This month, bite into over fifteen juicy stories. A recording of a bus driver verbally abusing a child is found inadmissible; researchers are finding ways to uncover lies and deception in electronic formats; lawyers are impacted by firm blogs and insurance risks.

LEGAL BLOGS: CAN THEY IMPACT A FIRM'S INSURABILITY?

On April 4th, Chubb Group of Insurance Companies issued a statement that provides guidelines for law firms that want to get into the business of blogging, without hurting their insurability. In sum, it's OK to post bulletins on Web logs but not to answer questions that could be construed as seeking advice. Chubb issued the clarification in the wake of publicity stirred by a March 16th New Jersey Law Journal report that the carrier refused to cover a blog proposed by a Freehold, N.J., firm, Lomurro Davison Eastman & Munoz. When partner James Paone II called Executive Risk Specialty, a unit of Chubb, he was told "this is not a risk they are interested in undertaking." Word of the denial of coverage spread like wildfire, especially - no surprise - in blogs. Chubb said it released its April 4 statement to correct "confusing media reports about the company's willingness to insure blogs." The company said that informational blogs, which are essentially

news, "pose a minimal level of risk from Chubb's underwriting perspective, but that advisory blogs, such as those in question-and-answer format, potentially establish attorney-client relationships that can lead to malpractice suits." Chubb said that its underwriters will evaluate each submission on its own merits. Chubb's position on law firm blogs may be found here.

NEW YORK: FIRST SETTLEMENT UNDER DATA BREACH LAW

On April 26 th, New York Attorney General Andrew Cuomo announced that his office had obtained the first settlement under the state's new security breach notification law. The agreement was with CS Stars LLC, a Chicago-based claims management company, to implement precautionary procedures, comply with New York's notification law in the event of another security breach, and pay $60,000 to the AG's office for investigation costs. On May 9, 2006, an employee at CS Stars noticed that a computer was missing that held personal information, including the names, addresses, and Social Security numbers of recipients of workers' compensation benefits, according to the AG's office. The New York Special Funds Conservation Committee, a not-for-profit organization created to assist in providing benefits to workers under the New York Workers' Compensation Law, was the owner of the data contained in the missing computer. However, it was not until June 29, 2006 that CS Stars first notified Special Funds of the security breach, the AG's office reported. On the same date, the company notified the FBI, as well. Approximately 540,000 New Yorkers might have been impacted. As it turned out, the FBI determined that the computer had been stolen by an employee of a cleaning contractor and recovered the machine, whose sensitive data did not appear to have been accessed. Under New York's Information Security Breach and Notification Law, any business that maintains private information which it does not own must notify the owner of the data of any security breach "immediately following discovery" of the breach. They also must notify all affected consumers in the "most expedient time possible." Further information may be found here

MAJOR ANTI-SPAM LAWSUIT FILED IN VIRGINIA

On April 26 th, a company representing Internet users in more than 100 countries filed a lawsuit in Virginia seeking the identity of individuals responsible for harvesting millions of e-mail addresses on behalf of spammers. The suit was filed in U.S. District Court in Alexandria on behalf of Project Honey Pot, a service of Unspam Technologies LLC, a Utah-based anti-spam company that consults with private companies and government agencies. This is thought to be the first anti-spam case brought by a class of Internet users not affiliated with any single Internet service provider. The company filed the suit on behalf of some 20,000 people who use its anti-spam tool. Web site owners use the project's free software to generate pages that feature unique "spam trap" e-mail addresses each time those pages are visited. The software then records the Internet address of the visitor and the date and time of the visit. Because those addresses are never used to sign up for e-mail lists, the software can help investigators draw connections between harvesters and spammers if an address generated by a spam trap or "honey pot" later receives junk e-mail. The suit filed names defendants as "John Doe," meaning that the plaintiffs will ask the court for the authority to subpoena records from ISPs to verify the identities of owners and operators of e-mail harvesters. The case was filed under the Virginia anti-spam statute, as well as a federal 2003 anti-spam law. The complaint in the case may be found here.

