
Monday, October 31, 2005

Icerocket's Blogs Trend Tool

IceRocket's Blogs Trend Tool is cool, but not for the weak ego. I compared the number of blogs that cited "MT Law Blog" versus me, "Alvin Borromeo," and yikes I didn't even register on the chart. And the chart's scale is in the 1/100,000th! Oh well, so much for vanity.

Marketers and politicians might see the value of this tool for comparing their blog buzz with that of their competitors. For example:

Diet Coke vs. Diet Pepsi
George W. Bush vs. Bill Clinton vs. Hillary Clinton
Ken Blackwell vs. Jim Petro vs. Betty Montgomery
Southwest Airlines vs. JetBlue
Sprint vs. Verizon vs. Cingular
Al Franken vs. Rush Limbaugh vs. Bill O'Reilly
Fox News vs. CNN vs. MSNBC
ABC vs. NBC vs. CBS
Forbes vs. Business Week vs. Business 2.0
Wall Street Journal vs. New York Times vs. Washington Post

And so on ...


Friday, October 28, 2005

Michigan Bill to Offer Incentives for Filmmakers

The great state of Michigan is considering offering tax breaks to filmmakers to entice them to film movies there, instead of elsewhere.

LANSING -- Janet Lockwood, head of Michigan's film promotion office, received a phone call this week from a movie production company in Vancouver requesting four dozen Michigan license plates.

The movie is set in Michigan and they needed Michigan plates on the cars to lend authenticity. Actually shooting the movie here would make it more authentic, but Lockwood said it's cheaper in Canada because of lucrative tax breaks and other financial incentives.


Thursday, October 27, 2005

Blue Nile sues Odimo for copyright infringement

Blue Nile, Inc. has sued (complaint here) Odimo, Inc. for copyright infringement. Blue Nile claims that Odimo "has slavishly copied images from Blue Nile's retail diamond sales website and used those images on its website and has as well copied and imitated other protected elements of Blue Nile's website."


Send a PDF or at least disable track changes

Yikes, what a gigantic blunder on the part of the United Nations! Story here.

THE United Nations withheld some of the most damaging allegations against Syria in its report on the murder of Rafik Hariri, the former Lebanese Prime Minister, it emerged yesterday.

Yes, that's bad. But the really bad part, at least from a technical and security perspective, is this:

The confidential changes were revealed by an extraordinary computer gaffe because an electronic version distributed by UN officials on Thursday night allowed recipients to track editing changes.

Big no no! So if you don't want to be embarrassed like the UN, check out these track changes tips.


Click Wrap Sample

Nice use of a click wrap to capture agreement with a Creative Commons license. First time I've seen that.


Tuesday, October 25, 2005

Hindering Terrorist Financing, Or Not


Open Source Radio

In my Strange Bedfellows post I said that "the party in power will oppose whatever threatens that power." Well, this Forbes article is another example of that theory.

The spread of open source is a threat to established broadcasters, not to mention cellular telephone companies and other holders of FCC licenses. By using open-source software and low-powered “mesh networks” that can sniff out open frequencies and transmit over them, Moglen says, “we can produce bandwidth in a very collaborative way,” including transmitting video and telephone conversations that would normally ride on commercial networks.

And the broadcasters are no doubt worried.

“There's a reason there is the FCC--to protect the integrity of the broadcast band,” says Dan Wharton, spokesman for the National Association of Broadcasters in Washington, D.C. “We're very concerned about the potential for interference.”

And what sayeth the Open Source crowd?

“You cannot regulate code without going through the First Amendment-type balancing tests we have for any other type of speech,” says Cindy Cohn, a lawyer at the Electronic Freedom Foundation in San Francisco. “Code is speech.”

And major companies, mainly Microsoft competitors, are supporting the open source folks.

And companies like Cisco, IBM and Computer Associates are hastening the process along, partly as a way of competing with Microsoft. They've even put $4.3 million into a public interest law firm [Columbia Law School Professor Eben] Moglen installed in New York offices to enforce the GPL.

Folks, we are living in an exciting time. And lawyers will surely play a part in it.


EFF asks: Is your printer spying on you?

From the Electronic Frontier Foundation, Is Your Printer Spying on You?

Imagine that every time you printed a document, it automatically included a secret code that could be used to identify the printer - and potentially, the person who used it. Sounds like something from an episode of "Alias," right?

