LegalTech: First Integrated Electronic Courtrooms Opened in the United States

Samuel Miller

Earlier this September, litigation services and software company Opus 2 International announced that the United States’ “first integrated pop-up electronic courtroom built for paperless trials” had been deployed in Miami. Brenda Mahedy, head of global marketing for Opus 2 International, discussed the impact of these services on court cases and the history of such services in the courtroom.

Although Opus 2 was unable to discuss the specifics of the case, Mahedy and the company disclosed that “the parties were two multinational companies with branches in the United States, the United Kingdom, and Europe engaged in international litigation. Both parties came to the trial with an extensive array of technology and witness services, including evidence and trial presentation technologies.”  Mahedy stated, “while various disparate hearing room services already exist in the U.S., such as trial presentation tools, third-party interpretation services, and video conferencing, it is rare that these services are fully integrated with one another, yielding a much more seamless and efficient process during trial.”
Currently, these services are also used in some capacity in state courts in Texas and Utah that handle electronic filing. District Courts in the District of Columbia, Michigan, California, and Kentucky also provide technology-based evidence presentation capabilities through the addition of audio and video hardware in their courtrooms. While these changes may improve efficiency and streamline paperless trials, the technology may be slow to spread across the justice system, given how policies and procedures governing courtroom operations are changed. Other court systems, such as the UK’s, have already begun to implement these technologies, however, and may provide a model by which U.S. courts could begin to make the same changes.

Pentagon Official’s Report Brings Light to Real-World Dangers of Autonomous Weapons

Brittany Charles

The Terminator will be real during our lifetime. Perhaps not the Terminator itself, but thanks to low-cost sensors and artificial intelligence, autonomous weapons that act without human intervention are becoming a reality.[1] Weaponry capable of targeting and killing entirely free of human intervention, while not available in the US, is appearing in military arsenals throughout the world.[2]

According to the N.Y. Times, such systems are controversial because, although a human operator initially selects a target, some of them are designed to operate outside the operator’s control (at times over hundreds of miles), identify a target, and then attack it.[3] The technology can be built into a variety of weapon systems, including robots, missiles, stationary weapon systems and drones.[4]

So why is a Pentagon official reporting that low-cost weaponry capable of completing military actions without human intervention is dangerous? These weapon systems are completely autonomous. According to Paul Scharre, one of the authors of the 2012 Defense Department directive on the subject, “Having a person in the loop is not enough…the human has to be actively engaged.”[5] Furthermore, these systems can be hacked, spoofed or manipulated by adversaries. Kind of like the Terminator. Perhaps a weapon that can decide how to complete military objectives, and that can also be influenced by others, is a weapon we might want a little more control over?

[1] John Markoff, Report Cites Dangers of Autonomous Weapons, N.Y. Times (Feb. 28, 2016), http://www.nytimes.com/2016/02/29/technology/report-cites-dangers-of-autonomous-weapons.html?_r=0.

[2] Id.

[3] Id.

[4] Id.

[5] Id.

The Use of 3D Printing in Medicine

Samantha Dente

The next great frontier in medical advancements is the use of 3D printing. Although the use of 3D printing in medicine is still in its beginning stages, there are already huge implications from its use.

Most recently, in September, a cancer patient received a 3D printed titanium sternum and partial rib cage to replace the bones he had lost during cancer treatment.[1] Traditional flat-plate implants tend to loosen over time and therefore require follow-up invasive procedures for maintenance or replacement; the success of this surgery thus marks a breakthrough in the medical community.[2] In addition to the more durable material, another benefit of 3D printed implants is that, with the aid of CT scans, the implant can be made to match the patient’s actual anatomy.[3]

In August, another breakthrough occurred when the FDA approved a 3D printed prescription pill for consumer use to treat epilepsy.[4] The 3D technology allows pills to be made more porous, so they dissolve faster and act more quickly.[5] Before that, in 2013, a two-year-old girl born without a trachea received a 3D printed windpipe built with her own stem cells.[6]

One of the biggest areas of interest is how the use of 3D printing will change research and development (R&D) for medical device manufacturers and pharmaceutical companies.[7] One foreseeable function of 3D printing is the ability to print tissues and organs for drug testing, which would in turn eliminate the need for animal testing or for synthetic models, which are less accurate.[8] Currently, the average R&D cost for a new drug is approximately $4 billion, and the failure rate of drugs in clinical trials is 90%, owing to differing animal and human responses to testing.[9] Lowering the risk of trial failure would in turn reduce both costs and the number of failed clinical trials.

