University of Texas at Austin Permanently Blocks TikTok on Network

On Tuesday, January 17, 2023, the University of Texas at Austin announced that it had blocked TikTok access across the university’s networks. According to the announcement to its users, “You are no longer able to access TikTok on any device if you are connected to the university via its wired or WIFI networks.” The measure was in response to Governor Greg Abbott’s December 7, 2022, directive to all state agencies to eliminate TikTok from state networks. Following the directive, the University had already removed TikTok from university-issued devices, including cell phones, laptops and workstations; the network block extends the restriction to personal devices while they are on university infrastructure.

Copyright © 2023 Robinson & Cole LLP. All rights reserved.


Another Lesson for Higher Education Institutions about the Importance of Cybersecurity Investment

Key Takeaway

A Massachusetts class action claim underscores that institutions of higher education will continue to be targets for cybercriminals – and class action plaintiffs know it.

Background

On January 4, 2023, in Jackson v. Suffolk University, No. 23-cv-10019, Jackson (Plaintiff) filed a proposed class action lawsuit in the U.S. District Court for the District of Massachusetts against her alma mater, Suffolk University (Suffolk), arising from a data breach affecting thousands of current and former Suffolk students.

The complaint alleges that an unauthorized party gained access to Suffolk’s computer network on or about July 9, 2022. After learning of the unauthorized access, Suffolk engaged cybersecurity experts to assist in an investigation, which Suffolk completed on November 14, 2022. The investigation concluded that an unauthorized third party gained access to and/or exfiltrated files containing personally identifiable information (PII) for students who enrolled after 2002.

The complaint further alleges that the PII exposed in the data breach included students’ full names, Social Security numbers, driver’s license numbers, state identification numbers, financial account information, and protected health information. While Suffolk did not release the total number of students affected by the data breach, the complaint alleges that approximately 36,000 Massachusetts residents were affected. No information was provided about affected out-of-state residents.

Colleges and Universities are Prime Targets for Cybercriminals

Unfortunately, Suffolk’s data breach is not an outlier. Colleges and universities present a wealth of opportunities for cybercriminals because they hold massive amounts of sensitive data, including employee and student personal and financial information, medical records, and confidential and proprietary research data, often spread across decentralized departmental systems. Because stolen data can be sold through open and anonymous forums on the dark web, colleges and universities will remain prime targets for cybercriminals.

Recognizing this, the FBI issued a warning to higher education institutions in March 2021, informing them that cybercriminals were targeting institutions of higher education with ransomware attacks (that alert concerned the PYSA ransomware variant). In May 2022, the FBI issued a second alert, warning that cyber criminals continue to attack colleges and universities and that stolen university network credentials were being advertised for sale on criminal forums.

Suffolk Allegedly Breached Data Protection Duty

In the complaint, Plaintiff alleges that Suffolk did not follow industry and government guidelines to protect student PII.  In particular, Plaintiff alleges that Suffolk’s failure to protect student PII is prohibited by the Federal Trade Commission Act, 15 U.S.C.A. § 45 and that Suffolk failed to comply with the Financial Privacy Rule of the Gramm-Leach-Bliley Act (GLBA),  15 U.S.C.A. § 6801.  Further, the suit alleges that Suffolk violated the Massachusetts Right to Privacy Law, Mass. Gen. Laws Ann. ch. 214, § 1B, as well as its common law duties.

How Much Cybersecurity is Enough?

To mitigate cyber risk, colleges and universities must not only follow applicable government requirements but also consider following industry best practices to protect student PII.

In particular, the GLBA Safeguards Rule (16 CFR part 314), which applies to colleges and universities through their participation in federal student financial aid programs, requires a covered organization to designate a qualified individual to oversee its information security program and to conduct written risk assessments that continually assess internal and external risks to the security, confidentiality and integrity of customer information. After the risk assessment, the organization must design and implement safeguards that address the identified risks and document those safeguards. See 16 CFR § 314.4. The 2021 amendments to the Safeguards Rule also require specific technical controls, including access controls, encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing customer information, and either continuous monitoring or annual penetration testing with semiannual vulnerability assessments.

Suffolk, as well as other colleges and universities, may also want to look to Massachusetts law for guidance on how to further invest in a cybersecurity program. Massachusetts was an early leader among U.S. states when, in 2007, it enacted Mass. Gen. Laws ch. 93H, whose § 2 (“Regulations to safeguard personal information of commonwealth residents”) directed the state to issue data security regulations. Those regulations, 201 CMR 17.00 (the Data Security Regulations), took effect in 2010 and require any organization that holds personal information about Massachusetts residents to maintain a written information security program (WISP). The regulations, still among the most prescriptive general data security rules at the state level, set forth a list of minimum requirements for that WISP that, while not specific to colleges and universities, serves as a good cybersecurity checklist for all organizations:

  1. Designation of one or more employees responsible for the WISP.
  2. Assessments of risks to the security, confidentiality and/or integrity of organizational information and of the effectiveness of the current safeguards for limiting those risks, including ongoing employee and independent contractor training, compliance with the WISP, and tools for detecting and preventing security system failures.
  3. Employee security policies relating to protection of organizational information outside of business premises.
  4. Disciplinary measures for violations of the WISP and related policies.
  5. Access control measures that prevent terminated employees from accessing organizational information.
  6. Management of service providers that access organizational information as part of providing services directly to the organization, including retaining service providers capable of protecting organizational information consistent with the Data Security Regulations and other applicable laws, and requiring service providers by contract to implement and maintain appropriate measures to protect organizational information.
  7. Physical access restrictions for records containing organizational information and storage of those records in locked facilities, storage areas or containers.
  8. Regular monitoring of the WISP to ensure that it is preventing unauthorized access to or use of organizational information, and upgrading the WISP as necessary to limit risks.
  9. Review of the WISP at least annually, or more often if business practices that relate to the protection of organizational information materially change.
  10. Documentation of responsive actions taken in connection with any “breach of security” and mandatory post-incident review of those actions to evaluate the need for changes to business practices relating to protection of organizational information.

An organization that decides not to implement one of these controls should document the decision-making process as a defensive measure. Note also that the Massachusetts regulations impose technical requirements on computer systems (201 CMR 17.04) in addition to the program-level items above, including secure user authentication and access controls, encryption of personal information transmitted over public networks or stored on portable devices, monitoring of systems for unauthorized access, reasonably up-to-date firewall and patch management, current anti-malware protection, and employee security training. By implementing these requirements and recommendations, colleges and universities can best position themselves to thwart cybercriminals and plaintiffs alike.

© Copyright 2023 Squire Patton Boggs (US) LLP

The Scope of Attorney-Client Privilege Over Dual-Purpose Communications

The Supreme Court will evaluate the scope of attorney-client privilege when applied to communications shared between counsel and client that involve both legal and non-legal advice (“dual-purpose communications”). The decision of the highest court will have long-lasting implications for both business organizations and their retained counsel. The importance of this case cannot be overstated.

In this matter, the grand jury issued subpoenas to an anonymous law firm seeking documents related to the government’s investigation of the firm’s client. The law firm had provided both legal and business services to the client by advising on tax-related legal issues and preparing the client’s annual tax returns. When the law firm and client (“Petitioners”) withheld certain correspondence on the grounds that they were protected by attorney-client privilege and the work-product doctrine, the government moved to compel the production of those documents. The district court held that, while the correspondence contained a “dual-purpose,” they were not protected by attorney-client privilege because the primary purpose of the correspondence was to obtain business tax advice and not legal advice.

On appeal, Petitioners argued that the appellate court should apply the “because of” test rather than the “primary purpose” test. The “because of” test asks whether the dual-purpose correspondence was made because of a need for legal advice. The application of this test would expand the scope of attorney-client privilege and protect the correspondence at issue. The Ninth Circuit Court of Appeals, however, rejected Petitioners’ argument and affirmed the district court’s decision. Petitioners appealed the Ninth Circuit’s decision, and the Supreme Court granted certiorari on October 3, 2022.

The Supreme Court’s decision in In re Grand Jury, No. 21-1397, will be of particular significance for in-house counsel who regularly provide both business and legal advice to their employers. For outside counsel, the outcome of this case will shed light on the standard to be applied for asserting privilege over dual-purpose communications. Oral argument occurred on January 9, 2023 at the Supreme Court.


© Polsinelli PC, Polsinelli LLP in California

IP Rights in Virtual Fashion: Lessons Learned in 2022 and Unanswered Questions

There was a lot of talk and much hype about the “metaverse” in 2022. While some were skeptical and stayed on the sidelines to watch, many companies began offering virtual counterparts to their real-world products for use by avatars in the metaverse, including virtual clothing and accessories. For example, Tommy Hilfiger live-streamed a virtual fashion show on Roblox as part of the New York Fashion Week, and Decentraland hosted a Metaverse Fashion Week. Many companies also introduced NFTs into fashion product lines, such as Alo’s NFT offering.

The emergence of virtual goods has generated novel questions about how to protect and enforce IP rights in virtual fashion, and how those strategies might differ from IRL (meaning “in real life”) fashion. Although many questions remain unanswered, this article sets out important considerations for how companies might use various IP laws to protect virtual fashion goods in the United States.

I. DISTINCTIONS BETWEEN VIRTUAL FASHION AND IRL FASHION

Before diving into the IP discussion, it’s worth highlighting some distinctions between virtual fashion and IRL fashion outside the legal context, beyond the obvious fact that virtual fashion is worn by avatars. IRL clothing and accessories are worn primarily for protection against the elements, to conform to societal standards, to conform with a specific event’s dress requirements, to communicate via express messages on clothing or accessories, or to express oneself through the style or design of the clothing.

Virtual fashion can also serve each of those purposes for an avatar, and in some cases the person behind the avatar. But, because it is comprised of software code, the possibilities for virtual fashion utility are endless. For example, a particular piece of virtual clothing can also grant access to certain virtual spaces or events or give the avatar special powers within virtual worlds. If tied to an NFT (non-fungible token), virtual clothing can also provide benefits on and off virtual platforms, including exclusive access to sales promotions and IRL events.

Unlike IRL clothing, however, virtual fashion items currently face compatibility limitations, as the ability to use any virtual fashion item across all virtual platforms is unlikely.

To muddy the waters, as virtual and augmented reality technologies are becoming more popular, they can blur the lines between IRL and virtual fashion. For example, an IRL sweatshirt, when viewed through an appropriate lens, could feature virtual components.

II. IP PROTECTION FOR VIRTUAL FASHION

Because there are no IP laws specific to virtual fashion items, we must seek protection from laws that have traditionally applied to real-life clothing, namely, trademark, trade dress, copyright, and design patent. But the application of these laws can sometimes differ in the virtual context. Each is addressed below.

A. TRADEMARK

Trademark law protects source identifiers such as words, names, logos, and slogans. Obtaining trademark rights specifically in virtual goods, whether acquired through use in commerce or federal registration, is generally straightforward and similar to marks covering IRL fashion. This is evidenced by many marks that were registered in 2022 and specifically cover virtual goods.

That said, even if a company does not have trademark coverage specifically for its virtual goods, the owner of a trademark covering IRL fashion items should have strong arguments that such trademark rights extend to their virtual counterparts. To that point, the U.S. Patent & Trademark Office (USPTO) has refused registration of marks covering virtual goods and services based on prior registrations for the identical marks covering the corresponding IRL goods and services. See, e.g., the refusals of Application No. 97112038 for the mark GUCCI and Application No. 97112054 for the mark PRADA, each of which was filed by a party unrelated to the famous brand.

However, for purposes of enforcement outside of the USPTO context, if a defendant’s goods are virtual, it would have a stronger argument that such goods are not commercial products, but rather expressive works protected by the First Amendment. If a court accepts such an argument, it must then weigh the plaintiff’s trademark rights against the defendant’s First Amendment right of free expression, meaning it would be more challenging for a brand owner to enforce its trademark rights.

In this regard, please see our earlier alert regarding the Hermès v. Rothschild case, in which the court deemed NFTs tied to images of bags called “MetaBirkins” subject to First Amendment protection. [1] In denying Rothschild’s motion to dismiss, the court acknowledged in a footnote that virtually wearable bags (i.e., as opposed to virtual fashion that is displayable but not wearable) might not be afforded First Amendment protection. But we suspect defendants will argue even virtually wearable items should be afforded First Amendment protection, especially given that video games have received such protection. [2]

On balance, companies should consider seeking federal trademark registration specifically for virtual goods and services, for a few reasons:

  • More direct coverage could help a company in an enforcement action against infringing virtual goods, even if the defendant successfully argues it should be entitled to First Amendment protection. For instance, if the plaintiff has direct coverage for virtual goods, it may be easier to prove the defendant’s use of the mark was “explicitly misleading” under the Rogers test. [3]
  • Certain platforms featuring virtual fashion items may only honor a takedown request if the complainant company has a federal registration covering goods that are the same as or nearly identical to the allegedly infringing virtual goods.
  • The registration will provide a presumption of valid trademark rights nationwide, and it may serve as a deterrent to third parties wishing to use confusingly similar marks in virtual worlds.

B. TRADE DRESS

U.S. trademark law also protects certain source-identifying elements of a product’s aesthetic design, configuration/shape, and packaging, often referred to as “trade dress.” To obtain trade dress protection, such elements must be (1) non-functional and (2) distinctive (either inherently or acquired through use). There are a couple of interesting nuances with respect to acquiring trade dress protection in the virtual context.

First, although we have not yet seen any case law specifically addressing this, companies will likely have stronger arguments that virtual shape or design elements (as opposed to IRL elements) are non-functional. Specifically, the non-functionality requirement means the relevant elements must not be essential to the use or purpose or affect the cost or quality of the article. For real-life fashion items, this can be difficult to meet due to the inherently functional nature of many aspects of clothing or accessories. However, because virtual fashion items are essentially software code with endless possibilities, in many instances the fashion item will not require any particular design or shape to function.

Second, some virtual fashion items could receive more favorable treatment from a distinctiveness perspective. The distinctiveness requirement has historically been a difficult barrier for protecting IRL fashion. Specifically, case law prior to 2022 established that, while packaging can sometimes be inherently distinctive, product design and configuration/shape can never be, meaning companies must prove such elements have acquired distinctiveness. Proving acquired distinctiveness is burdensome because the company must have used the elements extensively, substantially exclusively, and continuously for a period of time. Often, by the time a company can acquire distinctiveness in the design, the design is no longer in style. Or, if a design is popular and copied by third parties, it can be difficult for the company to claim it used the design substantially exclusively.

If, however, a virtual fashion item provides the user with benefits that go beyond merely outfitting the avatar, such as by providing access to other products or services, one might argue that those items should be construed as packaging, or some new category of trade dress, for such other products or services, in which case the elements could possibly be deemed inherently distinctive with respect to those other products or services.

That said, if a company already has trade dress protection for IRL fashion goods, it should have good arguments that the protection extends to any virtual counterpart. On the flip side, given the difficulties companies typically face in seeking trade dress protection in IRL fashion, to the extent they can obtain trade dress protection in a virtual counterpart more easily, perhaps they can argue that the rights in the virtual goods should also extend to the physical counterpart. Or, if a company introduces a physical design and a virtual design simultaneously, it could possibly acquire distinctiveness in both sooner, as the simultaneous use would presumably create greater exposure to more customers and reinforce the source-identifying significance of the claimed elements.

With respect to enforcement, as with traditional marks, defendants are more likely to raise a successful First Amendment defense against claims that virtual products infringe trade dress. The Hermès case is again an example of this: Hermès alleged infringement of both its BIRKIN word mark and the trade dress rights in the design of its handbags, and the court held that the defendant’s MetaBirkin NFTs were entitled to First Amendment protection.

Finally, although obtaining trade dress protection is typically more difficult than obtaining trademark protection for traditional marks such as words and logos, companies should also consider seeking registration for trade dress in virtual goods, particularly for important designs that are likely to carry over from season to season, for the same reasons discussed in the trademark section above.

C. COPYRIGHT

Copyright protects original works of authorship that contain at least a modicum of creativity, which is a relatively low bar. However, copyright does not protect useful articles. In effect, for IRL fashion items, copyright generally extends only to those designs that would be entitled to copyright protection if they were extracted or removed from the clothing or viewed on a different medium, and not to the shape of the fashion item itself.

Like trade dress protection, copyright protection should provide companies with greater protection for virtual fashion items than would be available for IRL items, particularly because the software behind the virtual fashion can theoretically create an infinite number of clothing shapes that are creative and not necessarily “useful.” Nonetheless, if a virtual clothing item is merely shaped like its IRL counterpart that lacks originality (e.g., a virtual t-shirt shaped like a basic real-life t-shirt), it may also fail to qualify for copyright protection based on a lack of creativity.

Unlike trade dress protection, however, copyright protection arises immediately upon creation of the work and its fixation in a tangible medium of expression, so it can be a useful tool for protecting virtual fashion without having to spend the time and resources required to seek registration as trade dress and establish acquired distinctiveness.

In addition, unlike IRL fashion, a separate copyright protects the underlying source code for virtual clothing items, which could provide owners with an additional, though likely limited, claim against unauthorized source code copycats.

A copyright registration will provide owners with the ability to sue for copyright infringement, but companies should balance:

  • the benefits of seeking potentially broader copyright protection in virtual fashion items (apart from the code) than it would for IRL items with the risks of conceding that virtual fashion items are works of art entitled to First Amendment protection, which would make trademark and trade dress enforcement more difficult; and
  • the benefits of obtaining a copyright registration for source code with the benefits of keeping the source code secret (the Copyright Office generally requires a deposit of the first and last 25 pages of source code, which becomes part of the public record; it permits trade secret material to be redacted, but only within limits).

We are unaware of any 2022 case law specifically addressing copyright in virtual fashion. However, the following cases are worth watching:

  • Andy Warhol Found. for Visual Arts, Inc. v. Goldsmith[4]: In October 2022, the U.S. Supreme Court heard arguments regarding whether Andy Warhol’s “Prince Series” silk screen prints and pencil drawings based on a photograph infringed the photographer’s copyright, or whether they were sufficiently “transformative” to constitute fair use. The outcome of this case could affect a copyright owner’s ability to enforce copyrights against unauthorized digital reproductions of its work, especially if the original work is fixed in a physical medium (e.g., enforcing copyright in a physical clothing item against a third party’s digital reproduction).
  • Thaler v. Perlmutter[5]: Filed in June 2022, the plaintiff is suing the U.S. Copyright Office for refusing registration of an AI-created image because there was no human author. The outcome of this case will necessarily implicate virtual fashion incorporating any AI-generated work.

D. DESIGN PATENT

Design patents protect the ornamental appearance or look of a unique product. Specifically, they protect any new, original, and ornamental design for an article of manufacture. Traditionally, this law was interpreted to require that the article of manufacture is a physical or tangible product. Thus, in the fashion industry for example, one can file a design patent application directed to a unique shoe, handbag, or jewelry design. Historically, an image or picture would not qualify for design patent protection.

However, the USPTO is currently assessing design patents with respect to new technologies such as projections, holograms, and virtual and augmented reality. In December 2020, the USPTO issued a request for public comment regarding a potential rule change to the “article of manufacture” requirement and whether U.S. law should be revised to protect digital designs. Public opinion was mixed, and in April 2022, the USPTO issued a summary of this requested information.

Although the USPTO has not yet formally revised the rules, it has issued guidelines over the years that provide examples of non-physical products that could be protected by a design patent, suggesting changes may ultimately be coming to U.S. design patent law. For example, in 1995, the USPTO released guidelines for design patent applications claiming computer-generated icons. In general, to be eligible for protection, the computer-generated icon must be embodied in a computer screen monitor, or other display monitor. The USPTO has also issued guidance allowing type font to be protectable by design patents. However, it is still unclear whether the USPTO will set forth design patent guidance specific to digital designs or virtual fashion.

Notwithstanding the possibility of obtaining a design patent specifically on such virtual goods, courts have been reluctant to find that a virtual product infringes the design patent for an IRL product. For example, in 2014, in P.S. Products, Inc. v. Activision Blizzard, Inc.,[6] P.S. Products accused Activision of infringing its design patent directed to a stun gun by depicting a virtual weapon in its video game that P.S. Products claimed resembled its patent-protected IRL product.

The court found there was no infringement because “no ordinary observer would be deceived into purchasing a video game believing it to be plaintiffs’ patented stun gun.” This case may have come out differently if the virtual gun was sold separately from the video game and could be used across various platforms rather than being one component of a particular video game. Although there are still software compatibility restrictions for virtual goods, portability of virtual goods is likely to grow as technology evolves and companies respond to consumer demands.

While we wait for further USPTO guidance that ultimately may have application to virtual fashion, parties seeking design patent protection may consider simultaneously filing one application to protect the work as a digital design on a display screen, like a patentable computer-generated icon, and a second, traditional design patent application to protect the design as a tangible product. That said, companies should consider other options for protecting any designs created by AI, as the Federal Circuit Court of Appeals held in 2022 that AI cannot qualify as an inventor for purposes of obtaining a patent.[7]

III. Virtual Fashion in Practice

Contracts relating to virtual fashion are analogous to contracts for IRL fashion and should be structured accordingly. For instance, companies should ensure that contracts with IP contributors include an assignment of all IP rights, or at least a sufficiently broad license. In the virtual context, this includes rights to the software code itself. Likewise, downstream licensing should generally address ownership, licensee rights, and if applicable, confidentiality for any trade secrets in the source code. In addition, for both IP contributors and licensees, if AI software is used in any part of the creative process, companies should give thought to allocation of ownership.

In addition, some designers or marketing teams may prefer to encourage a brand’s customer base to copy its designs or create derivative works. Although this seems counterintuitive (especially to an IP lawyer), many players in the Web3 space encourage others to build off their own designs. For example, the Bored Ape Yacht Club (BAYC), known for issuing NFTs tied to images of apes, grants owners of its NFTs the right to use the images, including for commercial purposes.[8] One purchaser of a Bored Ape NFT, for instance, created a Bored Ape-themed restaurant.

In the virtual fashion context, if a marketing team wants customers to build off the brand’s virtual designs but wants to retain ownership of its own designs (and perhaps derivatives), it should implement standard licensing terms relating to ownership, customer licensee rights, and other provisions. However, it’s important to consider how the terms are presented and how customers indicate assent to maximize the prospects of enforceability.

From a business perspective, companies can also use NFTs and smart contracts to collect royalties on downstream sales or licenses. A caveat a technical reviewer would add: the NFT itself does not enforce royalties. The token contract can publish royalty terms (for example through the ERC-2981 royalty standard), but the payment is made, or not, by the marketplace contract that settles the sale, so “automatic” royalties hold only on platforms that honor those terms or that the brand has bound by contract. Similarly, because NFTs use blockchain technology, the ledger provides an immutable record of every transfer of the token, which lets third parties trace a token back to the contract that minted it. That record authenticates the token, not the artwork: the design file is usually stored off-chain at a URI the token points to, so a third party confirming legitimacy should check that the minting contract address is the one the brand published, not merely that some token exists. Accordingly, although encouraging customers to use the brand’s designs may not be a model for every brand, there are steps brands can take to protect the IP rights associated with those designs and to reap financial benefits.
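To make the royalty point concrete, the following is an added example, not code from the article or from any brand or platform it mentions: an ERC-721 token contract that publishes royalty terms through the ERC-2981 interface using OpenZeppelin’s library (assumed version 5.x; the contract name, token symbol and 5% figure are illustrative). Nothing in it moves funds. The marketplace contract that settles a sale has to call `royaltyInfo` and pay the returned receiver; a marketplace that skips that call pays nothing, and the token contract has no way to stop the transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the article. Assumes OpenZeppelin Contracts 5.x
// (the import paths, the Ownable(initialOwner) constructor and the ERC2981
// mixin are from that version). Names and the 5% royalty are illustrative.
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/token/common/ERC2981.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

contract VirtualGarment is ERC721, ERC2981, Ownable {
    uint256 private _nextTokenId;

    /// @param royaltyReceiver address that should receive resale royalties
    /// @param feeBasisPoints royalty in basis points; 500 means 5% of the sale price
    constructor(address royaltyReceiver, uint96 feeBasisPoints)
        ERC721("VirtualGarment", "VGMT")
        Ownable(msg.sender)
    {
        // Records the royalty terms for every token. This only stores the
        // terms so that royaltyInfo() can report them; it does not and cannot
        // force any marketplace to pay them.
        _setDefaultRoyalty(royaltyReceiver, feeBasisPoints);
    }

    /// Mint one garment token to `to`. Only the brand (contract owner) can mint,
    /// so a Transfer event from address(0) emitted by this contract address is
    /// what a third party checks to confirm a token's provenance.
    function mint(address to) external onlyOwner returns (uint256 tokenId) {
        tokenId = _nextTokenId++;
        _safeMint(to, tokenId);
    }

    /// Override the royalty for a single token, e.g. a collaboration piece whose
    /// proceeds are split differently from the default.
    function setTokenRoyalty(uint256 tokenId, address receiver, uint96 feeBasisPoints)
        external
        onlyOwner
    {
        _setTokenRoyalty(tokenId, receiver, feeBasisPoints);
    }

    // Both parents implement ERC-165; advertise ERC-721 and ERC-2981 support so
    // a marketplace can discover that royaltyInfo() is available on this token.
    function supportsInterface(bytes4 interfaceId)
        public
        view
        override(ERC721, ERC2981)
        returns (bool)
    {
        return super.supportsInterface(interfaceId);
    }
}
```

A compliant marketplace calls `royaltyInfo(tokenId, salePrice)` before settling and forwards the returned amount to the returned receiver; with the 500-basis-point default, a 1 ETH sale returns the royalty receiver and 0.05 ETH. Whether the marketplace makes that call is a property of the marketplace, not of the token, which is why “automatic” royalties are best read as a contractual expectation backed by the platforms a brand chooses to list on.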

As virtual fashion items become more popular, companies are faced with uncertainties and novel questions regarding how to protect and enforce their IP rights. In 2022, some questions were answered, but many more remain open. Therefore, it is important to discuss strategies for protecting innovative virtual fashion with IP counsel.

FOOTNOTES

[1] Notably, on December 30, 2022, the Hermès court denied both parties’ motions for summary judgment, with an opinion to follow by January 20. A jury trial is scheduled to begin on January 30, 2023. Hermès International, et al. v. Mason Rothschild, 1:22-cv-00384-JSR (S.D.N.Y.).

[2] See, e.g., AM Gen. LLC v. Activision Blizzard, Inc., 450 F. Supp. 3d 467, 485 (S.D.N.Y. 2020).

[3] If a defendant’s unauthorized use of a mark is protected by the First Amendment, many courts use the Rogers test to balance the plaintiff’s trademark rights with the defendant’s First Amendment right of expression. This test looks at whether the defendant’s use of the plaintiff’s mark was artistically relevant and, if so, whether it was explicitly misleading. Rogers v. Grimaldi, 875 F.2d 994 (2d Cir. 1989).

[4] 11 F.4th 26 (2d Cir. 2021), cert. granted, 142 S. Ct. 1412 (2022).

[5] Case No. 1:22-cv-01564 (D.D.C.).

[6] 140 F. Supp. 3d 795, 802 (E.D. Ark. 2014).

[7] Thaler v. Vidal, 43 F.4th 1207, 1213 (Fed. Cir. 2022).

[8] We will save for another day a discussion of the recent lawsuit against BAYC and many celebrities for failing to disclose financial incentives when promoting the BAYC NFT collection, and instead focus here on IP protection. Adonis Real, et al., v. Yuga Labs, Inc., et al., 2:22-cv-08909 (C.D. Cal.). But companies should also ensure that influencers properly disclose any incentives and other material connections.


©2023 Pierce Atwood LLP. All rights reserved.

Top Legal News of 2022: A Review of the Most Notable and Newsworthy Thought Leadership from the National Law Review’s Contributors

Happy New Year from the National Law Review! We hope that the holiday season has been restful and rejuvenating for you and your family. Here at the NLR, we are wrapping up the second season of our legal news podcast, Legal News Reach. Check out episode seven here: Creating A Diverse, Equitable and Inclusive Work Environment with Stacey Sublett Halliday of Beveridge & Diamond! A few weeks ago, we also announced the winners of our 2022 Go-To Thought Leadership Awards! Each year, around 75 recipients are selected for their timely and high-quality contributions to the National Law Review. This year’s slate of winners was particularly competitive – to see the full list, check out our 2022 National Law Review Thought Leadership Awards page.

As we look forward to a bright and busy 2023 for the legal industry, it is more prudent than ever to review the previous year and all that came with it. 2022 was a chaotic and monumental year for not only the legal profession, but for the world at large. The invasion of Ukraine, global supply chain issues, and the ongoing coronavirus pandemic were only some of the many challenges all industries and sectors faced. In the United States, companies and employers dealt with enormous changes at every level, including but not limited to the reversal of Roe v. Wade, shifting attitudes toward cannabis legalization, and ever-changing standards for COVID-19 vaccinations.

Read on below for some thought leadership highlights from this past year, and for a reminder of all that we’ve passed through in 2022:

January

Most prominently in 2022, the US Supreme Court handed down substantial rulings on coronavirus vaccine mandates, which affected not only healthcare workers but all employers across the country. With a 6-3 majority, SCOTUS stayed the Biden Administration’s OSHA Emergency Temporary Standard that applied to all private employers, but simultaneously ruled, in a 5-4 unsigned majority opinion, that vaccine mandates for medical facilities and medical workers can remain.

January also saw noteworthy changes to labor law in the United States, inviting a handful of significant standard changes for all employers. At the end of 2021 and early in 2022, the NLRB considered cases that altered the standard for determining independent contractor status, as well as the standard that established whether a facially neutral work rule violates Section 8(a)(1) of the National Labor Relations Act. These changes also paved the way for briefings on determining appropriate bargaining units.

Read January 2022’s thought leadership focusing on Labor and Employment law and the related Supreme Court rulings below for more information:

Supreme Court Stays Private Vaccine Mandate; Upholds Requirement for Certain Healthcare Workers

On Again, Off Again Vaccine Mandates: What Should Employers Do Now?

NLRB Rings in the New Year by Inviting Briefing on Multiple, Far-Reaching Standards Impacting Employers

February

On February 24, 2022, Russia launched a large-scale ground invasion of Ukraine, leading to considerable damage and loss of life and throwing the geopolitical landscape into chaos. Both in February and in the months since, the Russia-Ukraine war has placed an extraordinary strain on the global supply chain and businesses around the world, as the European Union, the United Kingdom, and the United States have continued to enforce sanctions and trade regulations. Companies must be careful to comply with these orders as the political landscape continues to change, and must learn how to juggle the dual headaches of the lingering COVID crisis and the evolving war in Ukraine.

Domestically, President Biden nominated Ketanji Brown Jackson to the US Supreme Court. Succeeding Justice Stephen Breyer, Judge Jackson graduated magna cum laude from Harvard University in 1992 and cum laude from Harvard Law in 1996 and has since served as a judge on the U.S. Court of Appeals for the District of Columbia Circuit. She is the first African American woman to serve on the United States’ highest court of law.

Read select thought leadership articles below for more information:

President Biden Nominates D.C. Circuit Judge Ketanji Brown Jackson to U.S. Supreme Court

Russian Invasion of Ukraine Triggers Global Sanctions: What Businesses Need to Know

Consequences from the Ukrainian Conflict

March

March of 2022 saw the long-term impacts from the military conflict in Ukraine emerge locally and around the world. Sanctions continued to affect businesses, leading to global supply chain slowdowns, difficulties in manufacturing and shipping, and new immigration changes and challenges. In the US, the Securities and Exchange Commission (“SEC”) issued new and noteworthy regulations regarding Environmental, Social & Corporate Governance (“ESG”) and climate change disclosures for public companies. The Supreme Court also heard oral argument in a large slate of cases, perhaps most notably ZF Auto. US v. Luxshare, Ltd. and AlixPartners v. The Fund for Prot. of Inv. Rights in Foreign States, which interpreted the reach of 28 U.S.C. § 1782 (“Section 1782”) in seeking US-style discovery from an interested party to a foreign proceeding, and whether or not Section 1782 can be used to obtain key information for private international arbitrations.

Read key thought leadership articles published in March for more details:

SEC Issues Long-Awaited Proposed Rule on Climate Disclosures

U.S. Supreme Court Hears Oral Argument on Circuit Split Over Scope of 28 U.S.C. § 1782 for Obtaining Discovery in International Arbitrations

The Effects of the Military Conflict in Ukraine on Supply Contracts

April

In April of 2022, the Biden Administration made notable changes to the National Environmental Policy Act, better known as NEPA, which had been substantially altered under the Trump Administration. A number of key provisions were returned to their pre-Trump state in order to better center the administration’s larger focus on environmental justice. Also of note, a US court for the first time contested the Centers for Disease Control and Prevention’s (“CDC’s”) travel mask mandate, on the grounds that it exceeded the CDC’s statutory authority under the Administrative Procedure Act (“the federal APA”). This ultimately led to the vacating of the COVID travel mask mandate on a nationwide basis.

Elon Musk announced his intention to purchase Twitter in April of 2022, as well. Twitter ultimately adopted a shareholder rights plan, known as a poison pill, in hopes of preventing Musk’s hostile takeover. Poison pills are widely regarded as an effective but draconian anti-takeover defense.

Read select thought leadership articles below for more information:

Biden Administration Walks Back Key Trump Era NEPA Regulation Changes

Twitter Board of Directors Adopts a Poison Pill

Administrative Law Takeaways from the Federal Travel Mask Mandate Decision

May

On May 17th, the first case of Monkeypox in the United States was reported in Massachusetts. In response, the Environmental Protection Agency (“EPA”) and the federal government implemented a number of policy changes in hopes of preventing a wider spread, including the speedy authorization of anti-Monkeypox claims for certain registered pesticides and disinfectant products.

The SEC and administrative law at large received a considerable blow after the Fifth Circuit’s ruling in Jarkesy v. SEC. The Fifth Circuit held that the SEC’s in-house courts violated a series of constitutional protections, which may have far-reaching impacts on how administrative bodies are used to regulate in the future. Additionally in May, the Senate confirmed Commissioner Alvaro Bedoya to the Federal Trade Commission (“FTC”), shifting the balance of power at the Commission back in favor of the Democratic Party.

Read the following highlighted thought leadership articles published in May for more information:

EPA Authorizes Anti-Monkeypox Claims for Pre-Designated Disinfectant Products

Fifth Circuit Holds That SEC Administrative Law Courts Are Unconstitutional

Big News at The FTC: Democrats Finally Get the Majority Back

June

In June of 2022, the Supreme Court released its decision in Dobbs v. Jackson, reversing Roe v. Wade’s 50-year precedent of ensuring abortion as a protected right. Dobbs is a momentous decision and has resulted in a myriad of complex issues for employers, healthcare providers and individuals, including the updating of employee policies, healthcare provisions, ethical and criminal considerations for healthcare providers and the protection of personal data, and ultimately represents a massive shift away from women’s bodily autonomy in the United States. The partial advance leak of the Dobbs ruling added to the myriad of concerns about the stability and public perception of the Supreme Court.

Other notable litigation and legislation in June included the passing of the Uyghur Forced Labor Prevention Act, subjecting the importers of raw materials from China to new enforcement provisions. The Supreme Court also ruled in West Virginia v. EPA, limiting the SEC’s ability to enforce ESG requirements on public companies. The West Virginia v. EPA ruling presents a considerable obstacle for the Biden Administration’s ongoing climate goals.

Read select legal news articles below for more information:

Employment Law This Week: SCOTUS Overturns Roe v. Wade – What Employers Should Consider [VIDEO]

Uyghur Forced Labor Prevention Act Enforcement Starts on Imports from China and on Imports with China Origin Inputs

Implications of West Virginia v. EPA on Proposed SEC Climate Rules

July

July of 2022 saw a great deal of changes to the Equal Employment Opportunity Commission’s (“EEOC’s”) COVID testing guidance for employers. The largest change concerns determining whether testing is needed to prevent workplace transmission and interpreting the business necessity standard under the Americans with Disabilities Act (“ADA”). The labor law landscape around the country also saw an increased focus on pay transparency laws – most notably, New York state passed a bill requiring employers to post salary or wage ranges on all job listings. Notably, this law is quite similar to those already in effect in New York City, Washington state, Colorado, and Jersey City.

Beginning most prominently in July, the cryptocurrency world also found itself under increased scrutiny by the federal government. Of note this month, the SEC filed a complaint against certain Coinbase employees, alleging insider trading and claiming that these employees had tipped off others regarding Coinbase’s listing announcements. This move was one of the more aggressive moves made by the SEC toward the digital asset industry.

Read select legal thought leadership articles published in July for more information:

EEOC Revises COVID-19 Testing Guidance for Employers

SEC v. Wahi: An Enforcement Action that Could Impact the Broader Crypto / Digital Assets Industry

Pay Transparency Laws Are All The Rage: Looks Like New York State Is Joining the Party

August

On August 12, 2022, the Inflation Reduction Act (“IRA”) was passed by Congress, representing enormous changes for industries across the country. Perhaps most notably, the landmark legislation contained new government incentives for the clean energy sector, creating tax incentives for renewable energy projects that previously did not exist. The Act also included a 15% alternative minimum corporate tax and a 1% excise tax on stock buybacks to raise government revenue.

The Inflation Reduction Act also provided significant funding for tribal communities, including but not limited to the reduction of drug prices, the lowering of energy costs, and additional federal infrastructure investments. While the funding is not as significant as COVID relief from previous years and there are still some remaining hurdles, the IRA provides groundbreaking new opportunities for Native communities, including those in Alaska and Hawaii.

Read the select legal articles published in August for more information:

The Inflation Reduction Act: How Do Tribal Communities Benefit?

The Inflation Reduction Act: A Tax Overview

Relief Arrives for Renewable Energy Industry – Inflation Reduction Act of 202

September

In September of 2022, Hurricane Ian made landfall in the United States, causing substantial property damage and loss of life despite preparations ahead of time. After addressing safety concerns, policyholders began reviewing their insurance policies, collecting documentation and filing claims. In addition to filing claims for property damage, corporate policyholders also filed claims for business interruption and loss of business income.

Lawsuits opposing the remaining COVID-19 vaccine mandates also continued throughout the month of September, exceeding 1,000 complaints nationally. Previously, lawsuits had largely targeted the Biden Administration, but additional focus was also directed toward large employers with vaccine mandates.

Of global significance, Queen Elizabeth II, the UK’s longest reigning monarch, passed away at 96 years old. Her funeral was held September 19, 2022, and was a national holiday in the United Kingdom marking the last day of public mourning.

Read the following key thought leadership articles on Hurricane Ian, the UK bank holiday for the Sovereign’s passing, and employers’ COVID mandate headaches for more information:

Hurricane Ian – Navigating Insurance Coverage

Bank Holiday Announced for Her Majesty Queen Elizabeth II’s State Funeral

Challenges Against Employer COVID-19 Vaccine Mandates Show No Sign of Slowing

October

October saw forward movement in environmental justice, cannabis decriminalization, and Artificial Intelligence (“AI”) regulation. The EPA launched its new Office of Environmental Justice and External Civil Rights to work with state, local, and tribal partners, providing financial and technical support to underserved communities disproportionately impacted by the ill effects of climate change. The EPA’s new office has 200 staff members across 10 regions and is expected to provide a unifying focus on civil rights and environmental justice for the EPA and the federal government as a whole.

President Biden’s pardon of federal marijuana charges and mandate to review the plant’s Schedule I status signaled a shift in cannabis regulation, with the president urging state officials to follow his example and consider the contrast between wealthy cannabis business owners and those imprisoned for possession in the recent past.

Later in the month, the White House Office of Science and Technology Policy addressed the swell of artificial intelligence technology with their Blueprint for an AI Bill of Rights, which provides guidelines to prevent privacy violations, implicit bias, and other forms of foreseeable harm.

Read selected thought leadership articles below for more information:

EPA Launches Their New Office: What Does the Office of Environmental Justice and External Civil Rights Mean for Companies and ESG in the United States?

“Up in Smoke?” President Biden Announces Pardons and Orders Review of Cannabis Classification

The White House’s AI Bill of Rights: Not for the Robots

November

November was dominated by a nail-biting midterm election season, a cryptocurrency catastrophe, and NDA (nondisclosure agreement) reform. While the midterms did not result in the Red Wave that had been expected, Republicans were able to regain a small majority in the House of Representatives, with the Senate remaining in Democratic control.

The digital finance world was considerably less stable, with the second largest cryptocurrency trading platform, FTX, filing for bankruptcy three days after its lawyers and compliance staff abruptly resigned. The collapse brought into stark relief the importance of solidifying the cryptocurrency custody and insurance landscape.

Also of note, President Biden signed the Speak Out Act, rendering unenforceable nondisclosure and nondisparagement agreements signed prior to incidents of sexual harassment or assault. The law’s passage offers employers the opportunity to review their states’ more robust laws in this area and ensure clauses meant to protect trade secrets and proprietary information don’t inadvertently create issues for sexual misconduct claimants.

Read select thought leadership articles below for a deeper dive:

2022 Midterm Election Guide

The Spectacular Fall of FTX: Considerations about Crypto Custody and Insurance

Nondisclosure and Nondisparagement Agreements in Sexual Harassment and Assault Cases: Speak Out Act Heads to President’s Desk

December

In December, the Federal Trade Commission (FTC) released their hotly anticipated “Green Guides” amendment proposals, intended to combat greenwashing amidst growing demand for environmentally friendly products. The amended Guides for the Use of Environmental Marketing Claims would impose stricter standards for the use of terms such as “recyclable,” “compostable,” “organic,” and “sustainable” in advertising and on packaging.

Meanwhile, Congress narrowly avoided a railroad worker strike by passing Railway Labor Act legislation affirming all tentative agreements between rail carriers and unions. The contracts included a roughly 24% increase in wages over 4-5 years, along with an extra day of leave. Biden promised to address paid leave further in the near future.

The National Labor Relations Board (NLRB) closed out 2022 with a number of impactful decisions favoring workers. Employees have expanded remedies for National Labor Relations Act violations and protection during Section 7 questioning, while employers have the burden of proof when seeking to expand micro-units or deny union protestors.

Read select legal thought leadership pieces below for more details:

Congress Votes to Impose Bargaining Agreement to Avoid Nationwide Railroad Strike

FTC Starts Long-Awaited Green Guides Review

NLRB Issues Flurry of Blockbuster End-of-Year Decisions (With More to Come?) (US)

Thank you to our dedicated readers and as always to our highly regarded contributing authors and our talented NLR editorial staff for working day in and day out to produce one of the most well read and reputable business law publications in the US. Have a happy 2023!

Copyright ©2023 National Law Forum, LLC

Ankura CTIX FLASH Update – January 3, 2023

Malware Activity

Louisiana’s Largest Medical Complex Discloses Data Breach Associated with October Attack

On December 23rd, 2022, the Lake Charles Memorial Health System (LCMHS) began sending out notifications regarding a newly discovered data breach that is currently impacting approximately 270,000 patients. LCMHS is the largest medical complex in Lake Charles, Louisiana, which contains multiple hospitals and a primary care clinic. The organization discovered unusual activity on their network on October 21, 2022, and determined on October 25, 2022, that an unauthorized actor gained access to the organization’s network as well as “accessed or obtained certain files from [their] systems.” The LCMHS notice listed the following patient information as exposed: patient names, addresses, dates of birth, medical record or patient identification numbers, health insurance information, payment information, limited clinical information regarding received care, and Social Security numbers (SSNs) in limited instances. While LCMHS has yet to confirm the unauthorized actor responsible for the data breach, the Hive ransomware group listed the organization on their data leak site on November 15, 2022, as well as posted files allegedly exfiltrated after breaching the LCMHS network. The posted files contained “bills of materials, cards, contracts, medical info, papers, medical records, scans, residents, and more.” It is not unusual for Hive to claim responsibility for the associated attack as the threat group has previously targeted hospitals/healthcare organizations. CTIX analysts will continue to monitor the Hive ransomware group into 2023 and provide updates on the Lake Charles Memorial Health System data breach as necessary.

Threat Actor Activity

Kimsuky Threat Actors Target South Korean Policy Experts in New Campaign

Threat actors from the North Korean-backed Kimsuky group recently launched a phishing campaign targeting policy experts throughout South Korea. Kimsuky is a long-established threat organization that has been in operation since 2013, primarily conducting cyber espionage and occasional financially motivated attacks. Consistently aiming its attacks at South Korean entities, the group often targets academics, think tanks, and organizations relating to inter-Korean relations. In this recent campaign, Kimsuky threat actors distributed spear-phishing emails to several well-known South Korean policy experts. Within these emails, either an embedded website URL or an attachment was present, both executing malicious code to download malware to the compromised machine. One (1) tactic the threat actors utilized was distributing emails through hacked servers, masking the origin IP address(es). In total, of the 300 hacked servers, eighty-seven (87) were located throughout North Korea, with the others from around the globe. This type of social engineering attack is not new for the threat group, as similar instances have occurred over the past decade. In January 2022, Kimsuky actors mimicked the activities of researchers and think tanks in order to harvest intelligence from associated sources. CTIX continues to urge users to validate the integrity of email correspondence prior to visiting any embedded links or downloading any attachments to lessen the risk of threat actor compromise.

Vulnerabilities

Netgear Patches Critical Vulnerability Leading to Arbitrary Code Execution

Network device manufacturer Netgear has just patched a high-severity vulnerability impacting multiple WiFi router models. The flaw, tracked as CVE-2022-48196, is described as a pre-authentication buffer overflow security vulnerability, which, if exploited, could allow threat actors to carry out a number of malicious activities. These activities include stealing sensitive information, creating Denial-of-Service (DoS) conditions, as well as downloading malware and executing arbitrary code. In past attacks, threat actors have utilized this type of vulnerability as an initial access vector from which they pivot to other parts of the network. Currently, there is very little technical information regarding the vulnerability, and Netgear is temporarily withholding the details to allow as many of its users as possible to update their vulnerable devices to the latest secure firmware. Netgear stated that this is a very low-complexity attack, meaning that unsophisticated attackers may be able to successfully exploit a device. CTIX analysts urge Netgear users with any of the vulnerable devices listed in Netgear’s advisory to patch their devices immediately.


Copyright © 2023 Ankura Consulting Group, LLC. All rights reserved.

Governor Wolf Signs Act 151 Addressing Data Breaches Within Local Entities

On Thursday, November 3, 2022, Governor Tom Wolf signed PA Senate Bill 696, also known as Act 151 of 2022 or the Breach of Personal Information Notification Act.  Act 151 amends Pennsylvania’s existing Breach of Personal Information Notification Act, strengthening protections for consumers, and imposing stricter requirements for state agencies, state agency contractors, political subdivisions, and certain individuals or businesses doing business in the Commonwealth.  Act 151 expands the definition of “personal information,” and requires Commonwealth entities to implement specific notification procedures in the event that a Commonwealth resident’s unencrypted and unredacted personal information has been, or is reasonably believed to have been, accessed and acquired by an unauthorized person.  The requirements for state-level and local entities differ slightly; this Alert will address the impact of Act 151 on local entities.  While this law does not take effect until May 22, 2023, it is critical that all entities impacted by this law be aware of these changes.

For the purposes of Act 151, the term “local entities” includes municipalities, counties, and public schools.  The term “public school” encompasses all school districts, charter schools, intermediate units, cyber charter schools, and area career and technical schools.  Act 151 requires that, in the event of a security breach of the system used by a local entity to maintain, store, or manage computerized data that includes personal information, the local entity must notify affected individuals within seven business days of the determination of the breach.  In addition, local entities must notify the local district attorney of the breach within three business days.

The definition of “personal information” has been updated, and includes a combination of (1) an individual’s first name or first initial and last name, and (2) one or more of the following items, if unencrypted and unredacted:

  • Social Security number;
  • Driver’s license number;
  • Financial account numbers or credit or debit card numbers, combined with any required security code or password;
  • Medical information;
  • Health insurance information; or
  • A username or password in combination with a password or security question and answer.

The last three items were added by this amendment.  Additionally, the new language provides that “personal information” does not include information that is made publicly available from government records or widely distributed media.

Act 151 defines previously undefined terms, drawing a distinction between “determination” and “discovery” of a breach, and setting forth different obligations relating to each.  “Determination,” under the act, is defined as, “a verification or reasonable certainty that a breach of the security of the system has occurred.”  “Discovery” is defined as, “the knowledge of or reasonable suspicion that a breach of the security of the system has occurred.”  This distinction affords entities the ability to investigate a potential breach before the more onerous notification requirements are triggered.  A local entity’s obligation to notify Commonwealth residents is triggered when the entity has reached a determination that a breach has occurred.  Further, any vendor that maintains, stores, or manages computerized data on behalf of a local entity is responsible for notifying the local entity upon discovery of a breach, but the local entity is ultimately responsible for making the determinations and discharging any remaining duties under Act 151.

Another significant update afforded by Act 151 is the addition of an electronic notification procedure.  Previously, notice could be given: (1) by written letter mailed to the last known home address of the individual; (2) telephonically, if certain requirements are met; (3) by email if a prior business relationship exists and the entity has a valid email address; or (4) by substitute notice if the cost of providing notice would exceed $100,000, the affected class of individuals to be notified exceeds 175,000, or the entity does not have sufficient contact information.  Now, in addition to the email option, entities can provide an electronic notice that directs the individual whose personal information may have been materially compromised to promptly change their password and security question or answer, or to take any other appropriate steps to protect their information.

Act 151 also provides that all entities that maintain, store, or manage computerized personal information on behalf of the Commonwealth must utilize encryption – this provision originally applied only to employees and contractors of Commonwealth agencies, but was broadened in Act 151.  Further, the act provides that all entities that maintain, store, or manage computerized personal information on behalf of the Commonwealth must maintain policies relating to the transmission and storage of personal information – such policies were previously developed by the Governor’s Office of Administration.

Finally, under Act 151, any entity that is subject to and in compliance with certain healthcare and federal privacy laws is deemed to be in compliance with Act 151.  For example, an entity that is subject to and in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is deemed compliant with Act 151.

Although Act 151 is an amendment to prior legislation, the updates create potential exposure for local entities and the vendors that serve them.  For local municipalities, schools, and counties, compliance will require a proactive approach – local entities will have to familiarize themselves with the new requirements, be mindful of the personal information they hold, and ensure that their vendors are aware of their obligations.  Further, local entities will be required to implement encryption protocols, and prepare and maintain storage and transmission policies.

Originally Published by Babst Calland November 29, 2022. Article By Michael T. Korns and Ember K. Holmes of Babst, Calland, Clements & Zomnir, P.C.


© Copyright Babst, Calland, Clements and Zomnir, P.C.

Nineteen States Have Banned TikTok on Government-Issued Devices

Governors of numerous states have issued Executive Orders in the past several weeks banning TikTok from government-issued devices, and many have already implemented a ban, with others considering similar measures. There is also bipartisan support for a ban in the Senate, which unanimously approved a bill last week that would ban the app from devices issued by federal agencies. There is already a ban prohibiting military personnel from downloading the app on government-issued devices.

The bans are in response to the national security concerns that TikTok poses to U.S. citizens.

To date, 19 states have issued some sort of ban on the use of TikTok on government-issued devices, including some Executive Orders banning the use of TikTok statewide on all government-issued devices. Other state officials have implemented a ban within an individual state department, such as the Louisiana Secretary of State’s Office. In 2020, Nebraska was the first state to issue a ban. Other states that have banned TikTok use in some way are: South Dakota, North Dakota, Maryland, South Carolina, Texas, New Hampshire, Utah, Louisiana, West Virginia, Georgia, Oklahoma, Idaho, Iowa, Tennessee, Alabama, Virginia, and Montana.

Indiana’s Attorney General filed suit against TikTok alleging that the app collects and uses individuals’ sensitive and personal information, but deceives consumers into believing that the information is secure. We anticipate that both the federal government and additional state governments will continue to assess the risk and issue bans on its use in the next few weeks.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

TCPA Turnstile: 2022 Year in Review (TCPA Case Update Vol. 17)

As 2022 comes to a close, we wanted to look back at the most significant Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”) decisions of the year.  While we didn’t see the types of landscape-altering decisions that we saw in 2021, there’s still plenty to take note of.  We summarize here the biggest developments since our last update, listed by issue category in alphabetical order.

Arbitration: In Kelly v. McClatchy Co., LLC, 2022 WL 1693339 (E.D. Cal. May 26, 2022), the District Court denied the defendant’s motion to compel arbitration because the contractual relationship between the parties had terminated before the unwanted calls were made. Plaintiffs had originally signed defendant’s Terms of Service, which bound them to an arbitration provision for all legal disputes. Plaintiffs then cancelled their subscriptions, which ended the enforceability of the Terms of Service against them. However, plaintiffs then received unwanted calls from Defendant seeking service renewals, which the court deemed were not covered by the arbitration clause, even under a theory of post-expiration enforcement.

ATDS: Following Facebook v. Duguid, 141 S. Ct. 1163 (2021), courts are still struggling to define an “automatic telephone dialing system,” and the Third Circuit weighed in through Panzarella v. Navient Sols., Inc., 2022 WL 2127220 (3d Cir. June 14, 2022).  The district court granted defendant’s motion for summary judgment on the grounds that plaintiffs failed to show that an ATDS was used to call their phones. The Third Circuit upheld the summary judgment ruling but did not decide whether the dialing equipment used constituted an “ATDS” under the TCPA. Rather, its ruling hinged on the fact that defendant’s dialer pulled phone numbers from its internal database, not computer-generated tables. As such, the Third Circuit found that even though the system may very well be an unlawful ATDS system under the TCPA, if it is not used in that way, defendants could not be held liable.

In an interesting move, the court in Jiminez v. Credit One Bank, N.A., Nco Fin. Sys., 2022 WL 4611924 (S.D.N.Y. Sept. 30, 2022), narrowed the definition of an “ATDS,” choosing to reject the Second Circuit approach in favor of the Third Circuit’s approach in Panzarella. Here, plaintiff alleged that defendant used a dialing system to send numerous calls without consent. The Second Circuit follows the majority view that, if a system used to dial numbers has the ability to store or generate random numbers, the call made violates the TCPA, even if the random dialing function is not actually utilized. But the court in Jiminez found the Third Circuit’s reasoning persuasive and applied it to the case, finding that plaintiff failed to show the dialing system was actually used in a way that violated the TCPA. It granted summary judgment to defendants on the TCPA claims because the evidence showed the numbers used were all taken from a pre-approved customer list, not generated from random dialing.

Similarly, in Borden v. Efinancial, LLC, 2022 WL 16955661 (9th Cir. Nov. 16, 2022), the Ninth Circuit also adopted a narrower definition of an ATDS, finding that to qualify as an ATDS, a dialing system must use its automation function to generate and dial random or sequential telephone numbers. This means that a mere ability to generate random or sequential numbers is irrelevant; the generated numbers must actually be telephone numbers. Given the circuit split on this issue, it seems likely that the Supreme Court will eventually have to weigh in.

Notably, in May 2022, the FCC issued a new order targeting unlawful robocalls originating outside the country. The order creates a new classification of service providers called “Gateway Providers,” which have traditionally served as transmitters of international robocalls. These providers are domestic intermediaries which are now required to register with the FCC’s Robocall Mitigation database, file a mitigation plan with the agency, and certify compliance with the practices therein.

Class Certification: In Drazen v. Pinto, 41 F. 4th 1354 (11th Cir. July 27, 2022), the Eleventh Circuit considered the issue of standing in a TCPA class action. Plaintiffs’ proposed settlement class included unnamed plaintiffs who had only received one unsolicited text message. Because the court held in an earlier case (Salcedo v. Hanna, 936 F.3d 1162 (11th Cir. 2019)) that just one unwanted message is not sufficient to satisfy Article III standing, it found that some of the class members did not have adequate standing. The district court approved the class with these members in it, finding that those members could remain because they had standing in their respective Circuit and only named plaintiffs needed to have standing. The Eleventh Circuit held otherwise and vacated the class certification and settlement in the case. It remanded, allowing for redefinition of the class giving all members standing.

Consent: Chennette v. Porch, 2022 WL 6884084 (9th Cir. Oct. 12, 2022), involved a defendant who used cell phone numbers posted on publicly available websites, like Yelp and Facebook, to solicit client leads to contractors through unwanted text messages. The court rejected defendant’s argument that plaintiffs consented to the calls because their businesses were advertised through these public posts with the intent of obtaining new business. Beyond that, the court also found that even though these cell phones were used for both personal and business purposes, the numbers still fell within the protection of the TCPA, allowing plaintiffs to satisfy both statutory and Article III standing.

Damages: In Wakefield v. ViSalus, 2022 WL 11530386 (9th Cir. Oct. 20, 2022), the Ninth Circuit adopted a new test to determine the constitutionality of an exceptionally large damages award. Defendant was a marketing company that made unwanted calls to former customers, soliciting them to renew their subscriptions to weight-loss products. After a multi-day trial, a jury returned a verdict for the plaintiff with a statutory damages award of almost $1 billion. The Ninth Circuit reversed and remanded to the district court to consider the constitutionality of the award. While the district court’s test asked whether the award was “so severe and oppressive” as to violate defendant’s due process rights, the Ninth Circuit instructed it to reassess using a test outlined in a different case, Six Mexican Workers. The Six Mexican Workers test assesses the following factors in determining the constitutionality of the damages award: “1) the amount of award to each plaintiff, 2) the total award, 3) the nature and persistence of the violations, 4) the extent of the defendant’s culpability, 5) damage awards in similar cases, 6) the substantive or technical nature of the violations, and 7) the circumstances of each.” We are still awaiting that determination on remand.

Standing: In Hall v. Smosh Dot Com, Inc., 2022 WL 2704571 (E.D. Cal. July 12, 2022), the court addressed whether plaintiff had standing under the TCPA as a cell phone plan subscriber where the text messages were received only by someone else on the plan; in this case, plaintiff was the subscriber and her minor son was the recipient of the unwanted text messages. The court granted defendant’s motion to dismiss for lack of standing because she could not show that the status of subscriber alone could confer adequate standing under Article III.

In Rombough v. State Farm, No. 22-CV-15-CJW-MAR (N.D. Iowa June 9, 2022), the court evaluated standing under the TCPA based on a plaintiff’s number being listed on the Do Not Call list. It determined that being on the DNC list was not an easy ticket into court; plaintiff needed to allege more than just having its number on the list. Rather, the plaintiff must have actually registered their own number on the list.

© 2022 Vedder Price

Ankura CTIX FLASH Update – December 13, 2022

Malware Activity

Uber Discloses New Data Breach Related to Third-Party Vendor

Uber has disclosed a new data breach that is related to the security breach of Teqtivity, a third-party vendor that Uber uses for asset management and tracking services. A threat actor named “UberLeaks” began leaking allegedly stolen data from Uber and Uber Eats on December 10, 2022, on a hacking forum. The exposed data includes Windows domain login names and email addresses, corporate reports, IT asset management information, data destruction reports, multiple archives of apparent source code associated with mobile device management (MDM) platforms, and more. One document in particular contained over 77,000 Uber employee email addresses and Windows Active Directory information. UberLeaks posted the alleged stolen information in four (4) separate postings regarding Uber MDM, Uber Eats MDM, Teqtivity MDM, and TripActions MDM platforms. The actor included one (1) member of the Lapsus$ threat group in each post, but Uber confirmed that Lapsus$ is not related to this December breach despite being previously linked to the company’s cyberattack in September 2022. Uber confirmed that this breach is not related to the security incident that took place in September and that the code identified is not owned by Uber. Teqtivity published a data breach notification on December 12, 2022, that stated the company is aware of “customer data that was compromised due to unauthorized access to our systems by a malicious third party” and that the third party obtained access to its AWS backup server that housed company code and data files. Teqtivity also noted that its ongoing investigation identified the following exposed information: first name, last name, work email address, work location details, device serial number, device make, device model, and technical specs. The company confirmed that home address, banking information, and government identification numbers are not collected or retained. Uber and Teqtivity are both in the midst of ongoing investigations into this data breach.
CTIX analysts will provide updates on the matter once available.

Threat Actor Activity

PLAY Ransomware Claims Responsibility for Antwerp Cyberattack

After last week’s ransomware attack on the city of Antwerp, a threat organization has claimed responsibility and has begun making demands. The threat group, tracked as PLAY ransomware, is an up-and-coming ransomware operation that has been posting leaked information since November 2022, according to an available posting on its leak site. Samples of the threat group’s ransomware variants have shown activity dating back to June 2022, a period that also saw PLAY ransomware’s attack on the Argentina Court of Cordoba (August). While PLAY’s ransomware attack crippled several sectors of Antwerp, it appears to have had a significant impact on residential facilities throughout the city, as stated by officials. According to PLAY NEWS, PLAY’s ransomware leak site, the publication date for the exfiltrated data is Monday, December 19, 2022, if the undisclosed ransom is not paid. PLAY threat actors claim to have 557 gigabytes (GB) worth of Antwerp-related data including but not limited to personally identifiable information, passports, identification cards, and financial documents. CTIX continues to monitor the developing situation and will provide additional updates as more information is released.

Vulnerabilities

Fortinet Patches Critical RCE Vulnerability in FortiOS SSL-VPN Products

After observing active exploitation attempts in the wild, the network security solutions manufacturer Fortinet has patched a critical vulnerability affecting its FortiOS SSL-VPN products. The flaw, tracked as CVE-2022-42475, was given a CVSS score of 9.3/10 and is a heap-based buffer overflow which, if successfully exploited, could allow unauthenticated attackers to perform arbitrary remote code execution (RCE). Specifically, the vulnerability exists within the FortiOS sslvpnd component, which enables individual users to safely access an organization’s network, client-server applications, and internal network utilities and directories without the need for specialized software. The vulnerability was first discovered by researchers from the French cybersecurity firm Olympe Cyberdefense, who warned users to monitor their logs for suspicious activity until a patch was released. Although very few technical details about the exploitation have been divulged, Fortinet did share lists of suspicious artifacts and IPs. Based on research by Ankura CTIX analysts, the IPs released by Fortinet are located around the globe and are not associated with known threat actors at this time. To prevent exploitation, all Fortinet administrators leveraging FortiOS sslvpnd should ensure that they download and install the latest patch. If organizations cannot immediately patch their systems due to the business interruption it would cause, Olympe Cyberdefense suggests “customers monitor logs, disable the VPN-SSL functionality, and create access rules to limit connections from specific IP addresses.” A list of the affected products and their solutions, as well as the indicators of compromise, can be found in the Fortinet advisory linked below.
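As an added illustration of the interim advice above (log monitoring plus IP-based access rules), the following Python script, written for this page and not taken from Fortinet or Olympe Cyberdefense, triages SSL-VPN event lines against an indicator list and an allowlist. The log lines, the indicator IPs and the allowed network are all constructed placeholders: the page does not reproduce Fortinet's IoC list, and the field names only assume the key=value style of FortiGate event logs.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample lines in the key=value style FortiGate uses for event
# logs (assumption: field names follow that convention; all values are made up).
SAMPLE_LOGS = [
    'date=2022-12-12 time=09:01:10 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.45 user="N/A" msg="SSL user failed to logged in"',
    'date=2022-12-12 time=09:01:12 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.45 user="N/A" msg="SSL user failed to logged in"',
    'date=2022-12-12 time=09:05:44 type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.7 user="jdoe" msg="SSL tunnel established"',
    'date=2022-12-12 time=09:06:02 type="event" subtype="vpn" action="tunnel-up" remip=192.0.2.200 user="asmith" msg="SSL tunnel established"',
    'date=2022-12-12 time=09:07:30 type="event" subtype="system" action="login" srcip=192.0.2.200 user="admin"',
]

# PLACEHOLDER indicator IPs: the advisory's real list is not on this page,
# so TEST-NET addresses stand in for it. Replace with the vendor-published IoCs.
IOC_IPS = {"203.0.113.45", "203.0.113.99"}

# Access-rule allowlist: networks from which SSL-VPN logins are expected
# (constructed for the example; substitute the organisation's own ranges).
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def triage(lines: List[str], iocs=IOC_IPS, allowed=ALLOWED_NETS) -> List[Dict[str, str]]:
    """Flag SSL-VPN events whose remote IP is a published indicator or falls
    outside the allowlist that an access rule would enforce. One finding per
    flagged line, in a flat form that can be forwarded to a SIEM or ticket."""
    findings = []
    for line in lines:
        rec = parse_kv(line)
        if rec.get("subtype") != "vpn" or "remip" not in rec:
            continue  # only SSL-VPN events are in scope for this check
        ip = ipaddress.ip_address(rec["remip"])
        reasons = []
        if rec["remip"] in iocs:
            reasons.append("ioc-match")
        if not any(ip in net for net in allowed):
            reasons.append("outside-allowlist")
        if reasons:
            findings.append({"time": rec.get("time", "?"), "remip": rec["remip"],
                             "action": rec.get("action", "?"), "reasons": ",".join(reasons)})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

Run against the constructed sample, the two failed logins from the indicator address and the tunnel from the unlisted address are flagged, while the login from the allowlisted range and the non-VPN system event are left alone.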

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. 

Copyright © 2022 Ankura Consulting Group, LLC. All rights reserved.