Unfortunately, the scenario isn't fictional. In a purported effort to identify counterfeiters, the US government has succeeded in persuading some color laser printer manufacturers to encode each page with identifying information. That means that without your knowledge or consent, an act you assume is private could become public. A communication tool you're using in everyday life could become a tool for government surveillance. And what's worse, there are no laws to prevent abuse.


Strange Bedfellows

I try to keep politics away from this blog, but this story from the Dayton Daily News struck me as amusing.

The proposed amendment is one of four election-related proposals on the Nov. 8 ballot supported by Reform Ohio Now, a coalition dominated by Democrats, labor and good-government groups.

The amendments include one that would change how Ohio draws state legislative and U.S. House districts and, in a related development Wednesday, Reform Ohio held a press conference with supporters of Californians for Fair Redistricting.

A redistricting proposal also is on the California ballot, but in California, Republicans, who are in the minority, are leading the campaign.

In Ohio, a Republican-led group, Ohio First Voter Education Fund, opposes the four ballot issues.

It just goes to show you that the party in power will oppose whatever threatens that power.


Monday, October 24, 2005

Pancake Mountain is so much cooler than the Wiggles

Don't get me wrong, I love the Wiggles (did I just admit that out loud?), but man I wish we got Pancake Mountain (now on DVD) on our TV. According to the Washington Post, Pancake Mountain is:

a thoroughly offbeat cable-access kids' show that might even be more fun for adults. A sort of slapstick "Sesame Street" that combines "Pee-wee's Playhouse" silliness with the inspired lunacy of "Monty Python's Flying Circus," the program also boasts an ultra-hip and ever-expanding musical guest list.

My favorite clip is the one with Weird War playing Girls Like That to a roomful of dancing kids. The kid in the orange shirt and striped pants can really bust a move.


Thursday, October 20, 2005

Art, Camel and Copyright Infringement

Artist Michiko Stehrenberger spoke at the University of Hawai'i recently regarding her copyright fight with R.J. Reynolds.

In 2000, R.J. Reynolds' Camel brand altered one of Ms. Stehrenberger's drawings and used it in a marketing campaign without her permission. Ms. Stehrenberger sued and recently reached an out of court settlement with R.J. Reynolds.

Keep an eye on her website; she promises a "behind-the-scenes peek at the pre-trial strategy and some humourous how-tos for how to protect your own work once an infringement occurs."

Tip: make sure you register your work with the U.S. Copyright Office.


Authentication in an Internet Banking Environment

Financial Institution Letters

FFIEC Guidance Authentication in an Internet Banking Environment (PDF Version)


October 12, 2005


The Federal Financial Institutions Examination Council (FFIEC) has issued the attached guidance, “Authentication in an Internet Banking Environment (PDF).” For banks offering Internet-based financial services, the guidance describes enhanced authentication methods that regulators expect banks to use when authenticating the identity of customers using the on-line products and services. Examiners will review this area to determine a financial institution’s progress in complying with this guidance during upcoming examinations. Financial Institutions will be expected to achieve compliance with the guidance no later than year-end 2006.


  • Financial institutions offering Internet-based products and services should use effective methods to authenticate the identity of customers using those products and services.
  • Single-factor authentication methodologies may not provide sufficient protection for Internet-based financial services.
  • The FFIEC agencies consider single-factor authentication, when used as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
  • Risk assessments should provide the basis for determining an effective authentication strategy according to the risks associated with the various products and services available to on-line customers.
  • Customer awareness and education should continue to be emphasized because they are effective deterrents to the on-line theft of assets and sensitive information.


Wednesday, October 19, 2005

Vonage Quotes the MT Law Blog

Vonage quotes me here because of this post, and for the record I'm still impressed. I like the low flat rate price, unlimited local and long distance calling plus all of the included features such as voice mail, caller id and call forwarding. From time to time we get an annoying echo sound, but rebooting the router typically fixes the problem. If the bells don't get competitive with their pricing structure and packages, I can see a mass defection to VoIP services such as Vonage.


Monday, October 17, 2005

Reporters fishing for stories

Reporters really ought to think about the e-mails they send. I'm a member of the Pho list, a mailing list about the digital delivery of art and its monetization. Like all mailing lists, at least the ones I've seen, the participants are very opinionated and outspoken. One of the members of this list is Mark Cuban, owner of the Dallas Mavericks.