In 2013, the U.S. funded the “Body on a Chip” project, and just this year the first organ chips are coming to market.[10] In an effort to curb the R&D issues described above, the project encouraged universities to essentially 3D print organs through the following process: printed samples of tissue meant to mimic human organs are placed on a microchip and connected with a blood substitute to keep the cells alive.[11] This allows doctors to test specific treatments more accurately and monitor their effectiveness.[12] The military has shown interest in this project in the hope of one day developing treatments for nuclear and biological incidents, and has put about $39 million into projects at Harvard and MIT.[13]

Although there was concern over FDA roadblocks, the agency has surprisingly expressed openness to the use of 3D printing in R&D.[14]

It has been about thirty years since 3D printing technology was first introduced, and the biotechnology community is finally harnessing its true power and potential.[15] It has been predicted that patients eventually may be able to print their own medicines at home, which would in turn lead to a transition in how medications are prescribed.[16] It may seem like science fiction, but it is a possibility that could become a reality sooner than we think.

 

[1] Kelly Hodgkins, Cancer Patient Undergoes World’s First 3D Printed Sternum Replacement Surgery, Digital Trends (Sep. 11, 2015), http://www.digitaltrends.com/cool-tech/sternum-ribs-3d-print-implant/.

[2] Id.

[3] Id.

[4] Dominic Basulto, Why It Matters That the FDA Just Approved The First 3D Printed Drug, The Washington Post (Aug. 11, 2015),  https://www.washingtonpost.com/news/innovations/wp/2015/08/11/why-it-matters-that-the-fda-just-approved-the-first-3d-printed-drug/.

[5] Id.

[6] Zuzanna Fiminska, 3D Printing Set To Revolutionize Pharma, Eye For Pharma (July 15, 2014), http://social.eyeforpharma.com/clinical/3d-printing-set-revolutionize-pharma.

[7] Id.

[8] Id.

[9] Id.

[10] Towards a Body-On-A-Chip, The Economist (Jun 13, 2015), http://www.economist.com/news/science-and-technology/21654013-first-organ-chips-are-coming-market-and-regulators-permitting-will-speed.

[11] Fiminski, supra note 6.

[12] Id.

[13] Towards a Body-On-A-Chip, supra note 10.

[14] Basulto, supra note 4.

[15] Bethany Gross, Evaluation of 3D Printing and Its Potential Impact on Biotechnology and Chemical Sciences, Analytical Chemistry (Jan. 16, 2014), http://pubs.acs.org/doi/pdf/10.1021/ac403397r.

[16] Basulto, supra note 4.

Apple Announces Latest Version of iPhone

Nicholas Fedorka

I vividly remember watching the Academy Awards in the summer of 2007 with my family in my hometown of Meadville, PA (NORTHWESTERN PA SHOUT OUT). My jaw hit the floor when I saw the first commercial for the new Apple iPhone. Close to ten years later, Apple has now announced its latest version of the iPhone with its iPhone 7. It is faster, has longer battery life, an improved camera, and is now waterproof. David S. Cloud, IPhone 7 Review, Though Not Perfect, New iPhones Keep Apple’s Promises, NY Times (September 14, 2016 5:16 PM), http://www.nytimes.com/2016/09/15/technology/personaltech/iphone-7-apple-watch-faq.html?ribbonadidx=3&rref=technology/personaltech&module=ArrowsNav&contentCollection=Personal%20Tech&action=click&region=FixedRight&pgtype=article. But all of this came at a cost. Users of the iPhone 7 will have to deal with no audio jack, which was taken out to leave space for the new features. Id. Apple developed AirPods (wireless headphones) to compensate for the lack of an audio jack. Id. AirPods are due to release in October and cost $159. Id. It is significantly faster than its previous counterparts. It is 39% faster than the iPhone 6S and 114 percent faster than the iPhone 6. Id. It also improved its camera with a 12-megapixel sensor. Id. Needless to say, I am very excited to test these out once they hit the stores.

