise a war chest for acquisitions of more than £20 million, either through an initial public offering or from private equity investors. The new rules, which will come into force next year, are expected to transform the legal sector, as deregulation did financial services in the 1980s.

Jeremy Black, a partner at Deloitte, the Big Four accountant, said: “It’s going to change the way firms look at the provision of legal services. Nobody will be untouched by these changes.”

There is no doubt that change is coming and the traditional view of law as a ‘profession’ will finally cede to the values and mores of the markets… where business is business. This does not, of course, mean that lawyers will be any less professional…they will have to be even more ‘professional’ (but in a different sense) because if they go the full route and list on the stock exchange they will be subject to ’sentiment’…and sentiment can be a very hard task master.

I did like this paragraph from The Times…”Many partners remain sceptical. They argue that external funding will dilute their partnership culture and force them to give up too much control of their businesses.”

The writer forgot to add…“and too much of their profits”. It does, however, seem an attractive way of capitalising the business. Traditional law firm structures are ‘thinly capitalised’ given that partners withdraw much of the profit each year. I suspect that full flotation may take some time…and a fair bit of ‘kicking and screaming’. We shall, of course, see in time.

You may like to listen to a podcast I did for The College of Law Inside Track series with Sir Nigel Knowles, CEO of DLA Piper. Sir Nigel Knowles gave a very sanguine view of the future of the big law firms and the issue of external capital.

Bar Standards Board raps BPP Law School for taking on too many students

While I covered this some weeks ago, The Lawyer adds some interesting points about BPP’ssplans to turn themselves into a fully fledged university.

Offenders who commit ‘grave crimes’ must be named, says judge

The Telegraph reports: “A judge said the public deserved to know the identities of offenders who committed ”grave crimes” as he allowed the naming of a juvenile who killed an innocent peacemaker with a single punch.

This judicial view does not, of course (hopefully), impact on the Venables situation where issues of a fair trial preclude identification.

Jon Venables could be killed if his identity is revealed, key judge warns

The Guardian reports: “Baroness Butler-Sloss, who granted anonymity to James Bulger’s killers, defends Jack Straw’s secrecy stance”

The Sun appears not to have anything on the Venables case this morning. I suspect the bandwagon is moving on.. there are other more important stories for them t reveal to an adoring public.

It is not just the tabloids who are getting in on the ‘Shock’ act…

The Independent has this…

Paedophile ‘alarm button’ was rejected by Facebook, say police

And… if that isn’t enough to slake your taste for salacious titbits (with an intellectual spin) this morning… they have this…

Jealous lover killed ex over web photos

Getting back to a bit of hard law….

Supreme Court rejects Christian registrar’s claim

The Independent reports: ” A Christian registrar who lost her job after she refused to carry out civil partnership ceremonies has been refused permission to appeal to the Supreme Court. Ms Ladele, who became a registrar in 2002, said she could not carry out such ceremonies “as a matter of religious conscience”. She claimed she suffered ridicule and bullying as a result of her stance and said she had been harassed and discriminated against by Islington Council in north London.”

Yesterday The telegraph reported: “A pharmacist refused to issue contraceptive pills prescribed by a doctor because it was against her religion.”

Given that employers were not entitled to discriminate against these employees when taking them on for jobs where, presumably, they knew they would have to carry out lawful work which may be contrary to their religions it is puzzling why they applied for the jobs in the first place. I have little sympathy.

Professor John Flod (RATs – Random academic thoughts) has an interesting film on legal education to look at…

UKCLE’s Ideas on the Future of Legal Education

“My friend, Julian Webb, is who is director of UKCLE and professor of legal education, has put together an interesting short film about the influences on the future of legal education in the UK. I think it also informs discussion about legal education elsewhere.”

