Parties to litigation are used to providing privilege logs (a list of documents not produced in discovery on the grounds that the documents contain privileged information) with such information as author, recipient, date, description of the document and the privilege being asserted. Now that electronic documents are becoming the “norm,” the courts may begin requiring more information about these documents. One such case is Favors v. Cuomo, a redistricting case filed in the Eastern District of New York. In this case, the court ordered defendants to supplement their privilege log to include “addressee(s), copyee(s), blind copyee(s), date, time, subject line, file name, file format, and a description of any attachments.” Favors v. Cuomo, 11-CV-5632, 2012 U.S. Dist. LEXIS 113076, *116 (E.D.N.Y. Aug. 10, 2012) (U.S. Mag. J. Roanne L. Mann). The rationale for this ruling was that this type of information is easily and readily accessible given the metadata available for electronic documents. Id. However, the court did add that merely listing the subject line, file name or document title would be insufficient as it would result in “vague, confusing, or conclusory descriptions.” Id. at *117 n.36. Thus, this type of information would have to be revised to provide a sufficient description of the document.
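To show how readily the fields named in the order can be read from an e-mail's own headers, here is an added example (not part of the original post or the court's order) that builds one privilege-log row with Python's standard `email` package. The sample message, the function names and the dictionary keys are assumptions made for illustration; the reviewer-supplied description is rejected if it only repeats the subject line or a file name, mirroring the court's caveat.

```python
from email import message_from_string, policy
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample message: every name and address below is made up.
SAMPLE_EML = """\
From: Alice Counsel <alice@lawfirm.example>
To: Bob Client <bob@client.example>
Cc: carol@lawfirm.example
Bcc: dave@lawfirm.example
Date: Fri, 10 Aug 2012 14:30:00 -0400
Subject: Draft map analysis
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

See attached.
--BOUND
Content-Type: application/pdf; name="analysis.pdf"
Content-Disposition: attachment; filename="analysis.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--BOUND--
"""

def _addresses(msg, header):
    """Bare e-mail addresses from every occurrence of one header."""
    values = [str(v) for v in msg.get_all(header, [])]
    return [addr for _, addr in getaddresses(values)]

def privilege_log_row(raw_message, privilege, description):
    """Build one log row (hypothetical layout) from a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "")
    attachments = [{"file_name": part.get_filename(),
                    "file_format": part.get_content_type()}
                   for part in msg.iter_attachments()]
    # A description that merely repeats the subject line or a file name is
    # what the court called vague or conclusory, so refuse it.
    titles = {subject.strip().lower()}
    titles |= {(a["file_name"] or "").lower() for a in attachments}
    if not description.strip() or description.strip().lower() in titles:
        raise ValueError("description must say more than the subject or file name")
    sent = parsedate_to_datetime(str(msg["Date"]))
    return {
        "author": _addresses(msg, "From"),
        "addressees": _addresses(msg, "To"),
        "copyees": _addresses(msg, "Cc"),
        "blind_copyees": _addresses(msg, "Bcc"),  # usually only in the sender's copy
        "date": sent.date().isoformat(),
        "time": sent.strftime("%H:%M:%S %z"),
        "subject_line": subject,
        "attachments": attachments,
        "privilege": privilege,
        "description": description,
    }
```
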
The USDC for the Western District of Pennsylvania enacted local patent rules in 2005. The court has also been designated as one of a number of courts in the country that are part of a Pilot Program where patent filings will be monitored and wherein participating courts will establish certain practices for the administration of Patent cases. While patent filings have been rather flat in the Pa. Western District in the last few years, the number has skyrocketed in 2012. There were 11 Patent cases filed in 2011, but this year, through July, there have already been 28 filings, or more properly, 11 actual filings and 17 transfers of cases from the Eastern District of Texas, or which relate to those transferred cases.
These latter 17 cases have related to the same or similar patents held by a company called Maxim Integrated Products, which is suing numerous big name companies, and which is being sued in declaratory judgment actions by many other big name companies. Many of their suits were filed, not surprisingly in Texas Eastern, but were transferred to Pa. Western.
Declaratory Judgment actions followed and have been filed here by other companies whom Maxim allegedly threatened with suit. The patent(s) at issue relate to the transfer of “cash” between secure devices (e.g., mobile to mobile). The Summary of the Invention in this ‘510 patent is set forth as:
“The present invention is an apparatus, system and method for communicating a cash equivalent electronically to and from a portable module. The portable module can be used as a cash equivalent when buying products and services in the market place. The present invention comprises a portable module that can communicate to a secure module via a microprocessor based device. The portable module can be carried by a consumer, filled with electronic money at an add-money station, and be debited by a merchant when a product or service is purchased by the consumer. As a result of a purchase, the merchant’s cash drawer will indicate an increase in cash value.”
We will follow these cases and report more in the future.
With the news that millions of LinkedIn passwords were compromised last week, we should all reconsider what passwords we are using and whether they are secure enough for our needs. As with most security issues, there is always a balance between having a password that is easy enough for you to remember but too difficult for someone else to guess. This article discusses some strategies and tips for creating and managing stronger passwords.
What Is a Bad Password?
Not all passwords are equal, and there are many that should simply be avoided for most applications. It goes without saying that “password” and “12345” are terrible passwords. A good list of these “bad” passwords can be found here. In general, though, a bad password is one that is:
short (less than 8 characters)
a single word (in any language) that can be found in a dictionary
something that is readily identified with you (e.g., your name or your spouse’s, children’s, or parents’ name; the street you live on or the city you live in, etc.)
a variation on your login or username
adjacent letters or numbers (e.g., qwerty, 12345, abcde, etc.)
Looking through lists of bad passwords can be very enlightening and can give you some ideas of passwords to avoid.
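The five criteria above can be turned into an automated check. The following is an added example, not part of the original article: the tiny word list is a constructed stand-in for a real dictionary, the function names are hypothetical, and the threshold of four adjacent characters is an assumption.

```python
import re

# Constructed stand-in for a real dictionary or list of known-bad passwords.
SAMPLE_DICTIONARY = {"password", "dragon", "sunshine", "lawnmower", "fruit", "monkey"}

# Character orders whose neighbours count as "adjacent":
# the alphabet, the digits, and the three letter rows of a QWERTY keyboard.
ADJACENT_SEQUENCES = (
    "abcdefghijklmnopqrstuvwxyz",
    "01234567890",
    "qwertyuiop",
    "asdfghjkl",
    "zxcvbnm",
)

def longest_adjacent_run(password):
    """Longest stretch that walks along one sequence, forwards or backwards."""
    pw = password.lower()
    best = 1 if pw else 0
    for seq in ADJACENT_SEQUENCES:
        for ordered in (seq, seq[::-1]):
            run = 1
            for prev, cur in zip(pw, pw[1:]):
                run = run + 1 if prev + cur in ordered else 1
                best = max(best, run)
    return best

def check_password(password, username="", personal_terms=()):
    """Return the list of 'bad password' criteria that the password meets."""
    problems = []
    lowered = password.lower()
    squeezed = re.sub(r"[^a-z0-9]", "", lowered)  # ignore punctuation for matching

    if len(password) < 8:
        problems.append("short")
    if lowered.isalpha() and lowered in SAMPLE_DICTIONARY:
        problems.append("dictionary word")
    # Names, streets, cities and similar terms supplied by the caller.
    if any(len(t) >= 3 and t.lower() in lowered for t in personal_terms):
        problems.append("personal information")
    # Username contained in the password, forwards or reversed.
    user = re.sub(r"[^a-z0-9]", "", username.lower())
    if len(user) >= 3 and (user in squeezed or user[::-1] in squeezed):
        problems.append("username variation")
    # Assumed threshold: four or more adjacent characters in a row.
    if longest_adjacent_run(password) >= 4:
        problems.append("adjacent characters")
    return problems
```

A real deployment would swap the sample set for a full dictionary and a list of commonly used passwords; an empty result means only that none of these five criteria matched.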
What Is a Good Password?
Now that we know what types of passwords are not great, what types of passwords are better? A good password likely will have many of the following characteristics:
longer than 8 characters (generally, the longer the better)
have a mix of upper and lowercase letters, numbers, and symbols
be unrelated to any readily identifiable information about you
Again, there is always a balance between ease of use (i.e., something you can remember) and the strength of the password. A long string of random letters, numbers, and symbols is potentially very secure, but is, counterintuitively, not likely to be a good password if you can’t remember it. If you have to write down your password on a piece of paper in order to use it, your password is only as good as the security you have in place to protect that piece of paper.
Thankfully, there are a number of techniques you can use to create stronger passwords that you can remember. One of the most common is to use the first letters of a phrase. For example, if you choose the phrase “To be or not to be, that is the question,” the password would become “Tbontb,titq”. That seemingly random set of letters and symbols would not be susceptible to a dictionary attack (in which the attacker simply tries all the words in the dictionary), but would still be easily remembered. [For the record, this is such a common phrase, that it is likely a bad password. Choose a more obscure sentence or phrase to use, instead.] We could make this password stronger by changing some of the letters to numbers. For example, the “o” could become a zero and the “i” could become a one—so, the password would be “Tb0ntb,t1tq”.
Another common technique is to use unrelated words separated by numbers or symbols. The key to this approach is taking advantage of using the strength of longer passwords and introducing numbers and symbols to avoid dictionary attacks. For example, you could use “fruit25lawnmower#%”. For added strength, you could capitalize some of the letters and change some to numbers—“fRU1t25LawnM0wer#%”.
This is an interesting website where you can enter passwords, and it will assess their relative strengths. As always, you should be cautious about entering any passwords you actually use or intend to use. You can, however, enter similar passwords and begin to get a sense of what makes a stronger or weaker password.
More Dos and Don’ts
Now that we have talked about good and bad passwords, there are a few other points you should consider in managing your passwords.
The strength of your password should reflect the importance of that account to you (or your employer). Very important accounts, like your bank account, should be given the strongest password you can reasonably remember that is different from any other passwords you use. You should also consider regularly changing it in case it becomes compromised without your knowledge.
E-mail accounts should be considered important accounts and given stronger passwords. There can be a real danger if someone gains access to your e-mail account. For example, once you know someone’s username, many websites will allow you to reset the password by sending an e-mail to the registered address. If an attacker gains control of your e-mail, he or she can then reset the password to your bank account (or any other account).
Ideally, you should have a different password for every account or website. That way, if one password is compromised, it won’t compromise your others. Unfortunately, it can be difficult to remember which password you used with which account. To help with this problem, you should consider using a password management program that stores all of your passwords in one location (and is often designed to easily enter those passwords into website forms). These programs then use one master password to unlock all of your passwords. They can be very convenient and useful programs because they allow you to keep track of all of your passwords in a secure way. But, you are putting all your eggs in one basket, so the master password you choose should be strong and access to the program limited.
Finally, don’t write your passwords down on post-it notes on your computer monitor or in other easy-to-find places. If your password is too hard to remember, think about creating a different one that you can remember. On the other hand, it can make good sense to keep your passwords written down in a secure location in case you forget them, especially if the account provides no way to reset the password. Ideally, you should keep them in a locked location, though.
Having a good password requires some discipline and can be inconvenient at times. However, it can be far more inconvenient to have your account hacked and your money or information stolen. Taking a little time now to really think about how to create and manage your passwords can save you a lot of hassle in the future.
iPhones and other smart phones are becoming ubiquitous among legal (and other) professionals. The ability to access your e-mail and documents outside the office is extraordinarily convenient. As attorneys, though, we must temper that convenience with our obligation to preserve our clients’ confidences. Most smart phones offer the ability to password protect the phone, often with a 4-digit PIN or passcode, before you can access the information on the phone. They also often have a feature that will wipe the phone’s data if a certain number of incorrect PINs are entered in a row (with the iPhone that number is 10). But just how secure is your phone?
In this blog post by Daniel Amitay, he looked at the most common 4-digit PINs from over 200,000 users for a program he wrote for the iPhone. Startlingly, the top 10 most common PINs represent 15% of all the PINs people actually use (instead of 0.1% if the PINs were uniformly distributed). While the PINs people use for a program on their phone, as opposed to the phone’s PIN itself, may not be the same, the findings are interesting nonetheless. If they were the same or even a large percentage were, this means that someone who finds (or steals) an iPhone would have around a 1 in 7 chance of unlocking the phone before it is wiped automatically! Smart phone users would be well advised to take a look at the list and consider whether the PINs they have chosen are really as secure as they should be given what information is on (or accessible from) their phones.
For a similar article about computer passwords, check out this NY Times article.
Update: There is another very interesting article on the DataGenetics website that explores this issue in even more detail. It looks at not only 4-digit PINs, but also up to 10-digit PINs and identifies some of the more common ones used. It provides even more insight into common PINs to avoid, and it is well worth the read.
As discussed in an earlier post on this blog, the federal courts will be requiring all electronic filers to move to the PDF/A standard for ECF filings. The Western District of Pennsylvania announced that it is beginning its transition to this format now, and all filings starting on January 1, 2012 must be in the PDF/A standard (link to Court’s PDF announcement).
The PDF/A format should be a longer lasting file format that will allow attorneys and the public to access these records well into the future. The PDF/A standard requires that the files be self-contained and not refer to or use any information outside of the file itself. So, all the fonts and other information will be embedded inside the file. There are two types of PDF/A formats—the PDF/A-1a and PDF/A-1b formats. The “a” format requires strict tagging of information, while the “b” format is less stringent. As a practical matter, one will likely need the original source file (for example, the original Microsoft Word file) to create a PDF/A-1a file. This will make it more difficult to convert standard PDF files into PDF/A-1a files. On the other hand, because the PDF/A-1b format is more forgiving, it should be possible to convert standard PDF files into this format. It appears that the federal courts will accept either PDF/A format.
There are a variety of websites offering advice and tutorials to help ease the transition to the PDF/A format. The Adobe Acrobat for Legal Professionals website recently posted a tutorial on using the save as feature in Acrobat 9 and X to create or convert files into the PDF/A format. It also hosted a webcast on the topic that can be viewed here.
Here’s a scary decision by a California Appellate Court reported on Wired.com http://www.wired.com/threatlevel/2011/01/email-attorney-client-privilege/. An employee who sues her employer for discrimination, and who communicates with her lawyer using her employer’s e-mail system, waives the attorney-client privilege by using the company’s e-mail system to seek or receive legal advice from her lawyer. In other words, if you sue your employer, you may not use that employer’s e-mail server to communicate with your lawyer, or those communications are not privileged. This is an important issue not only to litigants, but to lawyers, who routinely send litigation-related e-mails to clients at workplace e-mail addresses. Lawyers must now, perhaps, ask clients a series of questions regarding the process of e-mail communications so that a privileged system of communication can be established. Wired.com quotes the court as holding that “The e-mails sent via company computer under the circumstances of this case were akin to consulting her lawyer in her employer’s conference room, in a loud voice, with the door open, so that any reasonable person would expect that their discussion of her complaints about her employer would be overheard.” The key to the decision involves the explicit warnings given to plaintiff and her fellow employees about the use of company e-mail. The court’s holding cited the following rationale for its decision to vitiate the privilege: “This is so because Holmes used a computer of defendant company to send the e-mails even though (1) she had been told of the company’s policy that its computers were to be used only for company business and that employees were prohibited from using them to send or receive personal e-mail, (2) she had been warned that the company would monitor its computers for compliance with this company policy and thus might “inspect all files and messages . . . at any time,” and (3) she had been explicitly advised that employees using company computers to create or maintain personal information or messages “have no right of privacy with respect to that information or message.” See the Court’s published opinion: http://www.courtinfo.ca.gov/opinions/documents/C059133.PDF
Whether the California decision will be followed elsewhere, or copied in other state or federal courts remains to be seen. We at PitIPtechblog will continue to monitor this decision and its fallout.
Federal court practitioners are now well-familiar with the CM/ECF, which allows parties to file documents in a PDF format on-line rather than hand-filing them with the Clerk of Court. In an effort to improve its archiving and preservation of its records and to address concerns over new features that have been incorporated into the PDF format, federal courts will require filers to submit documents in the PDF/A format. The courts have not all set a timeline for implementing these changes, but the Western District of Pennsylvania will require all uploads to be in this format after January 1, 2012.
PDF/A is an International Standards Organization (ISO) approved version of the popular Adobe PDF format designed for archival purposes. It is a self-contained file, which means that it does not rely on external media players or hyperlinks outside of the documents. In addition, it embeds all of the fonts used in the document inside the file, so the recipient need not have any of the fonts installed on his or her computer. It also prevents security measures of any kind (such as passwords). It appears that the federal courts will be using the minimal PDF/A-1b “flavor” of PDF/A, rather than the full PDF/A-1a “flavor,” which is more exacting.
As the PDF format has evolved, it has incorporated some new features that raised concerns, such as the ability to monitor when a document is read and the ability to incorporate active software inside the file. In theory, by moving to the PDF/A format, electronically-filed documents will be more accessible in the future and less dependent on technologies or features that may become unsupported.
Federal courts currently will accept PDF/A files, but do not yet require them. As practitioners are preparing for the transition to only PDF/A files, they should be aware of a number of changes that will result from this shift:
Because all of the fonts will be embedded into the file, file sizes will be larger. In addition, some specialized fonts will not allow programs to embed them in the PDF/A file or require an additional license to do so. Use of these fonts will be problematic and may have to be avoided.
Hyperlinking to webpages, judicial decisions, and other hypermedia is not possible because the file must be self-contained. Content rich briefs and exhibits will be more difficult to create, and, in particular, one will have to be careful in creating exhibits that contain these items (such as copies of webpages or electronically-downloaded caselaw). While some courts may allow exceptions to this limitation, one should not count on regularly being able to obtain these.
Passwords and other security features are not permitted. The purpose of switching to PDF/A is to make the files as accessible as possible for as long as possible. Passwords and other security measures interfere with that goal.
PDF/A requires the presence of certain meta-data to verify conformance with the standard. For firms with systems that automatically strip meta-data, care will have to be taken so as not to render PDF/A files non-conforming in the process.
Some posts herein are from the HH-Law resources of PSMN® and PSMNLaw®. Business Litigation. Pittsburgh Strong® and DTSALaw®, PSMN® and PSMNLaw® are federally registered trademarks of HH-Law. See Firm Website at: https://www.hh-law.com/Professionals/Henry-Sneath.shtml