Samsung’s Flagship Device Goes Down in Flames

Cecilia Santostefano

Samsung’s reputation has found itself in a bit of a blazing controversy. Back in early September, Florida resident Nathan Dornacher found his Jeep Grand Cherokee in flames after leaving his Note 7 charging on the center console.[1] After thirty-five incidents of exploding phones were reported and confirmed, Samsung initially recalled the smartphone in ten countries.[2] As a result, customers could obtain a refund for their device or ask for a different one.[3]

It wasn’t until September 15 that the U.S. Consumer Product Safety Commission told consumers to “immediately stop using and power down the [Note 7] device.”[4] This warning, however, seems to be ineffective, as data analysis shows “the usage rate of the phone among existing users has been almost the exact same since the day of the [initial] recall [by Samsung].”[5]

The recall is quite the costly setback for Samsung, as the Galaxy Note 7 was a means to compete with large competitors like Apple.[6] New Note 7 devices are, however, scheduled to hit stores no later than September 21.[7]

 

[1] Josh Cascio, Jeep totaled by exploding Note 7, FOX 13 News, (September 7, 2016, 10:51 PM), http://www.fox13news.com/news/local-news/203295058-story.

[2] Cascio, supra note 1.

[3] Jill Disis, U.S. formally recalls Samsung Galaxy Note 7, CNN, (September 15, 2016, 5:33 PM), http://money.cnn.com/2016/09/15/technology/samsung-galaxy-note-7-cpsc/.

[4] Disis, supra note 3.

[5] Alex Johnson, Samsung Galaxy Note 7 Owners Keep Using Their Fire-Prone Phones, NBC, (September 16, 2016, 8:07 AM), http://www.nbcnews.com/tech/mobile/samsung-galaxy-note-7-owners-keep-using-fire-prone-phones-n649251.

[6] Ankur Banerjee, Samsung Galaxy Note 7 Recalled Over Battery Fires, Huffington Post, (September 15, 2016, 4:05 PM), http://www.huffingtonpost.com/entry/us-consumer-product-safety-commission-reportedly-plans-recall-of-samsung-galaxy-note-7_us_57dafcffe4b08cb1409476ec?section=us_technology.

[7] Banerjee, supra note 6.

Blurring Lines Between Beer and Soda Cause Trademark Confusion, Attorneys Say

Aiden Scott

As a result of the booming craft beer market, microbreweries and large multinational brewing companies alike are encountering atypical difficulties in trademarking their products. Because of market crowding that “has been exacerbated by immense growth in microbreweries in recent years,” some brewers have turned to other markets. In order “to appeal to a broader market,” micro- and macro-brewers alike have begun to add non-alcoholic drinks to their portfolios, in addition to “numerous spiked versions of traditionally virgin drinks.” This cross-marketing has forced attorneys who work for alcohol producers to “do a lot more leg work than they did a decade ago to make sure their products don’t infringe anyone else’s trademarks.” Because consumers could easily mistake an adult beverage for one that “looks remarkably like a non-alcoholic beverage,” intellectual property attorneys in the alcohol industry have “a new layer of possible confusion” to work around.

See Joseph Marks, Blurring Lines Between Beer and Soda Cause Trademark Confusion, Attorneys Say, 92 BNA’s Pat., Trademark, & Copyright J. 1353, 1354 (2016).

 

September FDA Update – Action Following New Regulations on Tobacco Products

William Salage

On September 15, 2016, the U.S. Food and Drug Administration [FDA] issued its first warning letters to a group of businesses and vendors for selling newly regulated tobacco products to minors. The products involved were e-cigarettes, e-liquids and cigars.

This action follows the FDA’s final rulemaking in May 2016, which extended its authority to all tobacco products, including e-cigarettes, cigars, hookah tobacco and pipe tobacco, among others. Before the May 2016 rule was finalized, there was no federal law prohibiting retailers from selling e-cigarettes, hookah tobacco or cigars to people under age 18. Specifically, the new regulations restrict the sale of tobacco products by: (1) prohibiting sales, whether in person or online, to persons under the age of 18; (2) requiring age verification by photo ID for all customers under age 27; (3) prohibiting the sale of covered tobacco products in vending machines; and (4) prohibiting the distribution of free samples.