Hat Tip to John Flood for picking up this cartoon from The New Yorker

The Fat Bigot has an interesting piece on recessions…

We must avoid the Japanese problem – “Anatole Kaletsky wrote an interesting piece in the Times today highlighting the Japanese problem. In an attempt to stimulate its way out of recession in the early 1990s Japan increased government spending and borrowed to pay for it. This went on for several years and now, almost twenty years later, the cost of servicing the borrowing is so high there is no additional money available to repay the principal sums borrowed. Japan’s economy has, as a result, seen virtually no growth in GDP.”

Capitalists@Work are running with this... The end of free speech and flaming on the interne

Dan Michaluk

daniel-michaluk@hicksmorley.com (Dan Michaluk) — Wed, 10 Mar 2010 03:21:25 GMT

I posted yesterday about the provision in Ontario’s new workplace violence legislation that requires employers to disclose information about individuals who may cause physical injury to workers and my theory that it is most significant because it requires good threat assessment processes. The other provision that is getting talk is the so-called “domestic violence provision.” [...]

Come June 15th, section 32.0.4 of the OHSA will read:

If an employer becomes aware, or ought reasonably to be aware, that domestic violence that would likely expose a worker to physical injury may occur in the workplace, the employer shall take every precaution reasonable in the circumstances for the protection of the worker.

This has people asking, “What is domestic violence?”

The term “domestic violence” has caused a distraction in my view. It is dangerous because it could lead people to get tied up in a mental knot about the variety of violence associated with a threat rather than the threat itself. While I don’t mean to discount the problem of domestic violence in the workplace and the special challenges it raises, the answer to the question above does not likely affect employer duties.

This is because it is not plausible that a threat of physical injury from violence simpliciter deserves any less management than a threat of physical injury from domestic violence. The provision therefore could have read:

If an employer becomes aware, or ought reasonably to be aware, that violence that would likely expose a worker to physical injury may occur in the workplace, the employer shall take every precaution reasonable in the circumstances for the protection of the worker.

This would have been very nice language – subject to interpretation but at least clear in its intent. And if the legislature did want to signal to employers that the risk of domestic violence in the workplace is no less their responsibility to address than the risk of violence simplicter in the workplace, it could have included a deeming provision specifying that “violence” includes “domestic violence.” In my view, the duties arising from such language would have been the same as those to be confirmed by the Bill 168 provisions come June.

This brings us back to threat assessment. Distracting language aside, section 32.0.4 speaks about acting based on facts that ought reasonably be known. It signals that employers should (1) have access to the right people (who can assess a threat based on reports about individual behavior); (2) who can be provided with the right information (including all known behaviors about a threat plus information that can be gathered through reasonable threat inquires); (3) so they can assess threats and take appropriate action at the right time. These basic prescriptions go for all kinds of violence, domestic and otherwise.

Rx for Illinois Budget: Responsibility, Not Ideology

Tue, 09 Mar 2010 19:52:07 GMT

There is something almost purely ideological about opposition to the revenue reforms that knowledgeable analysts agree Illinois needs right now – not only to escape its fiscal crisis but to make its tax system more fair and sustainable.

I suppose ideological biases are fair enough among some anti-government zealots and politicians who hope to use them and lead them. But somehow one would hope for a more balanced and dispassionate approach from mainstream media, such as the Chicago Tribune.

It can only be ideology that justifies the anti-tax position by reference to taxpayers “already devastated by the recession.” In fact, under leading revenue-reform plans, many lower- and moderate-income households would pay no increased income tax or a modest increase; the lowest-income households would pay less.

But for those who’d pay a few dollars more per paycheck in income tax – is that more weighty than maintaining state-assisted care for their elderly relatives, safe roads and bridges, schools with a full complement of teachers and educational programs, or the public health programs that protect us from epidemics?

This crisis demands a balanced approach that includes significant new revenues raised in a fair way. Polling and history show that, while nobody likes to pay higher taxes, people appreciate honest leadership in a crisis and understand and support a balanced approach. We already are suffering from severe cuts; we are already borrowing; we will continue to seek as much help as possible from the federal government. But those measures are not enough. We need significant, new revenue to complete the balance and navigate out of the crisis with a sounder future in store.

