One of the most serious challenges facing both the public and private sectors is cybersecurity. Gus Coldebella, former Deputy General Counsel and acting General Counsel for the Department of Homeland Security, now back in private practice, addresses the role of Boards of Directors.
A few weeks ago the Supreme Court notified Congress of this year’s proposed amendments to the Federal Rules of Criminal Procedure. Without further congressional action, the new rules will become final in December 2016. Several amendments to Rule 41, which governs search and seizure warrants, have generated some opposition on the grounds that they are unconstitutional and unlawfully confer new legal powers on the government. As I explain below, however, those legal objections are not well-founded. The amendments only loosen venue requirements, removing artificial geographical constraints on the issuance of certain types of warrants.
On July 14, 2016, the U.S. Court of Appeals for the Second Circuit issued a landmark decision addressing a number of important issues of national sovereignty and electronic privacy. See Microsoft v. United States, No. 14-2985. The Court held that U.S. law only authorizes the government to seek disclosure of electronic communications (such as emails) stored within the territory of the United States, and that any disclosure of information stored abroad must be obtained pursuant to a Mutual Legal Assistance Treaty or the laws of the country in which the data is stored.
A recent article in the Wall Street Journal (paywall) points out a legal issue that judges are increasingly facing as they consider class action lawsuits brought against companies that become victims of criminal hacking:
Data breaches have forced judges to wrestle with new notions of what it means to suffer an injury. Though cyberattacks against companies can cause widespread damage, any harm to customers is often hard to quantify and tough to trace, making it difficult for them to pursue redress in the courts.
In most cases, the economic damage falls on the primary victim of the hacking, i.e., the company whose systems are breached. In addition to any embarrassment, the victim must also spend resources to investigate the hacker's entry point, identify the scope of the compromise, and purge the intruder from its systems.
If the hacker actually obtains data about individuals from the victim company, the victim company may also become a target for legal action from a variety of sources, including state attorneys general, the Federal Trade Commission, and class action lawsuits brought by private parties. As the article explains, plaintiffs bringing private cases often have a hard time showing standing and damage. That's because most of the time, there's no clear indication that the hacker used any particular person's information in a way that caused actual damage.
Many of us expected the Supreme Court to clarify whether these kinds of suits can survive in Spokeo, Inc. v. Robins this year, but the Court dodged. So there's a good chance that the issue will be coming back up to the high court eventually.
George Washington University law professor Orin Kerr has a typically thoughtful column today on the FBI's insistence that Apple unlock the older-model iPhone used by San Bernardino shooter Syed Farook. One point he makes that seems missing from most of the coverage is this:
There's a lot of public discussion about whether the order would require Apple to create a "backdoor" into the iPhone. I think it's probably more accurate to say that this particular model phone, the iPhone 5C, has a built-in security weakness—depending on how you define the term, a kind of backdoor—already. The government's order would require Apple to exploit the potential backdoor in Apple's design. Importantly, though, Apple redesigned its phones after the iPhone 5C to close this potential backdoor. Later phones, starting with the iPhone 5S, have apparently eliminated this potential way in. As a result, the specifics of the order in the San Bernardino case probably only involve certain older iPhones.