A reporter from Bloomberg News sent the administrator of the list an e-mail stating that she is writing a profile on Mr. Cuban and "heard" that members of the list "have some strong opinions about the guy and whether he's been good for the Mavericks or Dallas." The reporter wanted to chat with some of the members. So, the administrator then posts the e-mail to the Pho list.

I'm not sure what the reaction will be from the list members, but my guess is that they will react negatively to the request. Like him or not (I like him), I suspect that members of the list will see this as an "attack" on their own and not be cooperative with the reporter. Mark will probably take it in stride and see this as another opportunity for publicity a la Trump.


Imagine a world without copyright

Not likely, but Joost Smiers (author of "Arts Under Pressure: Promoting Cultural Diversity in the Age of Globalization") and Marieke van Schijndel imagine such a world and conclude:

The level playing field of cultural production - a market accessible for everyone - would once again be restored. A world without copyright would offer the guarantee of a good income to many artists, and would protect the public domain of knowledge and creativity. And members of the public would get what they are entitled to: a surprisingly rich and varied menu of artistic alternatives.

In response, Alec van Gelder, of the International Policy Network, says "No Thanks."

While they pay lip service to democratic rights, artistic entrepreneurs and markets, the writers' romantic communitarian utopia where copyright does not exist smacks to some of us of "1984": The key to the fantasy is "a generous range of subsidies" apportioned by government from taxes to support the self-proclaimed art of self-styled artists, or that of politically deserving artists. Markets, underpinned by their fundamental freedoms, are the only democratic way of rewarding creativity.


Everyone wants their share

First, Apple announces the new iPod video and $1.99 videos of shows such as Lost. Now, "in a show of unity, five unions representing actors, writers and directors issued a joint call for talks to make sure their members get a cut of revenue generated by the sale of TV shows on Apple's iTunes software." It was bound to happen.


Thursday, October 13, 2005

Privacy and Security Update - October 2005

HIPAA and Consumer Breach Notification Laws Affect Responses to Patient Information Exposure - by Peter M. Hazelton, Esq.

Health care organizations must consider how to comply simultaneously with the Privacy Rule and Security Rule of the Health Insurance Portability and Accountability Act (“HIPAA”) and with various new consumer breach notification laws. See “States Pass Consumer Breach Notification Laws,” Privacy and Security Update, July, 2005. (www.mt-law.com/publications.aspx)

Applicable Laws

The HIPAA Privacy and Security Rules apply to health care organizations like hospitals, physician offices, and health insurers. The Privacy Rule requires health care organizations to mitigate any harmful effects due to the loss or theft of a patient’s protected health information. This Rule requires health care organizations to inform all patients of how to file a privacy complaint with federal regulators. However, it does not require health care organizations to inform federal regulators of their own security breaches. The Privacy Rule also does not require covered entities to notify affected patients of the data breach.

The HIPAA Security Rule makes health care organizations develop security incident procedures. These procedures must detail how the organization will identify and respond to suspected or known security breaches, mitigate any harmful effects, and document security incidents and their outcomes. As with the Privacy Rule, the Security Rule does not impose any duty to notify the government or patients of a security breach concerning their protected health information. With both Rules, however, a health care organization might choose to notify affected patients if it believes that notification would help to mitigate the potential harm from the security breach.

HIPAA preempts some state laws on medical privacy that are contrary to it, but laws mandating consumer breach notification are not contrary to HIPAA. Almost 20 states now have consumer breach notification laws, nearly all of which were passed in 2005. A number of other states are still considering this sort of legislation. These laws require companies, state agencies, or both to notify consumers of security breaches involving their personal information. Many businesses and health care organizations possess personal information about Californians, Floridians, Texans, and residents of the other states that now have consumer breach notification laws.

The U.S. Senate is currently considering consumer breach notification legislation that would apply to the personal information of the residents of all states. Legislation that finally passes may very well preempt many aspects of state consumer notification laws.

Some of these state laws provide a safe harbor for organizations covered by the HIPAA rules, allowing HIPAA-compliant health care organizations to avoid compliance with consumer breach notification requirements. However, most of the state laws do not provide such an exception. Only one of the federal bills regarding consumer breach notification exempts health care organizations covered by HIPAA.

Security Breaches

The most publicized information security breaches this year have involved data brokers like ChoicePoint and LexisNexis or financial organizations like JP Morgan Chase, Citigroup, or CardSystems. These organizations have notified customers whose information was compromised by a security breach.