What Does the Criminal Conviction for Privacy Law Violations of Three Google Executives in Italy Mean for Multi-National Employers in the U.S.?

Tue, 09 Mar 2010 18:06:22 GMT

On February 24, 2010, a Milan court convicted Google’s Chief Legal Officer, Global Privacy Counsel, and a former member of Google Italy’s board of directors for violating Italian privacy law and imposed a six-month, suspended jail sentence. The case stemmed from a posting on Google Video® — a YouTube® predecessor — of a video depicting several teenagers bullying a classmate with Down’s Syndrome. Although the Google executives had no involvement in either the posting or in the decision whether and when to remove it, Italian law imposes criminal liability on senior executives for the actions of the corporation. Prosecutors alleged that Google should be held responsible not only for permitting the video to be posted in the first instance, but also for allegedly not having acted quickly enough to remove the video after receiving a complaint.

The convictions have wide ranging implications for e-commerce, but what are the implications for global businesses with employees in the European Union?

First, the Google convictions serve as an important reminder that government authorities in the E.U. are serious about enforcing data protection laws. Thus, U.S.-based multi-nationals need to confirm that their local affiliates are complying with local data protection law. Of equal importance, international transfers of employee data to the U.S. — for example, for inclusion in a centralized human resources data base — must satisfy local data protection requirements. Even after the employee data has been received in the U.S., data protection requirements (in addition to any imposed by U.S. law) will apply.

Second, the Google convictions highlight for U.S. employers a critical distinction between U.S. and E.U. privacy law. Under U.S. law, an employer’s legitimate business interests typically trump an employee’s countervailing privacy interests. U.S. employers, for example, have substantial leeway in conducting workplace video surveillance and searches of employees to prevent theft or deter workplace violence. In the E.U., privacy is a fundamental right that, as the Google convictions demonstrate, does not give way even to the freedom of expression so cherished and zealously protected in the U.S. According to the Italian prosecutor, protecting the dignity of the bullying victim took precedence over Google’s commercial interests, including its interest in being a platform for expression and communication over the Internet.

Finally, “privacy” in the E.U. is conceptually far broader than the “right to be left alone” underpinning U.S. privacy law. In the E.U., “privacy” encompasses the notion of data protection. Consequently, any use of individually identifiable information about a natural person — even a business e-mail address and phone number — is presumed unlawful unless the possessor of that information (known in E.U. law as the “data controller”) has a lawful justification for using the information. This prophylactic approach contrasts starkly with U.S. law which permits the use of personal information at the possessor’s discretion unless the law expressly prohibits or restricts the use. Moreover, such prohibitions and restrictions typically are confined to discrete categories of employee information, such as health information.

In short, the Google convictions should serve as a blinking yellow light to every U.S. employer with operations in the E.U., warning employers to consider potential implications under E.U. data protection law before using individually identifiable information about any employee who resides in the E.U.

This entry was written by Philip L. Gordon.

charonqc

Tue, 09 Mar 2010 10:24:01 GMT

You have to laugh… the Tories are spending a fortune shoring up the idea that they are supporting the NHS and then the Young Britons Foundation pops up in the form of their Chief Executive, Donal Blaney – a lawyer – with talk of waterboarding, shooting down environmental protesters and another spokesman saying the NHS [...]

You have to laugh… the Tories are spending a fortune shoring up the idea that they are supporting the NHS and then the Young Britons Foundation pops up in the form of their Chief Executive, Donal Blaney – a lawyer – with talk of waterboarding, shooting down environmental protesters and another spokesman saying the NHS is the biggest waste of time in the UK.

Many Tories, deny that there is anything sinister about the YBF and I accept that we are not dealing here with a group of crypto-fascists with muscle spasm problems in their right arms – but, clearly, the views expressed by Donal Blaney are a bit ‘right of sanity’ if he is not joking about waterboarding being acceptable.

