BLAST
Section of Science and
Technology Law
750 North Lake Shore Dr.
Chicago, IL 60610

IN THIS ISSUE DECEMBER 2001


CHAIR'S LETTER
- Raymond L. Ocampo Jr.

I write this letter in December with the holidays approaching and upon us. Although this issue of BLAST may not reach you until after the season has passed, I extend happy holiday wishes to everyone!

It is customary to count blessings during the holidays, and I do so in this letter. Among our Section blessings is our Section Director, Shawn Taylor Kaminski, whose work has ensured the smooth functioning of our Section in times of great change within the ABA. We have been blessed to be able to hire a new staff assistant, Deborah Douglas, who joined us in November: welcome, Deborah. Thank you, Shawn and Deborah, for keeping our Section ship sailing through waters rough and calm, just as your predecessors, Ann Kowalsky and Alanna Sullivan, did earlier this year.

Paul Bailey has served as editor of BLAST for more years than he can remember. While Santa brings us goodies once a year, Paul brings us BLAST once every quarter, and he does so without Santa's elves. Thank you, Paul, for your contributions over the past several years.

Lance Johnson has been the program chair for at least the past two years. Santa checks his list twice for naughty versus nice, but Lance conducts multiple analyses of program proposals in the context of a rapidly-changing world. Making program lineup recommendations for the Annual Meeting is a more difficult job (though much less financially rewarding) than a television network executive's job of scheduling television shows. Thank you, Lance, for your work on programming, and thank you also to Heather D. Rafter and William Sloan Coats for helping Lance.

Our Section has been blessed this year with a record number of program proposals, which means that we will be required to turn down programs that we would proudly have accepted in earlier years. Thank you to all who submitted proposals for programs in Washington, D.C.

We have been blessed by the efforts of Julie Fleming, Erika King, and others in publishing the inaugural issue of Biotech Briefing, a newsletter of the Biotechnology Committee that has received rave reviews from many who have read it. Congratulations and thank you, Julie and Erika.

Our Section is blessed to have wise counsel from the Officers of the Section. Our Section is particularly blessed to have two Past Chairs as its Section Delegates, Ellen J. Flannery and Scott F. Partridge. Their diplomacy and credibility add luster to our Section's reputation within the ABA.

Thank you to those who make this Section go, which in a sense means all of you. We are graced by your efforts on behalf of the Section and blessed to be in your company. I look forward to seeing many of you at the Mid-Year Meeting in Philadelphia.

Happy holidays and happy sledding!


FIRST INFORMATION SECURITY CONFERENCE

- Stephen Wu, co-chair and Kimberly Kiefer, co-chair

The Information Security Committee (ISC) held the First Annual Information Security Day Conference on November 5, 2001 in conjunction with the quarterly meeting of the ISC in Washington D.C. The Conference included a program concerning the protection of private consumer information and a program covering the timely issue of protecting critical information infrastructures. The Conference was a further step in the ISC's expansion of its activities into information security issues generally and reflected its dedication to exploring the cutting edge of law and information security-related issues. On November 6-7, the ISC held its quarterly meeting and advanced the work of its various working groups.

The Security Side of Privacy: Protecting Consumer Information
The Information Security Day Conference's first program concerned the security aspect of protecting the privacy of consumer information. The keynote speaker for the program was Jessica Rich, Assistant Director, Division of Financial Practices at the Federal Trade Commission's Bureau of Consumer Protection. She detailed the priorities of the FTC under the new administration. These priorities include protecting against the misuse of consumer information to prevent physical attacks, identity theft, and unwanted solicitation; enforcing privacy policies in both the online and offline worlds; increasing enforcement efforts concerning the Children's Online Privacy Protection Act; and improving education and outreach to companies handling personally-identifiable information. With respect to Gramm-Leach-Bliley Act (GLB) implementation, the FTC will be looking for written security plans for non-bank entities covered by GLB and within FTC jurisdiction. Examples of items in such plans include employee training, management oversight, disposal of media containing personally-identifiable information, incident response measures, testing of security, and the oversight of outside contractors.

The second part of the program following Ms. Rich's keynote address was a panel discussion concerning efforts to secure private consumer information. The moderator for the panel was Joseph Alhadeff, Vice President of Global Public Policy and Chief Privacy Officer of Oracle Corporation.

During the panel discussion, Patrick Cain, Security Advocate for Genuity Inc., described the unique difficulties faced by an Internet service provider in relation to the private consumer information generated by its customers. An ISP is likely not a party to the transaction between a consumer and an ISP's customer, according to Mr. Cain, and yet the ISP may store or transmit private information from consumers who may be in locations around the world.

Denley Chew, Counsel for the Federal Reserve Bank of New York, reported on the state of privacy legislation as it relates to the financial services industry. Prior to the September 11 attacks, the emphasis of the industry had been on complying with the Gramm-Leach-Bliley (GLB) Act. Among other things, GLB gave rise to inter-agency "Guidelines Establishing Standards for Safeguarding Consumer Information," which require regulated financial institutions to have a comprehensive, written information security program. Following the September 11 attacks, Mr. Chew noted, the focus shifted to legislative efforts that may affect consumer privacy rights, although in the law enforcement context. Chief among these is the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act), which permits companies holding private consumer information to share information to a greater extent with government entities investigating terrorism.

Alan Goldberg, Director, Goulston & Storrs, described the security side of privacy in the context of the healthcare industry. Healthcare information is protected by the Health Insurance Portability and Accountability Act (HIPAA), which has resulted in final privacy regulations and proposed security regulations. Mr. Goldberg stated that security is an essential prerequisite of privacy, and the two must work together to be effective. Security requirements are still in flux. Thus, he suggested that providers should be skeptical of "HIPAA compliance in a box" solutions in the market.

Harriet Pearson, Chief Privacy Officer, IBM, also mentioned that organizations cannot protect privacy without good security. The threats posed by computer crime will continue to increase. According to Ms. Pearson, the vast majority of security initiatives undertaken by organizations will not implicate privacy concerns, although some will. Among new technologies, however, will be ones that enable greater privacy, such as the Platform for Privacy Preferences Project (P3P). Eventually, privacy-enhancing technologies will be built into the infrastructure.

Sarah Andrews, Research Director, Electronic Privacy Information Center, stated that although security is an important aspect of privacy, providing security does not amount to ensuring privacy. Security technologies, moreover, do not always address privacy concerns. Ms. Andrews stated that some authentication technologies and environments implicate concerns of tracking online users, linking their activities together, secondary uses of gathered information, and accidental disclosure of information. She recommended increased use of technologies that permit credentialing without necessarily requiring a link to an identity.

Critical Infrastructure Protection: Identifying Threats, Implementing Safeguards, and Responding to Incidents
The Conference's second program addressed the protection of critical information infrastructures and discussed the process of identifying security threats and vulnerabilities, implementing security solutions, and handling breaches and other incidents. The keynote speaker for this program was Margie Gilbert, Director of Critical Infrastructure, Office of Cyberspace Security, National Security Council. She spoke of the efforts to coordinate and organize cyberspace security matters with the NSC and the Office of Homeland Security, which is headed by Tom Ridge. In the history of this country, according to Ms. Gilbert, the federal government and the citizenry have been largely reactive in response to security threats. The new efforts of the Office of Cyberspace Security are focused on coordinating efforts between the public and private sectors to address security threats at a national level and making federal efforts more proactive. She believes that the federal government's assistance in response to virus threats will provide a viable model for handling other information security threats.

The final part of the program following Ms. Gilbert's keynote address consisted of a panel discussion concerning critical infrastructure protection. The moderator for the panel was Craig Silliman, Director of the Network and Facilities Team at Worldcom/UUNET Technologies.

Harris Miller, President, Information Technology Association of America, talked about the growing threat of cybercrime, its motivations, and its various forms. Mr. Miller also spoke of the activities of the Information Technology Information Sharing and Analysis Center (IT-ISAC), organized this year pursuant to the Clinton Administration's Presidential Decision Directive 63. ISACs are intended to facilitate the collection and sharing of incident and response information among their members and to facilitate information exchange between the government and the private sector. The IT-ISAC focuses on information security incidents, threats, vulnerabilities, countermeasures, and best practices. It has held a series of cybercrime summits to promote cooperation between industry and law enforcement, and is promoting cybercitizenship among young people to educate the next generation about cyberspace ethics and responsibility.

Mark Rippe, Vice President of Operations, VeriSign Global Registry Service, provided a perspective on critical infrastructure protection based on the experience of a private industry entity in overseeing the protection of several pieces of critical infrastructure for the Internet. These infrastructures include two of the Internet's thirteen root servers; the Shared Registry System for the .com, .net, and .org generic top level domains; registries for certain country code top level domains; and the certification authority private keys used by VeriSign as well as by certain VeriSign affiliates and enterprise customers. Mr. Rippe discussed some of the precautions that can be taken in response to both intentional and unintended risks. He cautioned, however, that an attacker with sufficient commitment and resources can circumvent any precautions implemented.

Scott Eltringham, Trial Attorney, Computer Crimes and Intellectual Property Section (CCIPS), Department of Justice, discussed the role of CCIPS and the Department of Justice in the prosecution of various computer crimes. He also described the efforts of the Administration and Congress in addressing information security matters. Executive Orders 13231 and 13228 establish, respectively, the President's Critical Infrastructure Protection Board to coordinate federal critical infrastructure protection efforts, and the Office of Homeland Security to coordinate national strategy aimed at protecting the United States from attack. Mr. Eltringham mentioned the legislation pending in Congress concerning antitrust and Freedom of Information Act exemptions to facilitate greater sharing of security-related information. In addition, he spoke about GovNet, a proposed Internet Protocol-based secure network shared by federal agencies to be kept separate from the existing Internet and phone network.

Steven Chabinsky, Principal Legal Advisor for the National Infrastructure Protection Center (NIPC) talked about the activities of NIPC in assisting the private sector. NIPC, part of the Federal Bureau of Investigation, provides analysis and warnings about security threats, helps to formulate appropriate government responses to attacks, determines ways of preventing further problems stemming from security threats, and in working closely with each industry-specific ISAC, facilitates public-private sector information sharing.

Chris Wysopal, Director of Research and Development, @stake, Inc., described the increasing risks to critical information infrastructures. Factors causing the increased risk include growing interconnections of networks among business partners, vendors, and suppliers; the increasing power of single actors to attack networks; the standardization of platforms, which magnifies the impact of vulnerabilities; the trend toward outsourcing to companies hosting shared infrastructures; and uneven financial incentives to provide security. Mr. Wysopal described risk management techniques of transferring risks when appropriate to entities such as technology vendors, remediating risks of applications developed in-house, and planning for inherent or residual risks through incident detection and handling procedures, business continuity and disaster recovery procedures, and perhaps insurance coverage.

Scott Frewing, Assistant United States Attorney, U.S. Attorney's Office, Computer Hacking and Intellectual Property Unit (CHIP), Northern District of California, discussed the creation of the Northern District CHIP unit and others like it, its mission, the personnel who staff it, and some representative cases. The CHIP unit's goal is to assemble a team of prosecutors with specialized expertise and ability to focus on high technology cases. Examples of such cases include copyright and trademark violations, theft of trade secrets and technology components, computer intrusions, and Internet fraud. Mr. Frewing also highlighted certain criminal statutes relevant to information security.

Quarterly Meeting
During its quarterly meeting, the ISC discussed launching a new work product to address strengthening the security of existing systems of government identification, such as social security cards, driver's licenses, and passports. The Committee believed such an effort would be timely in light of various proposals for increased security measures, such as the creation of a national identification card, debated after the September 11 attacks. The ISC also continued progress on the Information Security Handbook, a project intended to provide corporate management, counsel, and practitioners with an introduction to, and overview of, information security issues relevant to business operations and the law.

The ISC heard from four speakers during the meeting:

  • Julie Hedlund, Senior Director of Electronic Commerce at the National Automated Clearing House Association (NACHA), who spoke of the current state of NACHA initiatives to advance forms of electronic payments;
  • Avi Rubin, Principal Researcher at AT&T Labs, who outlined efforts to protect web sites from hacking attacks, including the use of "exit control appliances" to detect damaged content following a request to see the content and, if necessary, provide the last known reliable content to the user;
  • Timothy Nagle, Director, Information Security, TRW Systems, Intelligence Systems Division, who briefed the Committee concerning the activities of the National Security Telecommunications Advisory Committee, a panel of thirty senior industry executives in the telecommunications industry appointed by the President to advise the administration on telecommunications security matters; and
  • Angeline Chen, Associate General Counsel and Director of Compliance and Policy at International Launch Services, who told the Committee of the efforts taken by government to provide homeland security and its focus on identifying threats, improving emergency preparedness, and assisting in coordination among government entities and with the private sector.
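The "exit control" idea in Dr. Rubin's talk (check a page on its way out, and fall back to the last known-good copy if it has been tampered with) is simple enough to sketch. The following is an added illustration, not code from the ABA page or from AT&T Labs; the class name, the sample HTML and the incident-record layout are assumptions made for this example. It fingerprints each approved page with SHA-256 at publish time, re-hashes the server's response on every request, and substitutes the approved copy when the two differ.

```python
# Added example (not from the ABA page or Dr. Rubin's talk): a minimal
# "exit control" check in the style the bullet describes. Names, the HTML
# samples and the incident-record layout are assumptions for this illustration.
import hashlib
from typing import Dict, List, Tuple


def digest(content: bytes) -> str:
    """SHA-256 hex digest used as the content fingerprint."""
    return hashlib.sha256(content).hexdigest()


class ExitControl:
    """Sits between the web server and the client.

    publish() records a known-good version of a page (the fingerprint a
    legitimate deployment is expected to produce). serve() compares what the
    server is about to send against that record and, on mismatch, returns the
    last approved copy instead and logs an incident.
    """

    def __init__(self) -> None:
        self._approved: Dict[str, Tuple[str, bytes]] = {}  # path -> (digest, copy)
        self.incidents: List[Dict[str, str]] = []

    def publish(self, path: str, content: bytes) -> str:
        """Register content as the trusted baseline for path; returns its digest."""
        fp = digest(content)
        self._approved[path] = (fp, content)
        return fp

    def serve(self, path: str, server_content: bytes) -> Tuple[bytes, str]:
        """Return (body, status); status is "ok", "restored" or "unverified"."""
        if path not in self._approved:
            # No baseline: pass through, but flag it so coverage gaps are visible.
            return server_content, "unverified"
        expected_fp, good_copy = self._approved[path]
        observed_fp = digest(server_content)
        if observed_fp == expected_fp:
            return server_content, "ok"
        # Mismatch: record what was seen and send the approved copy instead.
        self.incidents.append(
            {"path": path, "expected": expected_fp, "observed": observed_fp}
        )
        return good_copy, "restored"


def run_demo() -> Tuple[str, str, int]:
    """Constructed scenario: one clean request, then one after a defacement."""
    ec = ExitControl()
    ec.publish("/index.html", b"<h1>Welcome</h1>")  # constructed sample page
    _, first = ec.serve("/index.html", b"<h1>Welcome</h1>")
    body, second = ec.serve("/index.html", b"<h1>defaced</h1>")
    assert body == b"<h1>Welcome</h1>"  # the client still gets the approved copy
    return first, second, len(ec.incidents)


if __name__ == "__main__":
    print(run_demo())  # ('ok', 'restored', 1)
```

Two caveats a practitioner would want: the baseline store must be writable only through the trusted publishing path (otherwise an intruder simply re-publishes the defaced page as the new baseline), and pages with dynamic content need either exclusion or canonicalization before hashing, or every request will register as tampering.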

The ISC has posted several of the conference panelist and meeting speaker presentations on the ISC's web site at http://www.abanet.org/scitech/ec/isc/home.html.

The next meeting of the ISC will take place February 16-18 at a location to be determined in the San Jose, California area. This meeting time is immediately prior to RSA Conference 2002, scheduled for February 18-22, 2002 in San Jose. When details concerning the meeting are available, they will appear on the ISC's web site at http://www.abanet.org/scitech/ec/isc/.

The Information Security Committee
Stephen Wu, Co-Chair, InfoSec Law Group, PC, swu@infoseclaw.com
Kimberly Kiefer, Co-Chair, kkiefer@verizon.net