Health care organizations have also had to deal with security breaches involving patient information. In addition to sensitive medical information, patient files contain data useful to identity thieves, like Social Security numbers, addresses, birth dates, and employment information.

Ohio State University Medical Center discovered in June, 2005 that a laptop computer containing patient information was stolen from one of its financial consultants. The computer contained billing information on about 15,000 different patients. However, these files did not contain identifying information like birthdates and Social Security numbers. Ohio State chose to notify each of the patients by letter about the security breach.

The University of Florida faced a similar situation when a laptop computer containing patient information was stolen from one of its outside consultants. The computer was stolen from ChartOne, a Boston company that helps the University to manage medical records. The missing laptop's database contained the names, Social Security numbers, dates of birth, and medical record numbers for almost 4,000 patients. The University notified affected patients of the breach, encouraging them to contact the major credit bureaus regarding account activity.

Medica Health Plans in Minnesota discovered that hackers had stolen company sensitive and confidential data from its computer system. This system also contains information concerning 1.2 million patients, including Social Security numbers, addresses, dates of birth, and employment information. The health plan is now suing the two alleged hackers. Medica does not believe that the hackers actually took any of the patient information. It has not notified any of the patients about the security breach.

Kaiser Permanente Colorado chose to provide notice about a recent privacy breach both to affected patients and to the Office for Civil Rights of the U.S. Department of Health and Human Services. The Office for Civil Rights enforces the HIPAA Privacy Rule. Due to a printing error, a recent issue of Kaiser’s Rocky Mountain Health went out to 190,000 health plan members with member ID numbers on its mailing labels.

Neither the HIPAA Privacy Rule nor the HIPAA Security Rule requires covered entities to notify government regulators about a suspected privacy or security breach. Kaiser did not give its reasons for notifying the Office for Civil Rights. However, it may have taken this course to preempt a government enforcement action prompted by a patient complaint. A Kaiser official stated that the Office for Civil Rights appears to be “fine with things because we have responded appropriately and done the right thing.”

Compliance Considerations

A variety of factors affect a health care organization’s choice of how to comply with the law. The HIPAA Privacy Rule and Security Rule do not mandate the notification of patients about consumer breaches. However, notifying affected patients may be a wise step for health care organizations fulfilling their obligations to mitigate any harmful effects of a security breach. After receiving notification, individual patients can then check their credit reports, cancel certain accounts, and maintain surveillance for any uncharacteristic transactions on their bills.

The HIPAA Privacy Rule and Security Rule do not require health care organizations to notify the government about a security breach. However, health care organizations might do so in hopes of preempting any potential government enforcement action.

The consumer breach notification laws require companies only to notify residents of the 20 or so states that have passed them. However, health care organizations in other states may possess protected health information of individuals who reside in those 20 or so states. Further, it may be both cost-effective and a wise public relations strategy to notify all affected individuals, as opposed to confining notices only to residents of certain states. For example, when ChoicePoint discovered the theft of personal information for 145,000 people early in 2005, only California had a breach notification law on the books. ChoicePoint originally chose to notify only California residents. However, the company broadened its notifications to extend to all affected individuals, regardless of their states of residence, even though few of the remaining states had such laws.

In summary, health care organizations should revisit their established policies to prepare to face consumer notification requirements. Through inside or outside counsel, they should also keep watch on any legislative or regulatory developments and the responses of other health care organizations to security breaches.


Peter M. Hazelton, Esq., M.H.A. has assisted corporate clients, both large and small, in complying with applicable U.S., state, and international laws on health care, online, international, and financial privacy and security. He has published numerous articles and lectured nationally and locally on privacy, security, e-commerce, and other legal issues.

Mr. Hazelton has a Master’s degree in Health Administration in addition to his law degree.

Please see his past editions of the Privacy and Security Update and recent articles on online privacy, HIPAA security, and spyware at http://www.mt-law.com/publications.aspx. You may reach him at (614) 846-6571 x22 or peter.hazelton@mt-law.com.

This Privacy and Security Update is intended to provide information about important legal developments, not legal advice. Readers should consult legal counsel for advice about their specific circumstances.

©2005 Mallory & Tsibouris, Co., LPA - This work is not NOT licensed under the Creative Commons License.


Sunday, October 09, 2005

Longboat Key

I'm back from vacation. We went to Longboat Key, Florida. The weather was hot and humid, with a few storms in the mornings. But fun was had by all. The only problem was the red tide.