The Tories are scrambling to disassociate themselves with the YBF – but they do have a bit of a problem…according to The Guardian they appear to be outsourcing training to the YBF at a cost of ‘hundreds of pounds per person’. Of course… it is possible (and in the minds of some Tories..probably a certainty) that The Guardian is putting the boot into the YBF for ‘political reasons’.

The Guardian noted: “A spokesman for the Conservative party said people attend YBF courses of their own volition and they are not financially supported by the party.

Conservative Central Office would not comment on whether the planned YBF training courses being promoted by Conservative Future will go ahead in the light of the revelations.”

Jon Venables and the Rule of Law

Our country may, according to Cameron et al, be ‘broken’, our country may be ‘broke’, our country may be dysfunctional and populated with venal, self important, self serving and selfish people – an apocalyptic vision made manifest each day by the Sun and The Daily Mail – but, thankfully they are in the minority.

I cannot begin to imagine the pain and misery suffered by Jamie Bulger’s mother and father – few have suffered the horror of having a child murdered, far more intense arguably than accidental death or even honourable death in military service and only those who have suffered such loss, truly, can even begin to understand and empathise meaningfully. I do not, however, support the view taken by Jamie Bulger’s parents and 70,000 others who have signed The Sun’s petition that they have a right to know every detail about Jon Venables. The principle of a fair trial trumps such individual rights and misery – for otherwise we return to the law of the lynch mob and not , as former DPP Sir Ken Macdonald QC states...” (the) steely progress of a criminal case to its just conclusion, whether that is conviction or acquittal.”

There is every prospect, if Venables’ identity is revealed – that some vigilante or criminal in prison will exact ‘ extra-judicialjustice’ whether by throwing hot sugar water over Venables or worse, killing him – for the glory of being applauded as a hero by those who seek justice through the lynch mob’s rope.

I’m with Sir ken Macdonald QC on this…he writes: “None of us, of course, owns the truth in any of this. But we may suspect that, since he has been returned to jail, Jon Venables could have done something sufficiently serious to face trial in the future. And what if there are others to be tried alongside him? It is a racing certainty they will argue that any case must be abandoned if the jury has an inkling about their companion in crime. It would be a shame if a tabloid conclusion that this young man has done something awfully wrong turns out to be true and yet he can never be tried because a couple of editors were too blind to our system of justice to see how they might frustrate it.”

Today’s story for Editors eager to please and appease could well lead to far greater injustice. There was a quote on twitter yesterday to the effect… “They should have hung them when they were 10. Killing children is wrong” That, it would seem, is a very common view – but they do say that if there was ever a referendum on the death penalty in Britain – the majority would bring back the rope. I would not. Flawed though our system of justice is (and probably always will be in an imperfect society) – it is by far better than the rule of the mob.

Jon Venables: the right to know

Justice cannot be served at trial unless Jack Straw holds his nerve on unmasking Jon Venables
Sir Ken Macdonald

Dan Michaluk

daniel-michaluk@hicksmorley.com (Dan Michaluk) — Tue, 09 Mar 2010 04:52:01 GMT

Many questions have been raised about the provision in Ontario’s new workplace violence legislation that requires employers to disclose information about individuals who may cause physical injury to workers. My take on the provision is that it is meant to promote good behavioral threat assessment processes. I’ve laid out my reasoning below. The section everyone’s talking [...]

The section everyone’s talking about is section 32.05(3). It reads as follows:

(3) An employer’s duty to provide information to a worker under clause 25 (2) (a) and a supervisor’s duty to advise a worker under clause 27 (2) (a) include the duty to provide information, including personal information, related to a risk of workplace violence from a person with a history of violent behaviour if,

(a) the worker can be expected to encounter that person in the course of his or her work; and

(b) the risk of workplace violence is likely to expose the worker to physical injury.

The first question asked about this provision is, “How do we know if a person has a history of violence?” The language of the provision is strict: it does not say “known history of violence.” Does this mean that employers must be omniscient? Not likely. Health and safety legislation is typically drafted in onerous language to encourage behavior that maximizes protection for workers but, under the Charter, the government cannot preclude a due diligence defence. So the government can encourage employers to act upon knowledge of an individual’s history of violence as it has done, but can’t legislate a requirement to be omniscient if it is reasonable to protect a worker by knowing less about another individual’s history.

