ANOTHER TRILLION DOLLAR CASE? TikTok Hit in MASSIVE CIPA Suit Over Its Business Model of Profiting from Advertising by Collecting and Monetizing User Data

Data privacy lawsuits are EXPLODING, and the privacy issues of one of our country’s most popular mobile apps, TikTok, keep piling up.

Following its recent $92 million class-action data privacy settlement for its alleged violation of the Illinois Biometric Information Privacy Act (BIPA), TikTok is now facing a CIPA and Federal Wiretap Act class action for collecting users’ data via its in-app browser without the Plaintiff’s and class members’ consent.

The complaint alleges “[n]owhere in [Tik Tok’s] Terms of Service or the privacy policies is it disclosed that Defendants compel their users to use an in-app browser that installs JavaScript code into the external websites that users visit from the TikTok app which then provides TikTok with a complete record of every keystroke, every tap on any button, link, image or other component on any website, and details about the elements the users clicked.”

Despite being a free app, TikTok makes billions in revenue by collecting users’ data without their consent.

“The world’s most valuable resource is no longer oil, but data.”

As we’ve discussed before, many companies do collect data for legitimate purposes with consent. However, this new complaint alleges a very specific type of data collection practice without the TikTok user’s OR the third-party website operator’s consent.

TikTok allegedly relies on selling digital advertising spots for income, and the algorithm used to determine which advertisements to display on a user’s home page utilizes tracking software to understand users’ interests and habits. To drive this business, TikTok presents users with links to third-party websites that open in TikTok’s in-app browser, without the user (or the third-party website operator) knowing this is occurring. The user’s keystrokes are simultaneously intercepted and recorded.

“Specifically, when a user attempts to access a website by clicking a link while using the TikTok app, the website does not open via the default browser. Instead, unbeknownst to the user, the link is opened inside the TikTok app, in [Tik Tok’s] in-app browser. Thus, the user views the third-party website without leaving the TikTok app.”

The TikTok in-app browser does not just track purchase information; it allegedly tracks detailed private and sensitive information, including information about a person’s physical and mental health.

For example, health providers and pharmacies, such as Planned Parenthood, have a digital presence on TikTok, with videos that appear on users’ feeds.

Once a user clicks on this link, they are directed to Planned Parenthood’s main webpage via TikTok’s in-app browser. While the user is assured that his or her information is “private and anonymous,” TikTok is allegedly intercepting it and monetizing it to send targeted advertisements to the user, without the user’s or Planned Parenthood’s consent.

The complaint not only details the global privacy concerns regarding TikTok’s privacy practices (including FTC investigations, an outright ban preventing the U.S. military from using it, TikTok’s BIPA lawsuit, and an uptick in privacy advocate concerns), it also specifically calls out the concerns around collecting reproductive health information after the demise of Roe v. Wade this year:

“TikTok’s acquisition of this sensitive information is especially concerning given the Supreme Court’s recent reversal of Roe v. Wade and the subsequent criminalization of abortion in several states. Almost immediately after the precedent-overturning decision was issued, anxieties arose regarding data privacy in the context of commonly used period and ovulation tracking apps. The potential of governments to acquire digital data to support prosecution cases for abortions was quickly flagged as a well-founded concern.”

Esh. The allegations are alarming and the 76-page complaint can be read here: TikTok.

In any event, the class is alleged as:

“Nationwide Class: All natural persons in the United States who used the TikTok app to visit websites external to the app, via the in-app browser.

California Subclass: All natural persons residing in California who used the TikTok app to visit websites external to the app, via the in-app browser.”

The complaint alleges that California law applies to all class members. As with the Meta CIPA complaint, we will have to wait and see how a nationwide class can be brought under a CA statute.

On the CIPA claim, the Plaintiff, Austin Recht, seeks an unspecified amount of damages for the class, but the demand is $5,000 per violation or 3x the amount of damages sustained by the Plaintiff and the class, in an amount to be proven at trial.

We’ll obviously continue to keep an eye on this.

Article By Puja J. Amin of Troutman Firm

For more communications and media legal news, click here to visit the National Law Review.

© 2022 Troutman Firm

Following the Recent Regulatory Trends, NLRB General Counsel Seeks to Limit Employers’ Use of Artificial Intelligence in the Workplace

On October 31, 2022, the General Counsel of the National Labor Relations Board (“NLRB” or “Board”) released Memorandum GC 23-02 urging the Board to interpret existing Board law to adopt a new legal framework to find electronic monitoring and automated or algorithmic management practices illegal if such monitoring or management practices interfere with protected activities under Section 7 of the National Labor Relations Act (“Act”). The Board’s General Counsel stated in the Memorandum that “[c]lose, constant surveillance and management through electronic means threaten employees’ basic ability to exercise their rights,” and urged the Board to find that an employer violates the Act where the employer’s electronic monitoring and management practices, when viewed as a whole, would tend to “interfere with or prevent a reasonable employee from engaging in activity protected by the Act.” Given that position, it appears that the General Counsel believes that nearly all electronic monitoring and automated or algorithmic management practices violate the Act.

Under the General Counsel’s proposed framework, an employer can avoid a violation of the Act if it can demonstrate that its business needs require the electronic monitoring and management practices and the practices “outweigh” employees’ Section 7 rights. Not only must the employer be able to make this showing, it must also demonstrate that it provided the employees advance notice of the technology used, the reason for its use, and how it uses the information obtained. An employer is relieved of this obligation, according to the General Counsel, only if it can show “special circumstances” justifying “covert use” of the technology.

In GC 23-02, the General Counsel signaled to NLRB Regions that they should scrutinize a broad range of “automated management” and “algorithmic management” technologies, defined as “a diverse set of technological tools and techniques to remotely manage workforces, relying on data collection and surveillance of workers to enable automated or semi-automated decision-making.” Technologies subject to this scrutiny include those used during working time, such as wearable devices, security cameras, and radio-frequency identification badges that record workers’ conversations and track the movements of employees; GPS tracking devices and cameras that keep track of the productivity and location of employees who are out on the road; and computer software that takes screenshots, webcam photos, or audio recordings. Also subject to scrutiny are technologies employers may use to track employees while they are off duty, such as employer-issued phones and wearable devices, and applications installed on employees’ personal devices. Finally, the General Counsel noted that an employer that uses such technologies to hire employees, such as online cognitive assessments and reviews of social media, “pry into job applicants’ private lives.” Thus, these pre-hire practices may also violate the Act. Technologies such as resume readers and other automated selection tools used during hiring and promotion may also be subject to GC 23-02.

GC 23-02 follows the wave of recent federal guidance from the White House, the Equal Employment Opportunity Commission, and local laws that attempt to define, regulate, and monitor the use of artificial intelligence in decision-making capacities. Like these regulations and guidance, GC 23-02 raises more questions than it answers. For example, GC 23-02 does not identify the standards for determining whether business needs “outweigh” employees’ Section 7 rights, or what constitutes “special circumstances” that an employer must show to avoid scrutiny under the Act.

While GC 23-02 sets forth the General Counsel’s proposal and thus is not legally binding, it does signal that there will likely be disputes in the future over artificial intelligence in the employment context.

©2022 Epstein Becker & Green, P.C. All rights reserved.

Attorney Mindfulness When Addressing Emails and Texts: ABA Formal Opinion Provides Ethical Guidance to Lawyers on Electronic Communications

In their roles as advisors, advocates, counselors, negotiators, and client representatives, lawyers communicate extensively through electronic means, particularly email and, increasingly, text messages. However, the fact that use of these electronic communication tools is commonplace in legal practice doesn’t mean that attorneys shouldn’t exercise caution when crafting their communications. The American Bar Association (“ABA”) Standing Committee on Ethics and Professional Responsibility published a formal opinion this month that advises lawyers to refrain generally from including their clients on emails and texts sent to opposing counsel.

ABA Formal Opinion 503 focuses on ABA Model Rule 4.2, often referred to as the “no-contact” rule. Under this model rule, a lawyer who is representing a client may not communicate about the subject of the representation with a represented person absent the consent of that person’s lawyer, unless the law or a court order authorizes such a communication. Most states’ codes of professional legal ethics draw heavily upon the ABA Model Rules, so many states have similar “no-contact” rules for lawyers.

The new formal opinion states that lawyers would not be deemed to violate ABA Model Rule 4.2 if they send a “reply all” response to a group email or text sent by an opposing counsel, even if that communication includes the opposing counsel’s client. The opinion states that, “[a]bsent special circumstances, lawyers who copy their clients on emails or other forms of electronic communication to counsel representing another person in the matter impliedly consent to a ‘reply all’ response from the receiving counsel,” and that, “[a]ccordingly, the reply all communication would not violate Model Rule 4.2.”

As a practical matter, Formal Opinion 503 provides a number of options to lawyers who wish to avoid creating an implied presumption of consent to such “reply all” communications from opposing counsel to their clients. These options include:

  • forwarding the electronic communication separately to the client without including opposing counsel as an addressee,
  • informing receiving counsel expressly and in advance that including the client on the electronic communication does not constitute a consent to a “reply all” response, or
  • sending the communication through other means (such as a mailed hard copy letter) where different norms are in place regarding responding to all addressees.

The full text of ABA Formal Opinion 503 is available here.

Copyright 2022 K & L Gates

Buying, Selling, and Investing in Telehealth Companies: Navigating Structural and Compliance Issues

A multi-part series highlighting the unique health regulatory aspects of Telemedicine mergers and acquisitions, and financing transactions

Investors in the telehealth space and buyers and sellers of telehealth companies need to account for a set of health regulatory considerations that are unique to deals in this sector. As all parties to potential telehealth transactions analyze their long term role in the telehealth marketplace, two of the central issues to any transaction are compliance and structure – both in terms of structuring the telehealth transaction itself and due diligence issues that arise related to a target’s structure.

The COVID-19 pandemic, combined with strained health care staffing and provider availability, has accelerated the growth of telehealth, and start-ups and traditional health systems alike are competing for access to patient populations in the telehealth space. However, as we adjust to life with COVID-19 as the norm, the expiration of the federal Public Health Emergency (PHE) looms, and the national economy contracts, we expect that the remainder of 2022 and into 2023 will see consolidation as the telehealth market begins to saturate and the long-term viability of certain platforms is tested. Telehealth companies, health systems, pharma companies and investors are all in potential positions to take advantage of this consolidation in a ripening M&A sector (while startups in the telehealth space continue to seek venture and institutional capital).

This is the first post in a series highlighting the unique health regulatory aspects of telehealth transactions. Future installments of this series are expected to cover licensure and regulatory approvals, compliance / clinical delivery models, and future market developments.

Telehealth Transaction Structure Considerations

The structure of any given telehealth transaction will largely depend on the business of the telehealth organization at play, but also will depend on the acquirer / investor. Regardless of whether a party is buying, selling or investing in a telehealth company, structuring the transaction appropriately will be important for all parties involved. While a standard stock purchase, asset purchase or merger may make sense for many of these transactions, we have also seen a proliferation of affiliation arrangements, joint ventures (JV), alliances and partnerships. These varieties of affiliation transactions can be a good choice for health systems that are not necessarily looking to manage or develop an existing platform, but instead are looking to leverage their patient populations and resources to partner with an existing technology platform. An affiliation or JV is more popular for telehealth companies operating purely as a technology platform (with no core business involving clinical services being provided). For parties in the traditional healthcare provider sector that provide clinical services, an affiliation or JV, which is easier to unwind or terminate than a traditional M&A transaction, can allow the parties to “test the waters” in a new, combined business venture. The affiliation or JV can take a variety of forms, including technology licensing agreements; the creation of a new entity to house the telehealth mission, which then has contractual arrangements with both JV parties; and exclusivity arrangements relating to use of the technology and access to patient populations.

While an affiliation or JV offers flexibility, can minimize the need for a large upfront investment, and can be an attractive alternative to a more permanent purchase or sale, there can be increased regulatory risk. Entrepreneurs, investors, and providers considering any such arrangement should bear in mind that in the wake of the COVID-19 pandemic and proliferation of telehealth, the Office of Inspector General of the Department of Health and Human Services (HHS-OIG) has expressed a heightened interest in investigating so called “telefraud” and recently issued a special fraud alert regarding suspect arrangements, discussed in this prior post. Further, the OIG’s guidance on contractual joint ventures that would run afoul of the federal Anti-Kickback Statute (AKS) should be front of mind and parties should strive to structure any affiliation or JV in a manner that meets or approximates an AKS safe harbor.

Target Telehealth Company Structure Compliance

Where telehealth companies are providing clinical services, and are not purely technology platforms, structuring and transaction diligence should focus on whether the target is operating in compliance with corporate practice of medicine (CPOM) laws. The CPOM doctrine is intended to maintain the independence of physician decision-making and reduce a “profits over people” mentality, and prevent physician employment by a lay-owned corporation unless an exception applies. Most states that have adopted CPOM impose similar restrictions on other types of clinical professionals, such as nurses, physical therapists, social workers, and psychologists. Telehealth companies often attempt to utilize a so-called “friendly PC” structure to comply with CPOM, whereby an investor-owned management services organization (“MSO”) affiliates with a physician-owned professional corporation (or other type of professional entity) (a “PC”) through a series of contractual agreements that foster a close working relationship between the MSO, PC, and PC owner and whereby the MSO provides management services, and sometimes start-up financing. The overall arrangement is intended to allow the MSO to handle the management side of the PC’s operations without impeding the professional judgment of the PC or the medical practice of its physicians and the PC owner.

CPOM Compliance Considerations and Diligence for Telehealth Companies

A sophisticated buyer will want to confirm that the target’s friendly PC structure is not only formally established, but is also operationalized properly and in a manner that minimizes fraud and abuse risk. If CPOM compliance gaps are identified in diligence this may, at worst, tank the deal and, at best, cause unexpected delays in the transaction timeline, as restructuring may be required or advisable. The buyer may also request additional deal concessions, such as a purchase price reduction and special indemnification coverage (with potentially a higher liability limit and an escrow as security). Accordingly, a telehealth company anticipating a sale or fund raise would be well served to engage in a self-audit to identify any CPOM compliance issues and undertake necessary corrective actions prior to the commencement of a transaction process.

Below are nine key questions with respect to CPOM compliance and related fraud and abuse issues that a buyer/investor in a telehealth transaction should examine carefully (and that the target should be prepared to answer):

  1. Does the target have a PC that is properly incorporated or foreign qualified in all states where clinical services are provided (based on the location of the patient)?
  2. Does the PC owner (and any directors and officers of the PC, to the extent different from the PC owner) have a medical license in all states where the PC conducts business (to the extent in-state licensure is required)? To the extent the PC has multiple physician owners and directors/officers, are all such individuals licensed as required under applicable state law?
  3. Does the PC(s) have its own federal employer identification number, bank account (including double lockbox arrangement if enrolled in federal healthcare programs), and Medicare/Medicaid enrollments?
  4. Does the PC owner exercise meaningful oversight and control over the governance and clinical activities of the PC? Does the PC owner have background and expertise relevant to the business (e.g., a cardiologist would not have appropriate experience to be the PC owner of a PC that provides telemental health services)?
  5. Are the physicians and other professionals providing clinical services for the business employed or contracted through a PC (rather than the MSO)? Employment or independent contractor agreements should be reviewed, as well as W-2s, and payroll accounts.
  6. Is the PC properly contracted with customers (to the extent services are provided on a B2B basis) and payors?
  7. Do the contractual agreements between the MSO and PC respect the independent clinical judgment of the PC owner and PC physicians and otherwise comply with state CPOM laws?
  8. Do the financial arrangements between the MSO, PC, and PC owner comply with AKS, the federal Stark Law, and corollary state laws and fee-splitting prohibitions, to the extent applicable?
  9. Is the PC owner or any other physician performing clinical services for the PC an equity holder in the MSO? If so, are these equity interests tied to volume/value of referrals to the PC or MSO (i.e., if the MSO provides ancillary services such as lab or prescription drugs) or could equity interests be construed as an improper incentive to generate healthcare business (e.g., warrants that can only be exercised upon attainment of certain volume)?

Telehealth companies considering a sale or financing transaction, and potential buyers and investors, would be well served to spend time on the front end of a potential transaction assessing the above issues to determine potential risk areas that could impact deal terms or necessitate any friendly PC structuring.

© 2022 Foley & Lardner LLP

The Do’s and Don’ts of Data Cleaning – Don’t Drown in Bad Data

Bad CRM data can compound exponentially, impacting marketing and business development. It’s essential to understand the scope of your data problems and follow a plan for regular data cleaning.

Have you ever heard the saying, “No man ever steps into the same river twice”? Because a river’s water is constantly flowing and changing, the water you step in today will be different from yesterday. The same is true for the data in your CRM system: people are constantly changing roles, relocating, retiring; companies are opening, closing, moving and merging.

On top of that, new data isn’t always entered correctly. As a result, a database with clean, correct information today will not necessarily be accurate tomorrow. Over time, this bad data can compound exponentially, resulting in ineffective marketing, events and communication campaigns because as your data degrades, you reach fewer members of your target audience.

For professional services firms, poor data quality in your CRM system can also translate into a decline in system adoption. Once your professionals see bad data, they won’t trust the system as a whole and ultimately may outright refuse to use it. This is why we stress the importance of ongoing data cleaning.

Data Cleaning Do’s and Don’ts

Simply put, data cleaning involves identifying incorrect, incomplete and/or dated data in your systems and correcting and enhancing it. If you have a large database with thousands, or hundreds of thousands, of records, the data quality process can seem daunting and overwhelming.

While there’s no magic bullet or quick fix for poor data quality, ignoring data problems until there’s a crisis is not a strategy. Good data quality requires ongoing effort that never ends. The good news is that this means you have forever to get better at it. So, start now. Begin by assessing the scope of your data quality issues. Then, because it’s not always cost-effective or even possible to clean all your data, start by focusing on the highest priority projects.

Identify and Prioritize Your Most Important Data

All contact records are not created equal. For instance, client data is typically more important than non-client data. Additionally, individuals who have recently subscribed to your communications or attended an event are more important than those who last interacted with your firm years ago. Whatever segmenting scenario you select, it’s important to find ways to divide your contact data into manageable pieces because it makes the process more manageable and allows you to better measure progress.

Eliminate Stagnant Records

Related to prioritizing your data, don’t be hesitant about removing records that have been inactive for an extended period. Search your system for contacts that have not been updated for a few years, are not related to or known by any of your professionals, are not clients or alumni, and have not opened a communication or invitation in two to three years. Chances are good these records are not only outdated but also may not be worth the resources it would take to update them. Identify these records and consider removing them from the system. Less mess in your database makes cleanup a bit more manageable.

Your Plan Is Your Life Preserver

Once you’ve prioritized subsets or segments of contacts, identifying and prioritizing your most common data errors can help you decide on the best way to tackle ongoing data cleaning. For example, if you have an important email that needs to be sent to clients, you need to focus on email addresses. Identify records that don’t have an email address, have incorrectly formatted email addresses or have bounced recently.

In addition, if there are contacts you haven’t sent a communication or invitation to for an extended period of time, it’s entirely likely that their email may no longer be valid. It’s important to regularly test emails on your lists because not doing so can cause you to be blacklisted by anti-spam entities or have your account blocked by your eMarketing provider.

Initial Cleaning Cycle

The best place to start your data cleaning cycle is with a contact and list verification and cleansing service such as TrueDQ. This service will evaluate your list data, identify potentially harmful “honeypot” email addresses and even automatically update many of your contacts with current, complete contact information. The data can then also be enhanced with additional missing information, such as industries and locations, to help with targeting and segmenting.

Rinse and Repeat

When one segment or list has been cleaned, move on to the next one – bearing in mind that what’s important on the next list may be different from the last one. For example, maybe you need to send a hard copy postal mailing, so it will be important to ensure the accuracy of physical mailing addresses rather than email addresses.

Bounces and Returns

One of the most common data quality failures at law and other professional services firms is ignoring bounced emails and returned hard copy mailings. Bounces and returns are real-time indicators that can help you keep on top of your data quality. Researching and correcting them is important because sometimes they involve important former clients who could potentially hire the firm again at their new company.

Returned hard mail will often include the forwarding address of the recipient, which should be corrected in your CRM. For emails, use a central email address to collect automatic email replies, since these frequently tell you when a recipient no longer works at an organization.

Ideally, data stewards should regularly review all bounces to take the onus off the professionals. However, it can also be helpful to generate reports on bounced communications and circulate them to professionals or their assistants who may be able to provide updated information – or will at least appreciate knowing which of their contacts have moved on or changed roles.

Finally, if your eMarketing and/or CRM system has a process for automatically isolating bounced records, be sure you have a reciprocal process that automatically reinstates bounced records when the email field is updated.

Prevent Invalid Data

There are multiple ways to encourage good data habits, depending on your system and method of contact entry. If your firm relies on manual data entry, implement a firmwide Data Standards Guide to inform users how data should be entered (e.g., does your firm spell out or abbreviate job titles?). It can also be helpful to use system validation rules wherever possible to require certain information in new records such as last name, city and email address to ensure your contacts are relevant.

Finally, regularly review newly added records for consistency and completeness. This process can reveal issues such as users who may require additional training on contact input best practices. It can also help to catch spam or other potentially dangerous entries that can sometimes flow into your database from online forms that are filled out by bots.
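The stagnant-record criteria, the email-field triage before a campaign, and the required-field rule for new records described above, as an added Python example that is not part of the original article. The contact records, dates, thresholds and field names are all constructed for the illustration.

```python
"""Triage a CRM contact list: flag email fields that need attention before a
send, identify stagnant records that are candidates for removal, and check
new records against a required-field rule. All data here is constructed."""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Pragmatic address check (one '@', no whitespace, dotted domain), not a full
# RFC 5322 parser; it catches the typical hand-entry typos.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Assumed required fields for a new record, per the article's example rule.
REQUIRED_FIELDS = ("last_name", "city", "email")


@dataclass
class Contact:
    name: str
    email: Optional[str]
    last_updated: date             # last edit to the record
    last_opened: Optional[date]    # last opened communication or invitation
    is_client_or_alumni: bool
    known_by_professionals: bool   # related to / known by any professional
    bounced_on: Optional[date] = None


def email_issues(c: Contact, today: date, bounce_window_days: int = 90) -> List[str]:
    """Return the email problems the article says to look for before a send:
    no address, a badly formatted address, or a recent bounce."""
    issues = []
    if not c.email:
        issues.append("missing-email")
    elif not EMAIL_RE.match(c.email):
        issues.append("malformed-email")
    if c.bounced_on is not None and (today - c.bounced_on).days <= bounce_window_days:
        issues.append("recent-bounce")
    return issues


def is_stagnant(c: Contact, today: date, stale_years: int = 3,
                unopened_years: int = 2) -> bool:
    """Article's removal criteria, all of which must hold: not updated for a
    few years, not known by any professional, not a client or alumni, and no
    opened communication in two to three years."""
    stale = (today - c.last_updated).days > stale_years * 365
    no_opens = (c.last_opened is None
                or (today - c.last_opened).days > unopened_years * 365)
    return stale and not c.known_by_professionals and not c.is_client_or_alumni and no_opens


def triage(contacts: List[Contact], today: date) -> dict:
    """Bucket each contact: removal candidate, needs an email fix, or ready."""
    report = {"remove_candidates": [], "fix_email": [], "ready": []}
    for c in contacts:
        if is_stagnant(c, today):
            report["remove_candidates"].append(c.name)
        else:
            issues = email_issues(c, today)
            if issues:
                report["fix_email"].append((c.name, issues))
            else:
                report["ready"].append(c.name)
    return report


def missing_required_fields(record: dict) -> List[str]:
    """Validation rule for manual entry: which required fields are empty."""
    return [f for f in REQUIRED_FIELDS if not str(record.get(f, "")).strip()]


# Constructed sample data with a fixed "today" so results are reproducible.
TODAY = date(2022, 11, 15)
SAMPLE_CONTACTS = [
    Contact("Ana Client", "ana@example.com", date(2022, 10, 1), date(2022, 10, 20), True, True),
    Contact("Ben Stale", "ben@example.com", date(2018, 5, 1), None, False, False),
    Contact("Cara NoEmail", None, date(2022, 6, 1), date(2022, 6, 5), False, True),
    Contact("Dan Typo", "dan@example", date(2022, 1, 1), date(2022, 9, 1), False, True),
    Contact("Eve Bounced", "eve@example.com", date(2022, 3, 1), date(2022, 9, 9), False, True,
            bounced_on=date(2022, 10, 30)),
    # Same age profile as Ben, but alumni status keeps the record.
    Contact("Finn Alumni", "finn@example.com", date(2018, 5, 1), None, True, False),
]

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_CONTACTS, TODAY).items():
        print(bucket, entries)
    print("new-record gaps:", missing_required_fields({"last_name": "Ng", "city": "", "email": "ng@example.org"}))
```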

Never, Ever Stop

Just as rivers keep flowing, so does the data in your CRM system – and the data will always need cleaning to ensure that it is fresh. While this may feel like a relentless and burdensome task, never stop – just go with the flow – because when you’re not regularly cleaning the data, your CRM “river” can become stagnant, and the more polluted it becomes, the longer the eventual cleanup will take.

© Copyright 2022 CLIENTSFirst Consulting

ADA Compliance for Law Firm Websites in 2022

Legal reasoning involves applying the law to the facts to determine the rights and duties of those involved in a situation. Lawyers frequently take the position that the application of rules should settle disputes and that policies will be considered, if at all, only when there is a high degree of uncertainty surrounding the applicability of the rule. Alternatively, a lawyer might take the position that it is always preferable to seek the result that would further the underlying policies, even if that result would be contrary to the clear language of the rules.

But what if no explicit rules currently exist?

That is the issue with website compliance under the Americans with Disabilities Act (ADA). The Act does not offer specific guidelines to follow; however, websites are expected to be easily accessible to everyone, including those who are disabled. The failure to create an ADA-compliant website could expose an organization to discrimination lawsuits, financial liabilities, and severe damage to its reputation.

What is the ADA?

The ADA compels certain businesses, including banks, hotels, restaurants, public transit, law firms, and others to make accommodations for people with disabilities. According to the National Law Review, the Act is divided into three parts:

  • Title I prohibits employers from discriminating against employees based on disability and requires them to provide reasonable accommodation to certain employees under specific circumstances.
  • Title II covers state and local governments.
  • Title III covers “places of public accommodation,” which the ADA does not define, but are generally private businesses or organizations that provide goods, services, facilities, privileges, or accommodations to the public. These places commonly include schools, restaurants, health care providers, social service agencies, law firms, and more.

The ADA is commonly associated with physical locations and the accommodations that certain businesses must make for people with disabilities, which include wheelchair accessibility, reserved parking, and service animals. Companies that fall under ADA Title I and operate 20 or more weeks per year with at least 15 full-time employees, or Title III – those that fall under the category of public accommodation – must be ADA-compliant.

Although physical “brick-and-mortar” locations are nearly always considered places of public accommodation, the debate is ongoing as to whether a business’s website is a place of accommodation. If so, the digital content must be accessible to all users.

A law firm website must be designed so that those who are disabled can access it easily to comply with ADA requirements. While there are no well-defined regulations that describe precisely what an ADA-compliant website should include, businesses that fall under ADA Title I or ADA Title III are required to develop a website that offers “reasonable accessibility” to people with disabilities.

Compliance Tools & Plugins

Because the ADA doesn’t offer specific guidelines for website compliance, many organizations follow the Web Content Accessibility Guidelines 2.0 (WCAG), updated to 2.1 in 2018. While WCAG isn’t a legal requirement, its requirements have been followed in the European Union and other nations since 1999 and still serve as a reference for businesses that want to improve the accessibility of their websites.

Under WCAG 2.1, website accessibility concerns generally fall into four groups. These include issues that are:

  • Perceivable – issues that affect users’ ability to locate and process the information on a website, e.g., many visually-impaired individuals use screen readers to distinguish between the text and the background to help them navigate online content.
  • Operable – challenges that impair users’ ability to navigate a site, e.g., functions and navigations such as online forms should be accessible via keyboard-only commands, and users who need additional time to complete them should be allowed to do so.
  • Understandable – users should be able to comprehend the information on the site, e.g., error messages that provide an explanation and directions for correcting an error should be offered.
  • Robust – content that can be interpreted by various devices and platforms according to the varying needs and abilities of users, e.g., alt text on an image, which assistive technology reads aloud to tell users what the image shows.

Here are more suggestions regarding what to include to help ensure ADA website compliance:

  • “Alt” tags for every media file and map
  • Descriptive HTML tags for online forms
  • Hyperlinks with descriptive anchor text
  • “Skip navigation” links on all website pages
  • Heading tags to organize text
  • Accessible PDF files
  • Subtitles, transcripts, and audio descriptions for videos
  • Accessible fonts for all applications
  • HTML tables with column headers, row IDs, and cell information
  • Captions written in English for audio files
  • Call-to-action buttons with easily accessible names and ARIA labels
  • A website accessibility policy
  • Easy to find contact information

Meeting these guidelines will make a firm’s website more accessible to those with vision or hearing impairments, as well as cognitive, language, or learning disabilities.
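Several items on the checklist above (alt attributes, labelled form controls, descriptive anchor text, a skip-navigation link, heading tags, tables with header cells, buttons with accessible names) can be checked statically before a site goes live. The following is an added example, not code from the article or from any of the tools it mentions; it uses only the Python standard library, the sample pages are constructed for illustration, and it approximates what an accessibility audit reports rather than replacing testing with real assistive technology.

```python
"""Static checks for some of the WCAG-style checklist items discussed above.
Added example using only the standard library; the sample HTML is constructed."""
from html.parser import HTMLParser

VAGUE_LINK_TEXT = {"click here", "here", "read more", "more", "link"}
# Controls that carry their own visible text or are never shown to the user.
UNLABELED_INPUT_TYPES = {"hidden", "submit", "button", "reset", "image"}


class AccessibilityAuditor(HTMLParser):
    """Walks an HTML document and records findings keyed to the checklist."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.label_targets = set()   # ids referenced by <label for="...">
        self.inputs = []             # (id, has aria label?) per form control
        self.tables = []             # number of <th> cells seen per table
        self.headings = 0
        self.skip_link = False
        self._current_link = None    # [href, text] while inside <a>
        self._current_button = None  # [aria-label, text] while inside <button>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and "alt" not in a:   # alt="" is fine (decorative image)
            self.findings.append(f"img without alt attribute: src={a.get('src')!r}")
        elif tag == "label" and a.get("for"):
            self.label_targets.add(a["for"])
        elif tag in ("input", "select", "textarea"):
            if a.get("type", "text").lower() not in UNLABELED_INPUT_TYPES:
                labelled = bool(a.get("aria-label") or a.get("aria-labelledby"))
                self.inputs.append((a.get("id"), labelled))
        elif tag == "table":
            self.tables.append(0)
        elif tag == "th" and self.tables:
            self.tables[-1] += 1
        elif tag in ("h1", "h2", "h3", "h4", "h5", "h6"):
            self.headings += 1
        elif tag == "a":
            self._current_link = [a.get("href", ""), ""]
        elif tag == "button":
            self._current_button = [a.get("aria-label", ""), ""]

    def handle_data(self, data):
        if self._current_link is not None:
            self._current_link[1] += data
        if self._current_button is not None:
            self._current_button[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current_link is not None:
            href, text = self._current_link
            text = " ".join(text.split()).lower()
            if href.startswith("#") and "skip" in text:
                self.skip_link = True
            if not text or text in VAGUE_LINK_TEXT:
                self.findings.append(f"link without descriptive anchor text: href={href!r}")
            self._current_link = None
        elif tag == "button" and self._current_button is not None:
            aria, text = self._current_button
            if not aria.strip() and not text.strip():
                self.findings.append("button without accessible name")
            self._current_button = None

    def close(self):
        super().close()  # flush buffered data, then run the document-level checks
        for ident, labelled in self.inputs:
            if not labelled and ident not in self.label_targets:
                self.findings.append(f"form control without label: id={ident!r}")
        for i, th_count in enumerate(self.tables):
            if th_count == 0:
                self.findings.append(f"table {i} has no header cells (<th>)")
        if self.headings == 0:
            self.findings.append("no heading tags to organize text")
        if not self.skip_link:
            self.findings.append("no 'skip navigation' link")


def audit(html: str) -> list[str]:
    """Return the accessibility findings for one HTML document."""
    parser = AccessibilityAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: the same contact page before and after the checklist is applied.
INACCESSIBLE_PAGE = """<html><body>
<img src="logo.png">
<form><input id="email" type="text"><input type="submit" value="Send"></form>
<table><tr><td>Office</td><td>Phone</td></tr></table>
<a href="/contact">click here</a>
<button><img src="icon.png"></button>
</body></html>"""

ACCESSIBLE_PAGE = """<html><body>
<a href="#main">Skip navigation</a>
<h1>Contact us</h1>
<img src="logo.png" alt="Example Firm logo">
<form><label for="email">Email address</label><input id="email" type="text">
<input type="submit" value="Send"></form>
<table><tr><th scope="col">Office</th><th scope="col">Phone</th></tr>
<tr><td>Chicago</td><td>(555) 555-0100</td></tr></table>
<a href="/contact">Read our contact policy</a>
<button aria-label="Search"><img src="icon.png" alt=""></button>
<main id="main"></main>
</body></html>"""

if __name__ == "__main__":
    for finding in audit(INACCESSIBLE_PAGE):
        print("finding:", finding)
```

Items such as accessible PDFs, captions, and font choices are not checkable this way and still need manual review.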

Court Rulings Regarding Website ADA Compliance

According to the American Bar Association (ABA), the number of accessibility-related lawsuits filed against websites has increased dramatically in recent years. Plaintiffs are basing these lawsuits on two legal theories:

  1. Title III’s “equal access and general nondiscrimination mandate”
  2. A requirement that places of public accommodation must provide auxiliary aids and services as necessary (at no extra charge)

Although neither Title III nor its regulations mention websites and mobile applications, the phrase “auxiliary aids and services” includes “accessible electronic and information technology,” which covers websites and mobile apps.

[Figure: ADA Title III lawsuits filed each year. Image by Seyfarth via adatitleiii.com]

A recent ABA analysis of court filings related to ADA website compliance found:

  • Federal courts across the country were inundated with more than 8,000 website accessibility lawsuits between 2017 and 2020.
  • In 2020, three states – New York, Florida, and California – brought more than 85 percent of all the ADA website compliance lawsuits.
  • Since 2018, website and mobile app accessibility disputes have accounted for approximately 20 percent of all ADA Title III cases initiated in federal courts, which now regularly exceed 10,000 suits each year.

These statistics do not consider a significant number of website and mobile app cases pursued in state courts, cases settled before filing in court, and DOJ enforcement proceedings that are resolved prior to court filing.

Here are some examples of court rulings related to ADA compliance and websites:

Gil v. Winn-Dixie Stores Inc.

In June 2017, a Florida court ruled in favor of a blind plaintiff who brought an ADA violation lawsuit against Winn-Dixie. The man claimed that aspects of the supermarket chain’s site weren’t compatible with screen readers, leaving him unable to order his medications online or download rewards cards. The trial court agreed that the website was inaccessible to those with impaired vision and ordered that it be brought into compliance with WCAG 2.0 Level AA.

Although Winn-Dixie complied with the court order, in April 2021 the Eleventh Circuit Court of Appeals overturned the trial court’s decision, finding that Winn-Dixie was not in violation of the ADA because it did not need accessibility aids to conduct business. After that, however, Winn-Dixie posted an accessibility statement on its website committing to adhere to WCAG 2.0 AA and to use testers from the disability community to check the accessibility of its website periodically.

Robles v. Domino’s Pizza

Domino’s Pizza lost a website accessibility lawsuit in 2019 after years of exhaustive litigation when a federal district court in California granted the plaintiff’s motion for summary judgment after it determined that the website was indeed not fully accessible. The court ordered Domino’s to make its website compliant with the WCAG 2.0 to connect customers to the goods and services of Domino’s physical restaurants.

The court held that the ADA applied to Domino’s website and app because the Act requires places of public accommodation, like Domino’s, to offer auxiliary aids and services to make visual materials available to blind individuals. Although customers primarily access the Domino’s website and app outside its physical restaurants, the court found that the Act pertains to the services of public accommodation, not services in a place of public accommodation.

Andrews v. Blick Art Materials

In 2017, Victor Andrews, who is blind, filed a lawsuit against Blick Art Materials for website inaccessibility. Andrews alleged that because Blick’s website was inaccessible, he could not navigate and purchase items on the defendant’s website independently. When Blick made a motion to dismiss the lawsuit, Judge Jack Weinstein denied it and made this statement:

Today, internet technology enables individuals to participate actively in their community and engage in commerce from the comfort and convenience of their home. It would be a cruel irony to adopt the interpretation of the ADA espoused by Blick, which would render the legislation intended to emancipate the disabled from the bonds of isolation and segregation obsolete when its objective is increasingly within reach.

The ruling in this case and others illustrates that businesses need to consider their websites equivalent to a place of public accommodation, which puts them at risk of being sued, even without explicit web accessibility regulations.

Latest DOJ Guidelines

In 2010, the Department of Justice (DOJ) launched a rulemaking process to address ADA requirements for website accessibility, including technical standards for accessible websites. However, that effort stalled for seven years during the Obama administration (even though the administration continued to pursue investigations and enforcement actions against businesses with inaccessible websites).

The Trump administration abandoned the process to interpret the ADA entirely in 2017. In 2018, the DOJ revealed that it would not give official guidance regarding website accessibility under the Act, releasing this statement:

The Department is evaluating whether promulgating regulations about the accessibility of Web information and services is necessary and appropriate. Such an evaluation will be informed by additional review of data and further analysis. The Department will continue to assess whether specific technical standards are necessary and appropriate to assist covered entities with complying with the ADA.

Since the DOJ’s withdrawal, the number of lawsuits involving website accessibility increased dramatically, raising awareness regarding website accessibility among businesses but also causing confusion surrounding what features an ADA-compliant website should include. As a result, numerous website accessibility consulting companies emerged promising inexpensive solutions. However, some have been challenged in court.

In June 2018, some bipartisan members of the U.S. House of Representatives sent a letter to Attorney General Jeff Sessions encouraging the DOJ to release clear website accessibility regulations to diminish the unclear nature of current legislation. On September 25, 2018, the DOJ responded by stating that, at this time, the DOJ would not be issuing web accessibility regulations under the ADA: “The Department has consistently taken the position that the absence of a specific regulation does not serve as a basis for noncompliance with a statute’s requirements.”

In March 2022, the DOJ issued further web accessibility guidance under the ADA. The “new” guidance references both the WCAG – which are voluntary – and the Section 508 standards, which apply to federal websites, and indicates that the DOJ supports the notion that sites of public accommodation must be accessible and that, in the absence of explicit regulations, websites can be flexible in how they choose to comply with the ADA’s requirements. However, the guidance does not clarify what such flexibility or choice entails, which is not necessarily the direction regulation-seekers are looking for, since it provides no substantially new information regarding the vagueness of website accessibility requirements under the ADA.

Final Thoughts

As accessibility regulations for websites remain unclear, it can be easy for organizations to assume that they cannot be sued for noncompliance. However, with no specific standards to follow, law firms and other businesses must do their best to interpret the ADA, practice website accessibility as they see fit, and try to avoid website accessibility-related lawsuits.

One more thing to consider: ambiguity runs both ways, and even though an organization might think its website is accessible, a disabled person might think otherwise, providing the grounds for a lawsuit. Organizations aren’t granted immunity simply because of a lack of clarity in legislation. Instead, uncertainty allows for interpretation by anyone, including the courts.

This article was authored by Jan Hill of Lawmatics.


©2022 — Lawmatics

Actual Malice in the Age of #fakenews

Public figures are fighting back against fake news.

In the most recent headline from the world of celebrity defamation cases, E. Jean Carroll is suing former President Trump for statements he made after she accused him of sexual assault. In a 2019 book and excerpt in New York magazine, Carroll, a longtime advice columnist for Elle magazine, accused Trump of sexual assault in the mid-1990s. Trump responded that Carroll was “totally lying” and not his “type.” Carroll sued Trump for defamation, claiming his statements had harmed her reputation. But Carroll—like all public figure defamation plaintiffs—has an uphill battle before her. To succeed, Carroll will have to prove that Trump’s statements were false, and—because Carroll is a public figure—she will also have to show that Trump acted with “actual malice.” The actual malice standard often proves to be too high a threshold for most public figures to cross, and most cases are lost on that prong—regardless of whether the statement was false. In fact, Johnny Depp was one of the few public figures in recent years to win a defamation suit.

So, what would it mean if the actual malice requirement was rescinded?

The seminal decision in New York Times Company v. Sullivan and its progeny are the backbone of defamation law in this country. These cases hold that public officials and public figures claiming defamation must prove that the allegedly defamatory statement was made, “with knowledge that it was false or with reckless disregard of whether it was false or not.” In other words, with “actual malice.” On the other hand, a private figure, or one who has not sought out the limelight, need only show the false statement was made negligently. Prior to Sullivan, all plaintiffs fell under the negligence standard.

Public figures who must meet this “actual malice” standard fall into two categories: (1) all-purpose public figures, with “pervasive fame or notoriety,” like Johnny Depp; and (2) limited-purpose public figures, like Carroll, who, in the words of Gertz v. Robert Welch, Inc., achieve their status by “thrust[ing] themselves to the forefront of particular public controversies in order to influence the resolution of the issues involved.” The Court rationalized that both categories of public figures have “invite[d] attention and comment.” Moreover, because public figures enjoy “greater access to the channels of effective communication” than private individuals, they are better able to “contradict the lie or correct the error.”

In today’s age of social media, do these justifications still hold true? When Sullivan and its progeny came down, there was a clear delineation between public and private figures. Typically, public figures had media access, and private figures did not. Today’s social media landscape muddles that line. We are all just one post, tweet, or TikTok away from becoming public figures.

In 2019, in a case strikingly similar to Carroll’s, the Supreme Court declined to review a defamation case filed by Kathrine McKee against Bill Cosby. In 2014, McKee publicly accused Cosby of forcibly raping her 40 years earlier. In response, Cosby’s attorney authored and subsequently leaked an allegedly defamatory letter. Excerpts of the letter were disseminated via the Internet and published by news outlets around the world. McKee argued that the letter deliberately distorted her personal background to “damage her reputation for truthfulness and honesty, and further to embarrass, harass, humiliate, intimidate, and shame” her. Applying Sullivan and its progeny, the Court concluded because McKee had “‘thrust’ herself to the ‘forefront’” of the public controversy over “sexual assault allegations implicating Cosby,” she was a “limited-purpose public figure” who needed to show actual malice—regardless of whether the statements about her were false.

In a lone dissent, Justice Clarence Thomas noted that “in an appropriate case, [the Court] should reconsider the precedents” requiring public figures to satisfy an actual-malice standard. Justice Thomas later doubled down on this position in his dissents in Berisha v. Lawson and, most recently, in Coral Ridge Ministries Media, Inc. v. Southern Poverty Law Center. In Berisha, pointing to the shift in the media landscape since Sullivan, Justice Neil Gorsuch joined Justice Thomas in calling for review of the Sullivan decision, noting that our new media world “facilitates the spread of disinformation.”

According to these Justices, in recent years Sullivan has become less of a shield and more of a sword. The “actual malice” standard allows spreaders of conspiracy theories, false accusations, and fake news to be virtually untouchable. In an era where misinformation spreads like wildfire, has the actual malice standard allowed journalists to become sloppy and irresponsible? Under this legal standard a journalist is better off printing a story without fact-checking. In fact, failing to thoroughly investigate, standing alone, does not prove actual malice. If the Court abolished that standard, public figures would be like every other defamation plaintiff and would only need to show that the false statement was made carelessly. In other words, instead of the defendant knowingly printing misinformation, a plaintiff would only need to show that the defendant didn’t bother checking if the information was true or false before making it.

Under this precedent, for years reporters, and individuals alike have been shielded from consequences of publishing falsehoods about public figures. Removing the “actual malice” standard would have sweeping effects on journalists and news platforms, and would make reputable news organizations more vulnerable to attack and open to further scrutiny. But responsible journalists would still remain protected. Truth remains an absolute defense to a defamation claim.

Between 2018 and 2020 the number of defamation suits filed increased by 30%. With “fake news” on the rise, more individuals falling into the “public figure” category, and technology moving at warp speed, the Court may have no choice but to rethink Sullivan. While it is unlikely that 50 years of settled precedent would be overturned, Sullivan just might, at the very least, be revisited.

©2022 Epstein Becker & Green, P.C. All rights reserved.

Ankura Cyber Threat Intelligence Bulletin: August – September 2022

Over the past sixty days, Ankura’s Cyber Threat Investigations & Expert Services (CTIX) Team of analysts has compiled key learnings about the latest global threats and current cyber trends into an in-depth report: The Cyber Threat Intelligence Bulletin. This report provides high-level executives, technical analysts, and everyday readers with the latest intel and insights from our expert analysts.

Download the report for an in-depth look at the key cyber trends to watch and help safeguard your organization from constantly evolving cyber threats with the latest cyber intelligence, ransomware, and threat insights.

 Our latest report explains the following observations in detail:

Law Enforcement Works with Threat Intelligence to Prosecute Human Traffickers

In the age of high-speed internet and social media, criminals have evolved to use information technology to bolster their criminal enterprises and human traffickers are no different. Whether it be through the clearnet or dark web, human traffickers have leveraged the internet to scale their operations, forcing law enforcement to reevaluate how to best combat this problem. In response to the changes in trafficker tactics, techniques, and procedures (TTPs), governments across the world have responded with legislation and policies in an attempt to better thwart the efforts of these criminals. Researchers from Recorded Future’s Insikt Group have published compelling reports as a proof-of-concept (PoC) for a methodology on how law enforcement agencies and investigators can utilize real-time threat intelligence to leverage sources of data in order to aid in tracking, mitigating, and potentially prosecuting human sex traffickers. Download the full report for additional details on law enforcement efforts to prosecute human traffickers and more on the Insikt Group’s findings.

Emerging Threat Organization “MONTI”: Sister Organization or Imposter Threat Group?

Over the past several weeks a new, potentially imposter, threat organization has mimicked the tactics, techniques, procedures (TTPs), and infrastructure of the Conti Ransomware Group. Tracked as MONTI, this doppelganger organization emerged in the threat landscape in July 2022 after compromising a company and encrypting approximately twenty (20) hosting devices and a multi-host VMware ESXi instance tied to over twenty (20) additional servers. While the July attack pushed the group into the limelight, analysts believe that attacks from the doppelganger organization go back even further, into the early summer of 2022. Similarities discovered between Conti Ransomware and the alleged spinoff Monti Ransomware include attack TTPs alongside the reuse of Conti-attributed malicious payloads, deployed tools, and ransom notes. Additionally, the encrypted files exfiltrated by Monti contain nearly identical encryption, which could indicate code reuse. Read the full report to find out what CTIX analysts expect to see from this group in the future.

Figure 1: Conti Ransom Note

Figure 2: Monti Ransom Note

Iranian State-Sponsored Threat Organization’s Attack Timeline Targeting the Albanian Government

In July 2022, nation-state Iranian threat actors, identified by the FBI as “Homeland Justice”, launched a “destructive cyber-attack” against the Government of NATO-member Albania in which the group acquired initial access to the victim network approximately fourteen (14) months before (May of 2021). During this period, the threat actors continuously accessed and exfiltrated email content. The peak activity was observed between May and June of 2022, where actors conducted lateral movements, network reconnaissance, and credential harvesting.

This attack and eventual data dumps were targeted against the Albania-based Iranian dissident group Mujahideen E-Khalq (MEK), otherwise known as the People’s Mojahedin Organization of Iran. MEK is a “controversial Iranian resistance group” that was exiled to Albania and once listed by the United States as a Foreign Terrorist Organization for activity in the 1970s but was later removed in late 2012. Albania eventually severed diplomatic ties with Iran on September 7, 2022, and is suspected to be the first country to ever have done so due to cyber-related attacks. For a more detailed analysis of this attack and its ramifications, download our full report.

 Figure: Homeland Justice Ransom Note Image

Banning Ransomware Payments Becomes Hot-Button Issue in State Legislature

There is a debate occurring in courtrooms across the United States regarding the ethics and impacts of allowing businesses to make ransomware payments. North Carolina and Florida have broken new ground earlier this year passing laws that prohibit state agencies from paying cyber extortion ransom demands. While these two (2) states have been leading the way in ransomware laws, at least twelve (12) other states have addressed ransomware in some way, adding criminal penalties for those involved and requiring public entities to report ransomware incidents. Download the full report to discover what experts think of government ransomware payment bans and the potential effects they could have on ransomware incidents.

Threat Actor of the Month: Worok

ESET researchers discovered a new cluster of the long-active TA428 identified as “Worok.” TA428 is a Chinese advanced persistent threat (APT) group first identified by Proofpoint researchers in July 2019 during “Operation LagTime IT”, a malicious attack campaign targeted against government IT agencies in East Asia. Download the full report for an in-depth look at Worok’s tactics and objectives, and insights from our analysts about the anticipated future impact of this group.

New List of Trending Indicators of Compromise (IOCs)

IOCs can be utilized by organizations to detect security incidents more quickly as indicators may not have otherwise been flagged as suspicious or malicious. Explore our latest list of technical indicators of compromise within the past sixty (60) days that are associated with monitored threat groups and/or campaigns of interest.

Copyright © 2022 Ankura Consulting Group, LLC. All rights reserved.

First BIPA Trial Results in $228M Judgment for Plaintiffs

Businesses defending class actions under the Illinois Biometric Information Privacy Act (BIPA) have struggled to defeat claims in recent years, as courts have rejected a succession of defenses.

We have been following this issue and have previously reported on this trend, which continued last week in the first BIPA class action to go to trial. The Illinois federal jury found that BNSF Railway Co. violated BIPA, resulting in a $228 million award to a class of more than 45,000 truck drivers.

Named plaintiff Richard Rogers filed suit in Illinois state court in April 2019, and BNSF removed the case to the US District Court for the Northern District of Illinois. Plaintiff alleged on behalf of a putative class of BNSF truck drivers that BNSF required the drivers to provide biometric identifiers in the form of fingerprints and hand geometry to access BNSF’s facilities. The lawsuit alleged BNSF violated BIPA by (i) failing to inform class members their biometric identifiers or information were being collected or stored prior to collection, (ii) failing to inform class members of the specific purpose and length of term for which the biometric identifiers or information were being collected, and (iii) failing to obtain informed written consent from class members prior to collection.

In October 2019, the court rejected BNSF’s legal defenses that the class’s BIPA claims were preempted by three federal statutes governing interstate commerce and transportation: the Federal Railroad Safety Act, the Interstate Commerce Commission Termination Act, and the Federal Aviation Administration Authorization Act. The court held that BIPA’s regulation of how BNSF obtained biometric identifiers or information did not unreasonably interfere with federal regulation of rail transportation, motor carrier prices, routes, or services, or safety and security of railroads.

Throughout the case, including at trial, BNSF also argued it should not be held liable where the biometric data was collected by its third-party contractor, Remprex LLC, which BNSF hired to process drivers at the gates of BNSF’s facilities. In March 2022, the court denied BNSF’s motion for summary judgment, pointing to evidence that BNSF employees were also involved in registering drivers in the biometric systems and that BNSF gave direction to Remprex regarding the management and use of the systems. The court concluded (correctly, as it turned out) that a jury could find that BNSF, not just Remprex, had violated BIPA.

The case proceeded to trial in October 2022 before US District Judge Matthew Kennelly. At trial, BNSF continued to argue it should not be held responsible for Remprex’s collection of drivers’ fingerprints. Plaintiff’s counsel argued BNSF could not avoid liability by pleading ignorance and pointing to a third-party contractor that BNSF controlled. Following a five-day trial and roughly one hour of deliberations, the jury returned a verdict in favor of the class, finding that BNSF recklessly or intentionally violated BIPA 45,600 times. The jury did not calculate damages. Rather, because BIPA provides for $5,000 in liquidated damages for every willful or reckless violation (and $1,000 for every negligent violation), Judge Kennelly applied BIPA’s damages provision, which resulted in a judgment of $228 million in damages. The judgment does not include attorneys’ fees, which plaintiff is entitled to and will inevitably seek under BIPA.

While an appeal will almost certainly follow, the BNSF case serves as a stark reminder of the potential exposure companies face under BIPA. Businesses that collect biometric data must ensure they do so in compliance with BIPA and other biometric privacy regulations. Where BIPA claims have been asserted, companies should promptly seek outside counsel to develop a legal strategy for a successful resolution.


© 2022 ArentFox Schiff LLP

Twelve Tips for Effective In-Person Networking in the Post-Pandemic World

I recently got on my first flight since the pandemic. I had been avoiding travel and conferences for many reasons, but it’s time to stop hiding at home and behind my computer screen.

Over the next few weeks I am speaking at several lawyer retreats and industry conferences – I’m excited but nervous.

I feel like a fish out of water (I accidentally let my TSA pre-check expire as well as my passport during Covid). It’s also the first time I’m leaving my pandemic puppies (I think it’s more traumatic for me than them).

I’m looking forward to seeing familiar faces and meeting new ones, and getting to know my clients in a setting other than Zoom because human connections are important and powerful.

In-person networking is essential – it is the secret sauce to building long-term and meaningful relationships. Those relationships can lead to opportunities of all kinds.

Even as an extroverted extrovert, I’m a bit rusty on networking.

I have been doing countless presentations to a computer screen since March 2020 and so being able to see and interact with real people is a much welcome change. A return to “normalcy.”

But after years of being an “expert” networker, I’m not actually sure what to do when I actually see people again in a professional group setting.

Do I hug? (I’m Italian, we like to hug) Shake hands? Fist bump? Just smile and nod? So glad we aren’t bathing in hand sanitizer anymore or cloroxing everything with which we come in touch.

Many of us are in the same position after the past few years, and we don’t feel like the same person we used to be. But that’s okay. Let’s collectively give ourselves a break (and some grace). We are all in the same boat – together.

Here are 12 tips for effective in-person networking I plan to use:

  1. Ask people about themselves more than I talk about myself.
  2. Practice active listening.
  3. Say their names a few times when talking to them – it helps me remember them and makes people like you more.
  4. Write notes after each meaningful conversation.
  5. Exit conversations gracefully.
  6. Follow up and connect on LinkedIn with new and renewed contacts.
  7. Put my LinkedIn QR code on my iPhone home screen to facilitate easy networking. Here’s how.
  8. Add new contacts to my CRM.
  9. Immerse myself in the programming. I am not going to check my email every second or do unnecessary work.
  10. Write a key takeaways blog and LinkedIn post from the sessions I enjoyed and tag the speakers.
  11. Create an email OOO message that supports my brand and business (see example from Paula Edgar).
  12. Have an intimate dinner with my clients/colleagues to get to know them better.

Do you have any tips for in-person networking in the post-pandemic environment?

Copyright © 2022, Stefanie M. Marrone. All Rights Reserved.