Thursday, March 22, 2012
Latest Regulatory Filings Reveal Mixed Results in Addressing Cyber Threats
Photo entitled "Cyber AttacK" by Marsmet501 on Flickr
Companies submitted their first 10-Q quarterly filings since the SEC issued guidance on reporting cyber issues. A Reuters review of over 2,000 filings revealed varying degrees of effort to follow the SEC’s guidance.
Issued in October, the Division of Corporate Finance’s CF Disclosure Guidance emphasized the importance of disclosing information about the risks and impacts of cyber incidents, considering, among other things, the history of attacks as well as future threats and costs. Investor perception and materiality played important roles within the guidelines for public companies making the determination to release cyber threat information.
Most companies addressed cyber risks in a general sense using boilerplate language but others, including known hacking victims, did not address the issue at all. Among the notable companies to not even report cyber risks as generic threats to business were major defense contractors including Lockheed Martin Corp., Mantech International Corp., and CACI International Corp. All three corporations have been targeted in sophisticated cyber attacks.
Yet other companies were more transparent and disclosed details of cyber incidents and related threats. Internet security provider VeriSign Inc. and credit card and debit card transaction processor VeriFone Systems Inc. submitted threat details after suffering major breaches in 2010. While some companies made good faith efforts to address the SEC’s cyber concerns, these attempts were by no means indicative of all public filings for the most recent quarter.
Upon initial review, most companies made some attempt to follow the SEC’s October guidelines. However, using standard terminology to address generic cyber threats is probably not what the SEC would consider ideal compliance. Such attempts do not improve corporate transparency nor do they aid investors and business partners in making thorough investment decisions.
Some experts anticipate that public companies will make better efforts to address cyber threats in their upcoming annual filings and disclose more information regarding successful hacking attempts. Others feel the guidance does not contain enough specificity and plan to watch the SEC closely as it responds to this most recent round of filings. However, most experts agree that while the disclosure is not a new concern, companies are slowly moving toward increasing transparency and acknowledge that the process will take time to develop.
Massachusetts ‘Right to Repair Act’ Sent to the Legislature
Photo entitled "Duct Tape and Cars: A Global Standard" by David Edenfield on Flickr
On January 17, 2012, the 2012 version of the Motor Vehicle Owner’s Right to Repair Act was introduced to the Massachusetts House of Representatives. The Act, better known to most as the “Right to Repair Act,” seeks to remedy situations in which consumers and independent automobile repair shops cannot access the necessary information to properly diagnose and repair a vehicle. Recently, groups supporting the Right to Repair Act in Massachusetts collected more than 80,000 signatures in support of offering the question to voters as a ballot initiative.
The Right to Repair Act was first introduced as legislation over 10 years ago, when it came before the United States Congress as H.R. 2735, the Motor Vehicle Owners’ Right to Repair Act of 2001. The Act was created in response to a growing trend in the independent repair industry in which independent repair shops were forced to turn away customers because they were unable to access the vehicles’ on-board diagnostic systems.
Several motor vehicle industry players have long voiced strong opposition to the Right to Repair Act, with one industry advocate going so far as to call it “a solution in search of a problem.” The Bill purports to make information more accessible to repair shops in the independent automobile industry by requiring manufacturers to “maintain a diagnostic and repair information system which shall enable the owner of the motor vehicle or the owner’s designated independent repair facility, the capability to utilize such system” and which is composed of “the same diagnostic and repair information, including technical updates, which the manufacturer makes available to its dealers.”
The information will not be free, however, with a statutory proclamation that the system be available to the aforementioned parties “on a hourly, daily, monthly or yearly subscription basis at cost and terms that are no greater than fair market value and nondiscriminatory.”
Unfortunately, even if the problem of wholly-inaccessible information were to exist today (and by most accounts, the NASTF has reduced nearly all information gaps of that nature), the Act would still fall short of its goals. Most independent repair manufacturers today that are unable to repair vehicles due to computer-related shortcomings are unable to do so not because they cannot “potentially” access the information, but rather because the acquisition is too expensive.
The issue lies in the diverse number of makes and models that are repaired by independent repair shops, as compared to authorized factory dealers. Typically an authorized dealer will repair a limited number of brands—usually those within the family sold by the dealer. An independent repairer, however, fixes whatever the next patron owns. The expense of purchasing a computer designed for a Mercedes vehicle, then, could be split amongst hundreds of cars by a Mercedes dealership, but might be split between a handful of cars at an independent repair shop. The implication is simple: it will likely continue to remain economically infeasible for independent repair shops to acquire the information and technology utilized by authorized dealerships.
The 2012 iteration of the Right to Repair Act is titled, “An Act to Protect Motor Vehicle Owners and Small Businesses in Repairing Motor Vehicles,” and has been assigned bill tracking number H.B. 3882.