NEW ENGLAND BANKS SUE TJX FOR DATA BREACH

Bankers associations in Massachusetts, Maine and Connecticut announced on April 24 th that they had filed a class action lawsuit against retail giant TJX Companies for damages caused by a series of computer breaches that exposed 45.6 million credit-card accounts. The associations, which represent nearly 300 banks, paid up to $25 per card to replace credit-card and debit-card accounts considered to have been put at risk by hackers that took information from TJX's processing systems during online break-ins between July 2005 and early this year. While the fraud is not the fault of the issuing banks, they have to pay to replace any cards they deem to have been compromised by such breaches. Florida law enforcement officials confirmed that credit and debit accounts stolen from TJX's systems had been used as part of gift-card fraud schemes, racking up at least $8 million in fraudulent charges. Banks and consumers had also held the company liable for a surge in credit-card and debit-card fraud that came soon after the retailer acknowledged the breach, but because credit-card companies do not have to disclose the source of a breach, the evidence is still circumstantial. "If we are successful against TJX, the nation's major retailers will finally wake up to the fact that not protecting consumer data is an unfair trade practice and that investment in data management systems to protect consumers and shield consumers against fraud and identity theft is required," Daniel Forte, president and CEO of the Massachusetts Bankers Association, said in a statement. Further information may be found here.

WISCONSIN HOLDS BUS DRIVER RECORDING INADMISSIBLE

On April 3 rd, the Wisconsin Court of Appeals overturned a lower court decision, finding that a recording made by a voice-activated recorder placed in a child's backpack by the child's parent was inadmissible as evidence against the bus driver because it was not evidence obtained by the police. Jacob Mutulo's parents became worried in 2004 that their 9-year old son, afflicted by Downs and unable to communicate normally, was being mistreated by his school bus diver. They placed a recorder in their son's backpack which recorded the bus driver yelling such things as "Stop before I beat the living hell out of you" and "I'm going to slap the hell out of you." Duchow eventually was charged with intentionally causing bodily harm to a child and with disorderly conduct. He admitted to slapping the boy twice that day. Duchow pleaded guilty to intentionally causing bodily harm to a child, but reserved his right to appeal. A majority of the Wisconsin appeals court ruled that the recording was lawfully obtained, but could not be lawfully disclosed because it was not done in cooperation with police, and reversed the lower court's ruling sending the case back to the lower court for proceedings consistent with its opinion. It is unclear why the police department didn't choose to make its own recording in the case. The opinion in State of Wisconsin v. Brian Duchow may be found here.

LIE DETECTION SOFTWARE FOR E-MAIL AND TEXTING

In the not-so-distant future, it is possible that researchers at Cornell University may create lie-detection software for e-mail and text messages. For the past three years, professors and students from several universities have coordinated with counterparts at Cornell to conduct experiments, analyze language, and compile a list of indicators of written deception. They have drawn from 40 years of research in linguistics and lies, including recent work in the context of computer media and reviews of Enron e-mails. The National Science Foundation awarded the researchers $680,000 in 2006 to develop software that would sift through text and flag messages in which the authors had lied. Passive voice, verb tense changes, and even noun or verb selection can suggest a person is lying. Researchers said another indicator of written deception is the decreased use of the word "I," which is most likely an attempt to create distance. In interactive speech, like instant messaging and some dialogues, researchers have found that liars go into a "persuasive mode" and increase the length of their message by 30% to describe and explain situations. Over the next three years, the researchers will study linguistic patterns in different situations and train software systems to evaluate communications based on content and context. They will try to train a software system to adapt to subtle differences in communication between friends and co-workers, expressions of fact and opinion, and even specific individuals' lies and truths. Further information may be found here.