Data from the FDA and the Centers for Disease Control and Prevention show that current e-cigarette use among high school students increased by more than 900 percent between 2011 and 2015, and that hookah use also increased significantly during this time. Additionally, the data show high school boys smoked cigars at about the same rate as cigarettes. These warning letters represent the agency’s first step in cracking down on tobacco sales to minors under the new rule.

California’s Mandatory Vaccination Law: SB 277

Samantha Cirillo

In June 2015, California passed a new law barring religious and personal-belief exemptions from the state’s existing mandatory immunization law.[1] Beginning with the 2016 school year, unvaccinated children may only enroll in school with a medical waiver from a licensed physician.[2] While approximately 30 states have removed the personal-belief exemption, California has become one of only three states, along with West Virginia and Mississippi, to bar religious exemptions as well.[3] The new law, SB 277, will affect nearly 80,000 students who currently claim personal-belief exemptions.[4]

The law requires that, as of July 1, 2016, newly enrolled children be vaccinated absent a sufficient medical waiver.[5] Children who filed a personal-belief exemption before January 1, 2016 must comply with the law before reaching the 7th grade.[6] However, children currently in the 7th grade or higher will remain exempt.[7] Parents still have the ability to decline vaccines for their children, but unvaccinated or partially vaccinated children must then be homeschooled.[8]

The law was passed only months after a measles outbreak in California that started in Disneyland and spread to over 150 cases statewide.[9] Although many supporters argue that SB 277 is a necessary protection for schoolchildren, the law has had its fair share of opposition. Parents argue that the law violates their right to make decisions about their children’s health and safety.[10] Opposition to vaccines has grown with the increasing number of parents asserting a link between vaccination and autism.[11]

Opponents of the law have held numerous protests and have used social media to raise awareness of the risks they associate with vaccinations. Actor Jim Carrey expressed his disapproval on Twitter, calling Governor Jerry Brown a “corporate facist” who is poisoning our children.[12] Carrey has often voiced his concern about the levels of mercury, aluminum and thimerosal in the mandatory vaccines.[13]

An additional argument that has gained a lot of attention in recent months is whether SB 277 interferes with a child’s right to a public education.[14] To press these concerns, a group of parents and a non-profit organization, Education 4 All, filed suit in U.S. District Court claiming that SB 277 violates the state constitution.[15] The court denied the petitioners’ request for a preliminary injunction, which would have suspended the law while the case is decided.[16] The court stated that there is a long history of requiring children to be vaccinated before entering school and that the law will only benefit and protect the community as a whole.[17]

Ultimately, parents may have the right to make health decisions for their own children. But, do they also have the right to put other students, as well as the community in danger as a result of their decisions?

[1] Patrick McGreevy and Rong-Gong Lin II, California Assembly approves one of the toughest mandatory vaccination laws in the nation, L.A. Times (June 25, 2015), http://www.latimes.com/local/political/la-me-pc-vaccine-mandate-bill-up-for-vote-thursday-in-california-assembly-20150624-story.html.

[2] Paul Sisson, Federal judge denies injunction against California vaccination law for schoolchildren, L.A. Times (Aug. 26, 2016), http://www.latimes.com/local/lanow/la-me-ln-california-vaccination-schools-20160826-snap-story.html.

[3] Melissa Healy, Pediatricians urge states to get tough on parents who don’t want to vaccinate their kids, L.A. Times (Aug. 29, 2016), http://www.latimes.com/science/sciencenow/la-sci-sn-pediatricians-vaccines-exemptions-20160828-snap-story.html.

[4] Phil Willon & Melanie Mason, California Gov. Jerry Brown signs new vaccination law, one of nation’s toughest, L.A. Times (June 30, 2015), http://www.latimes.com/local/political/la-me-ln-governor-signs-tough-new-vaccination-law-20150630-story.html.

[5] Id.

[6] Id.

[7] Id.

[8] Sisson, supra note 2.