What is reasonable then? This is certainly a point that will be litigated, but there is a wealth of available literature on threat assessment to give employers guidance today. If I can simplify, this literature requires organizations to (1) have access to the right people (who can assess a threat based on reports about individual behavior); (2) who can be provided with the right information (including all known behaviors about a threat plus information that can be gathered through reasonable threat inquires); (3) so they can assess threats at the right time.

What about human rights and privacy concerns? Regarding human rights concerns, threat assessment is not about “profiling” an individual based on a stereotype but, rather, is about gathering facts about behavior to understand a potential threat. Performed properly, it should be defensible. Regarding privacy, threat assessment requires access to information about threats, but in my understanding the most common threat assessment failure is the failure to process known information. Employers may have a duty to gather information in the course of conducting an assessment, but the more fundamental duty is to “know what you know” by having a system in place for reporting and recording concerning behavior in the workplace, including all violent acts. This conception – know what you know and conduct threat inquires as necessary – seems to strike a fair balance between workplace health and safety and personal privacy.

The second point worth noting about this much discussed provision is that the duty to disclose is triggered when “the risk of workplace violence is likely to expose the worker to physical injury.” Compare this language to the language of the work refusal provision for workplace violence, which establishes that a worker’s refusal to work may be resolved by determining whether, “workplace violence is likely to endanger himself or herself.” An employer is required to actively manage exposure to workplace violence to ensure endangerment is not likely, but is not required to disclose personal information to other workers before physical harm is likely. The disclosure standard is therefore relatively high. One would imagine that in a significant majority of cases the risk of workplace violence will be controlled without the need to disclose. The provision seems like it is meant to protect the limited number of employees who are required to interact with individuals who pose a specific threat of physical violence but who cannot be controlled through other means due to either legal or practical restrictions (e.g. security guards, employees responsible for caring for individuals who pose a risk of violence…).

For those of you interested in reading more about threat assessment, there are some leading resources at the United States Secret Service National Threat Assessment Center. The complete text of Bill 168 is here.

COBRA Subsidy Extended Through March 31, 2010

Mon, 08 Mar 2010 20:03:39 GMT

The COBRA subsidy, originally outlined in the American Recovery and Reinvestment Act (ARRA) and subsequently extended, covered involuntary terminations through February 28, 2010. Without another extension, employees involuntarily terminated beginning March 1 would not have been eligible to receive this COBRA premium assistance.

Congress had been attempting to push back the extension one more month, but that bill was blocked by Senator Jim Bunning. However, Bunning yielded last Tuesday and the extension has now been officially pushed back until March 31, 2010. This will allow qualified individuals who are involuntarily terminated before that date to reduce their health plan costs by 65% through the subsidy. A bill called the American Workers, State and Business Relief Act of 2010 includes a provision to extend the subsidy through year-end. We will continue to monitor this ever-changing situation, so please be sure to check back.

charonqc

Mon, 08 Mar 2010 15:51:50 GMT

Jack Straw was called to the house this afternoon at 3.30 to give a statement on the recall of Jon Venables to prison. The press speculation on Venables’ return has been quite extraordinary. Straw made it clear that he had every sympathy for the the parents of James Bulger – but at the request of [...]

Dominic Grieve, Shadow Justice Secretary, stated that the Justice Secretary was entitled to support but he had to earn that support by making a clear statement about the way the justice system worked. Grieve also stated that the Justice Secretary could have avoided all the press speculation had he been more clear about how the recall system works and to explain the need for a fair trial.

For my own part – the rule of law, the principle of fair trials, is more important than individual needs, and while I can well understand the distress of James Bulger’s family, a fair trial on the new offences would be impossible, in all likelihood, if more information was given at this stage. The mood of the house was with Straw’s position and the Rule of Law – thankfully.