COMPUTER FORENSICS EXPERT RAIDED: CP DEFENDANT GOES FREE

Pretty soon we may have a new country-western song from computer forensics experts entitled "Daddy, Can You Go My Bail?" In a fairly remarkable case, an Ohio appellate court basically told the federal government that it would let defendants go free in child pornography cases if the feds interfered with the defendants' constitutional right to due process. In State v. Brady, decided on April 13 th, the appellate court upheld a lower court decision dismissing child pornography charges against Daniel Brady, Sr. The trial court had appointed Dean Boland to serve as an expert witness for Brady in the field of computer forensics. Boland is also a licensed attorney and has served before as an expert witness. The trial court issued a protective order regarding the evidence, saying that the contraband evidence was transferred to permit the defendant's attorney to render effective assistance of counsel, and that expert Boland was also authorized to possess the evidence. Ohio's obscenity statutes permit possession of certain otherwise illegal material if it is used for a "proper purpose" by a "prosecutor, judge, or other person having a proper interest in the material." The state provided the evidence to Boland in June of 2005. On June 24, 2005, the Federal Bureau of Investigation (FBI) executed a search warrant on Boland's residence. The FBI seized Boland's computer and several compact discs, which contained the contraband at issue in the case. An affidavit submitted in support of the search warrant alleged Boland violated Section 2252A, Title 18 U.S. Code. This federal statute does not contain the exemption for a "proper person" using the material for a bona fide purpose similar to the exemptions contained in the Ohio statutes. A hearing in the case against Brady was held and Boland testified that, upon the advice of his counsel, he would not accept another copy of the prospective exhibits containing the allegedly illegal images in this matter. The trial court granted Brady's motion to dismiss and dismissed all 50 counts of the indictment related to pornography. The appellate court agreed with Brady that his constitutional due process rights were violated by the FBI's action, which made it impossible for Brady to use an expert witness. Boland had testified that, "upon the advice of counsel and due to the threat of additional federal prosecution, he could not possess another copy of a compact disc containing the allegedly illegal images in this matter." Further, he testified he could not conduct a proper investigation of any websites from which the images might have allegedly originated. Finally, he could not use his expertise to create potential exhibits for Brady's trial. The court found that "not only was Brady denied the expert services of Boland, he was denied the expert services of all potential experts." Boland testified that no other expert witness would risk federal prosecution to assist Brady. Further, Boland testified that, in his opinion, Brady's counsel was duty-bound to inform potential experts about the possibility of federal prosecution. In light of this requirement, it would be nearly impossible to find a competent expert. At the hearing, it was suggested that Boland could review the materials at issue in Brady's case at the prosecutor's office. This suggested solution would still not permit Boland to create exhibits for trial. Additionally, Boland testified that he uses certain software in his analysis that the prosecutor's office does not have. Also, even though he would be in the prosecutor's office, it could be argued that he "received," albeit temporarily, child pornography in violation of Sections 2252(a)(2)(A) and/or 2252A(a)(2), Title 18, U.S. Code. Another of Boland's concerns was visiting websites where the allegedly illegal images may have originated. He believed he could still be subject to federal prosecution for conducting illegal internet activity at the prosecutor's office. This belief was legitimate in that Sections 2252(a)(2)(A) and 2252A(a)(2), Title 18, U.S. Code prohibit receiving any images of child pornography that have traveled in interstate or foreign commerce, "including by computer." Finally, Boland testified regarding his concern that he would not be able to record any of his work at the prosecutor's office for fear of federal prosecution, therefore, he would have to memorize his entire analysis of possibly hundreds of images for his trial testimony. Upon consideration of Boland's testimony, the trial court concluded that viewing the images at the prosecutor's office was not a viable solution. We agree. The slip opinion in the case may be found at 2007 WL 1113969 (Ohio App. 11 Dist.) or here.

REGISTERFLY AND ICANN FACE CLASS ACTION SUIT

On March 29th, a class action suit against domain name company Registerfly.com and its accreditor, ICANN, was unsealed. The suit had been filed in a North Carolina federal district court two weeks earlier - it alleges that thousands of people have lost or stand to lose their livelihoods due to the negligence of the two companies. Apparently, one day after ICANN found it was being sued, it terminated Registerfly's accreditation to sell domain names, though ICANN says that the timing was coincidental. The suit was originally filed under seal because Plaintiff Anne Martinez was afraid of reprisals from Registerfly's controversial chief executive Kevin Medina. Medina and his ex-boyfriend and business partner John Naruszewicz got involved in a lawsuit for control of the company in February. The suit involved allegations of fraud and embezzlement and saw control of the company briefly transfer to Naruszewicz and then back to Medina. The suit exacerbated a customer service debacle that had been escalating for well over a year. People claimed their domains had been allowed to expire, even if they paid for renewals. Thousands of people are still believed to be at risk of losing their domains, and thus whatever services they run at those domains. Plaintiff Martinez has her business under a domain name which was to expire shortly, but allegedly she was prevented from transferring it due to the fact that the domainhad its ownership details changed to those belonging to Registerfly, under a service known as Protectfly, without Plaintiff's request or consent. Protectfly was designed to be a privacy service. Martinez's suit alleges fraud, deception, racketeering and negligence as it relates to Registerfly. The registrar eNom, a Registerfly partner and part of Demand Media Inc, is named as a defendant on some of these counts. ICANN is also named, having allegedly known about the problems at Registerfly for more than a year. ICANN has received customer data about many domains, and has placed a registry-level lock on all of them to prevent deletion, but there are still many Protectfly-enabled domains for which it has no idea who the rightful owners are. Further information may be found here.