[9] Veronica Rocha, Jim Carrey calls Gov. Brown a ‘facist’ for signing new vaccination law, L.A. Times (July 1, 2015), http://www.latimes.com/local/lanow/la-me-ln-actor-jim-carrey-vaccines-20150701-story.html.

[10] Willon & Mason, supra note 4.

[11] Id.

[12] Rocha, supra note 9.

[13] Id.

[14] Soumya Karlamangla, Opponents sue to stop California’s vaccination law, L.A. Times (July 5, 2016), http://www.latimes.com/local/lanow/la-me-ln-vaccination-lawsuit-20160705-snap-story.html.

[15] Id.

[16] Id.

[17] Sisson, supra note 2.

Free Wi-Fi Kiosks to Replace Phone Booths in NYC

Lindsey Marie Round

Kiosks with outlets to charge phones and free Wi-Fi began appearing in New York City earlier this year to replace outdated phone booths, but they have had many unintended consequences.[1] For example, the kiosks have become hotspots for groups to gather, drink and use drugs.[2] Homeless individuals have also been found gathering around the stations to take advantage of the amenities, charging their devices and streaming videos or pursuing other pastimes.[3] Modern smartphones tend to have short battery life because of the many applications constantly running on them, and people often rely on the maps features on their phones to get from point A to point B. So when a person’s phone inevitably dies during the day, he or she has to find an outlet somewhere to charge it before carrying on. The kiosks were intended as places where people could charge a phone for a few minutes or connect to the Wi-Fi to check directions without using up their allotted data for the month.[4] However, the kiosks’ internet browsers have been disabled until a solution to these unintended consequences is found.[5] One possible alternative would be to add a time limit to the Wi-Fi connection and require individuals to reconnect after the allotted time. While this would inconvenience people, it would not completely solve the problem, since anyone could simply reconnect and keep using the Wi-Fi.

 

[1] Patrick McGeehan, Free Wi-Fi Kiosks Were to Aid New Yorkers. An Unsavory Side Has Spurred a Retreat, N.Y. Times (Sept. 14, 2016), http://www.nytimes.com/2016/09/15/nyregion/internet-browsers-to-be-disabled-on-new-yorks-free-wi-fi-kiosks.html?_r=0.

[2] Id.

[3] Id.

[4] Id.

[5] Id.

NY’s Proposed Cybersecurity Regulations Come Up Short

Christopher W. Folk

Governor Cuomo yesterday released proposed regulations, through the Department of Financial Services (“DFS”), that would require Covered Entities to hire a Chief Information Security Officer (“CISO”) and perform a number of other cybersecurity tasks. That sounds like a good step towards enhanced cybersecurity, but is it really?

First, let us examine which entities are actually covered under these new “regulations.” Under § 500.1 (Definitions):

Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law.

A person is further defined as any individual, partnership, corporation, association or any other entity.

Take the universe of persons and entities doing business in New York, extract the portion operating in banking, insurance, and financial services, and you have the business sector that would be affected by Cuomo’s regulations.

Now that we have identified the “who” let us examine the “what.”  Under these regulations, each covered entity must develop a cybersecurity program designed to “ensure the confidentiality, integrity, and availability of the Covered Entity’s Information Systems (“IS”).” The cybersecurity program must:

  • identify internal and external cyber risks, including:
    • the Nonpublic Information (“NpI”) stored on the Covered Entity’s IS;
    • the sensitivity of that NpI; and
    • who has access to it;
  • use policies, procedures and defensive infrastructure to protect IS from unauthorized access or other malicious acts;
  • detect Cybersecurity Events;
  • respond to identified or detected Cybersecurity Events to mitigate them;
  • recover from Cybersecurity Events and restore normal operations and services; and
  • fulfill all regulatory reporting requirements.