The press has not been that helpful here and, I suspect, the reports they have published may well have added to the distress of James Bulger’s parents. I would go further and say that the press has followed its own needs, rather than the needs of the Bulger parents.

Article 29 Working Party Provides Guidance On Data Controller/Processor Concepts

Mon, 08 Mar 2010 10:58:06 GMT

Who is in “control” of personal data and who merely processes personal data on behalf of a data “controller”? These are essential questions for purposes of compliance with EU data protection requirements, yet answering them can be quite problematic in practice. The EU Data Protection Directive defines the controller as the person or entity that determines, alone or jointly with others, the purposes and the means of the processing of personal data. The processor, on the other hand, is the person or entity that processes personal data on behalf of the controller. Applying these concepts to a practical case may have been straightforward in the early days of the Directive, but in today’s Web 3.0, RFID and cloud computing environments many are perceiving the controller and processor distinction as archaic and, most importantly, unworkable in practice. At the same time, under the current legal regime the distinction is crucial in order to determine who is responsible for compliance with EU data protection rules, what Member State laws apply, and which data protection authorities are competent to supervise data processing operations.

Last November in Madrid, when the 31^st International Conference of Data Protection and Privacy Commissioners adopted the “International Standards on the Protection of Personal Data and Privacy”, there was a sparkle of hope that the controller and processors concepts would not survive the upcoming review of the EU data protection framework. The Standards use the more pragmatic concepts of “responsible person” (instead of “controller”) and “processing service provider” (as opposed to “processor”).

However, on 16 February 2010, the Article 29 Working Party (WP) adopted an opinion (Opinion 1/2010) on the concepts of “controller and “processor”, in which it takes the position that there is no reason to assume that the current distinction between controllers and processors would no longer be relevant and workable. The Article 29 WP acknowledges that applying these concepts to concrete situations can be complex, which is why it is providing specific guidance in its opinion to ensure a consistent and harmonized approach throughout the EU.

The Article 29 WP’s opinion includes a comprehensive analysis of the controller and processor concepts as well as practical examples and rules of thumb on how to approach the concepts pragmatically. Without going into any level of detail, here are just a few of the Article 29 WP’s pearls of wisdom that can be found in the Opinion:

In many cases the responsibility of data controller can be attributed on the basis of an assessment of the factual circumstances. Contractual terms can often clarify the issue, although they are not decisive under all circumstances. Even if a contract is silent on who is the controller, it can still contain sufficient elements to assign the responsibility of controller to the party that apparently exercises a dominant role in that regard.

The data controller must determine the purposes and the means, i.e., the “why” and the “how” of certain processing activities. The crucial question, however, is to which level of detail somebody should determine purposes and means in order to be considered as a data controller. According to the Article 29 WP, whoever decides on the “purposes” of a data processing operation should be the controller. The data controller can delegate the determination of the “means” of the data processing, as far as technical or organizational measures are concerned. Substantial decisions that may affect the lawfulness of the data processing (e.g., how long will the data be stored) are reserved to the data controller.

In some cases, there may be several persons or entities that determine the purposes and means of a particular data processing operation and that therefore qualify as “joint controllers”. Although contractual arrangements can be useful in assessing joint control, they should always be checked against the factual circumstances of the parties’ relationship. Parties acting jointly also have a certain degree of flexibility in sharing and allocating data protection obligations and responsibilities, as long as they are compliant.

A data processor is a separate legal person or entity with respect to the data controller and processes personal data on the data controller’s behalf. The data processor is called on to implement the data controllers’ instructions at least with regard to the purposes and the essential means of the processing. The lawfulness of the processors’ data processing therefore depends on the specific mandate given by the controller. A data processor exceeding that mandate could be viewed as assuming the responsibilities of a (joint) controller.

The Article 29 WP’s opinion provides useful explanations and guidance in general, and its analytical approach is helpful. It is perhaps regrettable that the many examples in the opinion do not always include in-depth discussions of the specific issues raised (for instance, data processing by recruitment agencies or in the context of clinical trials).