PERSONAL COMPUTER AT WORK: 10TH CIRCUIT FIND NO PRIVACY

On April 3rd, the 10th Circuit Court of Appeals issued its opinion in U.S. v. Barrows, affirming a lower court conviction of the defendant on child pornography charges. Michael Barrows was the treasurer for the city of Glencoe, Oklahoma when he brought his personal computer to work so he wouldn't have to share a computer with another city employee, a clerk. The computer was connected to the city network and had no password on it. When Barrows was out of the office, the city clerk experienced a problem accessing a file already in use and asked a computer-savvy reserve police officer who happened to be present to assist him. The officer traced the source of the problem to Barrows computer. He noted that a file-sharing program was running and dug around, finding several instances of child pornography. He then advised the police, who obtained a warrant and seized the computer. After he was indicted on January 17, 2006, on one federal charge of possessing child pornography, Barrows objected to the search, saying he "had an expectation of privacy when he took his personal computer to his workplace at the town hall. It was his private property and was not used by any of the other city employees." Previous cases have gone both ways in terms of warrantless workplace searches. Courts have looked at whether a search is reasonable or not, including whether the workplace is shared, if the property is privately owned, and if any stated you-have-no-privacy policies exist. Barrows claimed he intended for his computer to remain private but the 10th Circuit disagreed, saying that he took no steps to make it private such as using a password or just turning it off, and that the significance of personal ownership is particularly weakened when the item in question is being used for business purposes. The decision in U.S. v. Barrows may be found here.

MICROSOFT SUED OVER VISTA BRANDING

On March 29th, a lawsuit was filed in the U.S. District Court for the Western District of Washington, alleging that Microsoft advertised systems as "Vista capable," when in fact the systems were not able to run Vista properly. The suit alleges that the marketing around Vista was designed to deliberately mislead potential customers. Microsoft has allowed PC vendors to put stickers on their systems saying that they are "Vista ready," when the system could run only Vista Home Basic, which does not allow many of the core features of Vista to run. The suit maintains that it was unreasonable of Microsoft to assume that every person to whom it was marketing Vista could understand the system requirements. According to the class action suit, "consumers were falsely led to believe they would be upgraded to a dramatically new operating system bearing the key features marketed by Microsoft." The complaint in Kelley v. Microsoft may be found at here.

MICROSOFT SUES OVER STUDENT-ONLY SOFTWARE

On April 3rd, Microsoft announced that it had filed nine lawsuits since last fall against individuals and companies that it claims were illegally involved in selling discounted Windows and Office software intended for students. Five of the suits were filed on April 3rd in federal courts in California, Nevada and Florida, alleging that the parties infringed its copyright by importing and distributing versions of Windows and Office that were not meant to be sold through the retail channel. "The defendants in these lawsuits and others are charged with profiting from selling clearly marked educational software to unsuspecting retail customers who were not licensed to use it," Bonnie MacNaughton, senior attorney for Microsoft, said in a statement. Named in the most recent lawsuits are EEE Business Inc., doing business as eBusZone.com; Eric Chan and Ruhui Li, doing business as LCTech; Intrax Group Inc., doing business as Surplus Computers; Global Online Distribution LLC; and Big Boy Distribution LLC. Education-only copies of Office and Windows, which universities around the world buy from academic resellers and offer to students at a fraction of the retail price, are a prime target for fraud. Further information may be found here.

STUDENTS SUE TURNITIN FOR COPYRIGHT INFRINGEMENT

On March 19th, four students turned the tables on plagiarism detection company iParadigms, alleging that it committed copyright infringement by archiving students' work without their permission. The suit, filed in the Eastern District of Virginia, seeks $900,000 in damages for six copyright registrations the students obtained for papers that Turnitin's parent company iParadigms archived. The complaint states that iParadigms contracts with the school districts to check students papers and then archives them without payment to, or consent from, the authors. It explains that students are required to agree to iParadigms' terms or take a "zero" for their assignments, or attend another school. The students also claim that the anti-plagiarism system violates educational privacy laws by retaining personal information about them. The students are not named because they are minors. Further information may be found at here.

FCC ISSUES RULES TO PREVENT PRETEXTING

On April 2nd, the Federal Communications Commission (FCC) issued an order designed to strengthen its current privacy rules by requiring telephone and wireless operators to adopt additional safeguards to protect personal telephone records from being disclosed to unauthorized people. Specifically, the FCC order prohibits carriers from releasing, either over the phone or online, sensitive personal data, such as call detail records, unless the customer provides a password. It also requires operators to notify customers immediately when changes are made to their accounts. It further requires providers to notify their customers in the event of a breach of confidentiality. Phone companies, including wireless, fixed line and voice over IP (VoIP) providers, also must annually certify their compliance with these regulations, inform the FCC of any actions they have taken against data brokers, and provide a summary of the complaints they receive regarding the unauthorized release of personal customer information. The regulations also require telephone carriers to notify law enforcement authorities before impacted customers when they suspect breaches have occurred, a controversial decision in light of the fact that law enforcement has often delayed customer notification citing the impact on ongoing investigations. The new rules will go into effect six months after the federal Office of Management and Budget approves them, a process that by itself could take 120 days or more. Further information may be found here.