Texas Jury Invalidates Patent on the “Interactive Web”
Photo Entitled "sorry-no-internet-today-2.half" by Timsparke on Flickr
On February 9, 2012, an eight-member jury in the East Texas Federal District Court decided that a patent claiming ownership of the interactive web was invalid. Michael Doyle and his patent-holding company Eolas Technologies brought a patent infringement suit against some of the largest companies in the world, including, among others, Google, Yahoo, Amazon, YouTube, and Apple. The thrust of the claim was that a patent gave Doyle and his company ownership over certain features of the interactive web, including rotating pictures and streaming video.
Though the USPTO initially rejected the patent after it was filed in 1994, even after several re-examinations, Doyle persisted and eventually received the fought-for patent in 1998. After the USPTO awarded the patent to Doyle and his company, they failed to put it to any practical use. Eolas holds many patents relating to the technology industry, and the only use it makes of them is to sue others for infringement. Another well-known case was an infringement action brought against Microsoft’s Internet Explorer, for which Eolas received a hefty settlement. These actions led many critics to give Doyle and his company the loathsome title of “patent troll.”
The defendants in the “interactive web” infringement suit argued vehemently that it was not Doyle’s invention, but rather Pei-Yuan Wei and his Viola browser, or Dave Raggett and his <embed> tag, that brought about the interactive web. In the end, the East Texas jury decided in favor of the defendants and found that Doyle’s patent was invalid. The defendants avoided a potential $600 million verdict, and perhaps a more challenging fate of needing to find a work-around for Doyle’s patent.
Though a patent holder is not required to make use of his patent, the actions of Doyle and Eolas Technologies highlight the nightmare that “patent trolls” can cause. The defendants in this lawsuit were forced to spend millions of dollars defending themselves against these infringement claims, as well as the possibility of losing the right to use the very technology that their companies were built upon. Perhaps public policy should call for a change to patent law wherein patent holders lose their right to the patent if they do not implement it after a certain number of years.
What’s Up with SOPA and PIPA?
Photo Titled "SOPA Resistance Day" by C4Chaos on Flickr
Everyone knows that the famous Internet encyclopedia website, Wikipedia, went offline for 24 hours on Wednesday, January 18 to protest something. However, what exactly the site was protesting is a little less clear. Here’s the breakdown: there are two bills going through Congress. The Stop Online Piracy Act (SOPA) is in the Senate and the Protect IP Act (PIPA) is in the House. The laws would make it legal for the Justice Department and copyright holders to seek court orders against a website suspected of copyright infringement. If the court order is granted, the website must be taken down. Most notably, the language of the legislation does not require the court to hear a defense argument before issuing the court order.
There is also a provision in the bill that allows for a copyright owner to take action outside of court against a suspected copyright infringer. The owner can invoke a “private right of action,” which allows the owner to demand that the suspected infringer’s payment processors cease payment to the infringer. If a suspected infringer would like to defend against a holder’s actions, the infringer is limited to court action.
The bill raises due process concerns for the suspected copyright infringer with regard to the private action provision. As the bill stands, it allows for private ordering in an unjust manner. Suppose a website runs an image that is not copyrighted but a copyright holder incorrectly believes it to be his image. The copyright owner could invoke a private right of action and stop payments to the site. The suspected infringer would have to take court action to lift the payment holds.
What would happen if a copyrighted image was posted to Facebook by one of its millions of users? Would Facebook be shut down for failure to monitor, in real time, each of its users?
Wikipedia founder Jimmy Wales compared the bill to a form of censorship. He reasoned, “The other side will try to paint this as anybody who’s opposed to this must be making money off of piracy or be in favor of piracy. That isn’t true. The issue here is that this law is very badly written, very broadly overreaching and, in at least the Senate version, would include the creation of a DNS (domain name system) blocking regime that's technically identical to the one that’s used by China.”
Many politicians have voiced opposition to the bills by Twitter, perhaps calling attention to one of the social media websites that would be hit hard by the bills. Some of these lawmakers include Senator Scott Brown (R-MA) (“Have you seen my stance on #SOPA and #PIPA? I’m going to vote no, the Internet is too important to our economy.”), Senator Jim DeMint (R-SC) (“I support intellectual property rights, but I oppose SOPA & PIPA. They’re misguided bills that will cause more harm than good.”), Senator John Boozman (R-AK) (“I am withdrawing my support for the Protect IP Act.”), and Representative Chellie Pingree (D-ME) (“So many contacting me today outraged with #SOPA and I couldn’t agree more.”).
Although copyright infringement remains a concern for holders and those who see value in the protection as a means for encouraging creativity, SOPA and PIPA do not seem to be the answer. The problem calls for a solution with greater ingenuity that provides protection without legalizing censorship.
© Copyright 2010 The Journal of High Technology Law, Suffolk University Law School