Furthermore, a Cybersecurity Policy must be implemented and maintained and must minimally address the following:

  • Information Security;
  • data governance and classification;
  • access controls and identity management;
  • business continuity and disaster recovery planning and resources;
  • capacity and performance planning;
  • systems operations and availability concerns;
  • systems and network security;
  • systems and network monitoring;
  • systems and application development and quality assurance;
  • physical security and environmental controls;
  • customer data privacy;
  • vendor and third-party service provider management;
  • risk assessment; and
  • incident response

Some of the other activities the Covered Entities must undertake include:

  • designate a Chief Information Security Officer (“CISO”) responsible for overseeing and implementing the cybersecurity program and enforcing the cybersecurity policy;
  • conduct penetration testing and vulnerability assessments;
  • implement and maintain an audit trail;
  • review and limit access privileges;
  • write procedures for in-house applications, and for assessing and testing commercial applications;
  • conduct risk assessments;
  • employ cybersecurity personnel and provide them with ongoing training and updates related to cybersecurity;
  • develop written policies and procedures for IS “accessible to, or held by, third parties…;”
  • implement multi-factor authentication (“MFA”);
  • impose time limits on data retention;
  • provide and attend ongoing training;
  • encrypt NpI:
    • data in transit: encrypt unless infeasible, in which case appropriate alternative controls may be used for up to one year after the regulation becomes effective;
    • data at rest: encrypt where feasible; where not, alternative controls may be used for up to five years from the date the regulation takes effect;
  • develop a written incident response plan;
  • report Cybersecurity Events affecting NpI to the superintendent, and file yearly compliance reports.

Exemptions (a Covered Entity with):
  • fewer than 1,000 customers in each of the last three calendar years;
  • less than $5,000,000 in gross annual revenue in each of the last three fiscal years;
  • less than $10,000,000 in year-end total assets (calculated according to GAAP).

Effective date: January 1, 2017.

It certainly sounds like covered entities have been given a comprehensive list of to-do’s; however, when one looks more closely it becomes clear that the devil is in the details (or rather the lack thereof).

At a very high level, one can look to previous statements by the Cuomo administration touting how business-friendly New York is and how much the Government is doing to attract and retain businesses to the Empire State.  If you then look at these regulations in the context of a business climate you must consider what the true goals of the regulations are.  If the desire is to increase New York’s cybersecurity posture and to help both consumers as well as businesses to navigate these ever-changing and difficult technical areas then you have to consider — “was there perhaps a clearer, more efficient, and more compelling approach?”  These pages and pages of regulatory verbiage make it seem as though NY is committed to improving cybersecurity, by encouraging (mandating) that certain businesses move in this direction and that ultimately this helps to protect our personally identifiable information (“PII”).

If the Administration wanted to “help” make NY more cyber-secure, then working with entities and providing resources and assistance would seem a more prudent approach than simply promulgating regulations through DFS that will impact a very narrow business sector. While the insurance, financial, and banking sector is arguably critical and replete with NpI and PII, singling this sector out merely because it is licensed and can be controlled by DFS doesn’t serve the greater purpose. The Administration should be building relationships and helping small, new, and existing businesses to adopt sound cybersecurity policies, and to do so without having to bring in expensive outside expertise. The reality is that once you combine the sectors not covered by these regulations with the entities that can exempt out, you end up with a significant number of entities and persons that have access to, use, and retain PII, and that lack the technical expertise and the resources to adequately protect it.

 

Issues: CISO Mandate

According to a post by the NCX Group, “The Real Reason why Organizations aren’t hiring CISOs,” CISOs are often perceived as a holy grail: a mix of technical and business skills, able to single-handedly thwart attacks, maintain constant vigilance in an ever-changing vulnerability landscape, and bring bottom-line value to the organization. Furthermore, a recent Forbes article, “Top U.S. Cybersecurity Salaries Rise to $420,000,” notes that the average salary for a CISO in New York City is $406,000. Thus, even if some of these entities were to use a virtual CISO (“vCISO”) or a virtual Security Operations Center (“vSOC”), the outlay is likely to be significant, and to what end? Hiring a CISO or contracting with a vCISO is one small piece of the pie. There is still an inordinate amount of legwork required to assess the current state of information security, develop protocols and processes, implement new security controls, and train users, all of which are very real and direct hits to the bottom line. If the result is that firms simply relocate across the Hudson to avoid these new regulations, is that really a win for NY and for customers?

 

Issues: Third Parties

The regulations require that a Covered Entity’s contracts with third parties that hold its NpI include a number of cybersecurity provisions: the third party must encrypt NpI at rest and in transit; must use multi-factor authentication; must warrant that its service or product is free of malware or other mechanisms that might impair the Covered Entity’s IS or NpI; and must grant the Covered Entity the right to perform cybersecurity audits of the third-party service provider.