9TH CIRCUIT CLARIFIES CDA IMMUNITY FOR PUBLISHERS

On March 29th, the 9th Circuit Court of Appeals released an opinion that upholds a number of lower-court findings against the adult-oriented Web site Perfect 10 in a lawsuit against a family of companies including Web hosting service CWIE and credit card processing firm CCBill. Perfect 10's suit against Arizona-based CWIE and CCBill goes back to 2002 and includes a wide array of allegations, including copyright and trademark infringement, unfair competition, false advertising, and violation of right of publicity. One of the most significant parts of the court's opinion is a section that appears to clarify questions about how a portion of the federal Communications Decency Act (CDA) applies to state laws. The CDA's Section 230, which has proven to be a critical defense for Internet service providers, bloggers and Web publishers, broadly immunizes providers of an "interactive computer service" from liability for content that others post. In its ruling, the 9th Circuit essentially concluded that Section 230 can also shield service providers from liability when they are confronted with allegations that their users violated state laws, such as right of publicity and trademark statutes, which was not always clear. Disputes involving federal copyright and criminal laws, however, continue to be exempt from such immunity. Much of the rest of the opinion centers on interpretations of the Digital Millennium Copyright Act (DMCA). A provision in that law says Web hosts are generally not liable for the content their users post, as long as they take down the offending content promptly upon being notified by the copyright holder and meet a number of other standards, such as not receiving "direct financial benefit" from infringing content. The court made it clear that providers do not have to actively police their systems looking for infringement. The DMCA requires the entity sending so-called takedown notices to include specific information in their requests to service providers, such as identifying the infringing content and certifying, under penalty of perjury, that the person sending the notice is "authorized to act on behalf of the owner of an exclusive right that is allegedly infringed." The three-judge panel found that Perfect 10 fell short of meeting those standards, and because of that, the service providers were not obligated to comply with its requests. The judges said they worried about the First Amendment free-speech violations that could occur if a site removes content when it doesn't actually infringe on copyrights. The opinion in the case may be found here.

CARL ROVE'S E-MAIL GOES MISSING

On April 12th, a lawyer for the Republican National Committee told congressional staff members that the Republican National Committee (RNC) is missing at least four years' worth of e-mail from White House senior adviser Karl Rove that is being sought as part of investigations into the Bush administration. Democrats are suspicious that Rove and other senior officials were using the political accounts, set up by the RNC, to avoid scrutiny from Congress. E-mails already in the public record suggest that at least some White House officials were mindful of a need not to discuss certain matters within the official White House e-mail system. The White House has acknowledged the improper use of political e-mail accounts to conduct official government business. Democrats denounced the White House after administration officials acknowledged that e-mails dealing with official government business, including the firing of U.S. attorneys, may have been lost because they were improperly sent through political messaging accounts. Twenty-two White House officials, and a total of about 50 over the course of the administration, have been given such accounts to avoid doing political work on government equipment. The RNC has indicated that it destroyed all e-mail records from White House officials in 2001, 2002 and 2003. In 2004, the RNC exempted White House officials from its policy of purging all e-mail after 30 days, so any lost e-mail after that date would have been presumably deleted by a White House official. Further information can be found here.

COURT GRANTS PERMANENT STAY: VONAGE CAN SIGN CUSTOMERS

On April 24th, the U.S. Court of Appeals for the Federal Circuit granted Vonage Holdings Corp. a permanent stay against a lower court ruling barring it from providing service to new customers. On April 6, Judge Claude Hilton of the U.S. District Court for the Eastern District of Virginia ordered Vonage to stop signing up new customers after a March jury ruling that the VoIP (voice over Internet Protocol) provider had infringed three Verizon Communications Inc. patents. On the same day, the U.S. Court of Appeals for the Federal Circuit in Washington gave Vonage a temporary stay of Hilton's order. The appeals court made the stay permanent while Vonage appeals the patent infringement decision. The appeal is to be expedited and will take about two months. Vonage and its allies have argued that the District Court interpreted the Verizon patents too broadly. The jury in early March ordered Vonage to pay $58 million for infringing three Verizon patents, two of which focus on using name translation to connect VoIP calls to traditional telephone networks. Further information may be found here.