This is extremely problematic. Consider a Covered Entity that has been using Amazon Web Services (“AWS”) for its hosting and cloud computing needs. Once these regulations take effect, the Covered Entity must execute a new agreement with AWS that includes the aforementioned clauses. Unfortunately, the Covered Entity is going to be looking for a new service provider, because AWS is not going to rewrite its boilerplate contracts for a small Fortune 1000 covered entity. Even for a Fortune 100 company, AWS is unlikely to execute a contract that allows a customer to perform cybersecurity audits against AWS systems. In the vast majority of these cases the third party will not be on a par with the Covered Entity; it will hold the stronger bargaining position. The Covered Entity will thus be faced with moving to a smaller third party that has some flexibility in its contract provisions, bringing these services back in-house, or simply failing to comply. Each of those scenarios is replete with cybersecurity issues.

 

Issue: Encryption

Under these regulations, NpI that is deemed “infeasible” to encrypt will be exempt for a period of one to five years (one year for data in transit and five years for data at rest). First, the wide availability of data-at-rest encryption (“DARE”) sits oddly with a regulation that would allow data at rest to remain unencrypted for up to five years after it takes effect, while data in flight, which can likewise be encrypted by any number of open-source or commercial means, must be encrypted no later than one year after the regulations are implemented. How does this disparity further cybersecurity goals? What is the value of encrypting NpI while it is being transmitted and then allowing it to sit unencrypted at either end, or anywhere else it is at rest? To an attacker, this advertises that data at rest is the target: there is a strong likelihood it will be sitting around unencrypted, whereas data moving through the network is likely to be harder to correlate and exfiltrate.

 

Summary

If New York actually wants to improve the cybersecurity climate and remain business-friendly, then creating a NY-CISO and a NY Security Operations Center tasked with helping entities develop and adopt sound cybersecurity policies is more likely to yield positive results and a faster return on investment. In truth, the larger entities that would be subject to the DFS regulations already have, or are in the process of adding, a CISO, and they understand that their stakeholders demand at least basic cybersecurity hygiene. Consequently, all of the time and effort that went into developing these regulations, the press releases, and the “Victory for NY Cybersecurity” speeches could likely have been devoted to building a team that could actually go out and assist businesses and individuals, rather than creating feel-good, do-little, verbiage-laden regulations [Editor’s Note: the author acknowledges that he has no data with respect to the cost incurred to develop and promote these regulations. However, the author posits that this effort cost something and that these resources would have been better spent doing rather than drafting].

 

Consider a Different Approach

Create the NY-CISO, and build a team that will work alongside entities to help them move to a cyber-secure posture. Help businesses across NY, not just the big businesses in New York City. Build a cybersecurity cooperative that encourages information sharing and rewards, rather than punishes, businesses for initiating contact and securing PII. Provide NY businesses with the same liability relief they enjoy under the Cybersecurity Information Sharing Act (“CISA”) of 2015 (entities that share cyber threat indicators under the Act are shielded from liability arising from that sharing). Cybersecurity should be viewed as a basic function of the State, and as such the State should create an agency or department equipped to handle cybersecurity matters and able to improve the NY cybersecurity climate in both the public and private sectors. If we learned anything from the OPM data breach, it is that the public sector is not, and should not be, exempt from cyber-hygiene and cybersecurity policies and protocols.

The banking, insurance, and financial services industries are not the only ones that use and retain PII. We therefore need to tackle cybersecurity across the spectrum, not through the myopic lens of DFS’s definition of Covered Entities. The goal should be to protect PII, and any business that deals with PII should receive cybersecurity assistance in furtherance of that fundamental goal of the state. The cost of breaches for both consumers and businesses is enormous, and it is therefore in New York’s best interest to invest in education, training, and assistance to make NY a leader in cybersecurity and a model for the Nation. Rather than drafting regulations that mandate compliance and dictate “what” businesses must do, NY should invest in strengthening its industries, which will foster business development and promote, rather than prevent, the in-migration of people and businesses looking for a cyber-secure environment.