All I Want for Christmas is Effective Sports Governance

At the start of this year, following his appointment as Chair of the UK’s Department for Culture, Media, and Sport (“DCMS”), Damian Green MP put sports governance firmly on the agenda.

This commitment came after the publication of the Whyte Review in June 2022 (the “Review“), which was an independent report into allegations of mistreatment in the sport of gymnastics led by Anne Whyte KC.

Sport England’s CEO Tim Hollingsworth and UK Sport’s CEO Sally Munday, the two individuals who commissioned the report, provided a joint statement following the Review, which included a commitment to “not rest until [we] have a sporting system that fully champions and enables participant and athlete wellbeing”.

Sports governance is a multi-faceted issue; systematic failings cannot be solved overnight. Effective and comprehensive investigations are needed to uncover the existing issues before remediation can take place.

As such, this blog will lay out five top tips for ensuring that all goes to plan when conducting a sports investigation.

Tip 1: Have Policies In Place

Terms and conditions, policies and procedures are rarely updated and often overlooked. However, when issues arise, it is these terms and conditions, policies and procedures that are an immediate source of authority for standards of behaviour; they are your “dos” and “don’ts”.

Therefore, first and foremost, it is essential to have robust, fair and proportionate policies and procedures in place to guide the investigative process.

During a recent sport investigation it quickly became apparent that the sport had no definition of “bullying” even though that was the accusation levelled at an athlete. Some of the practical issues with this included uncertainty as to:

  1. whether an imbalance of power was a necessary ingredient of bullying;
  2. whether intent was a requirement of bullying; and
  3. what amounted to a “course of conduct”.

In the end, those investigating the allegations relied on a combination of the athlete code of conduct, analogous previous investigations, and the governing bodies’ social media guidance to piece together a definition.

This investigation into bullying is not an isolated incident and most of the recent complaints raised with Sport Integrity (UK Sport’s confidential reporting line and independent investigation service) relate to bullying, so to not have a universal definition of “bullying” was and is particularly troublesome.

Since this investigation, we have worked with National Governing Bodies (“NGBs”) to devise a uniform definition of “bullying”. Of course, some NGBs will require bespoke definitions to reflect the nature of their sport, but a reference point (and, over time, a precedent bank) will help both individuals and NGBs.

We would caution that, in an attempt ‘do the right thing’, sporting governing bodies can sometimes overcommit, leading to policies that are too onerous. An example includes allowing an automatic right to appeal if the complainant is not satisfied with the outcome, rather than requiring them to establish a basis for appeal. It comes from a good intention but can often be costly and time consuming.

Tip 2: Identifying the Right People to Handle the Investigation

A key issue to consider at the start of an investigation is not only (i) who is going to undertake the investigation; but also (ii) who will advise the governing body in respect of the investigation report.

In determining issue (i), thought must be given to whether the investigator has appropriate experience and whether they are, of course, truly independent.

But once the investigation has ended, the commissioning governing body does not just put the report into the top drawer, the recommendations within the report will need to be actioned. But often those recommendations may have legal consequences such as employment issues, data protection considerations, and defamations risks, to name but a few. We believe it is advisable for a governing body to instruct an external law firm from the outset so that they are able to receive independent advice while remaining separate from the investigation.

Tip 3: Nail the Terms of Reference

The terms of reference (“ToR”) set out the parameters of an investigation and provide something of a roadmap. Investigations often uncover facts or events which were not in contemplation at the outset, and so it is crucial that the ToR provides for such eventualities.

For an international rugby referee, it is standard practice to consider the “what if” situations. What if there is a thunderstorm? What if the crossbar falls down? What if the ball is stolen by a streaker? Referees want to be as prepared as possible when people turn to them for an answer – the same is true in an investigative setting.

Essential features of the ToR include:

  1. what will be investigated and what won’t;
  2. what happens if you discover something that isn’t covered;
  3. how do you amend the ToR; and
  4. who will provide what material and when.

Some less obvious matters for inclusion:

  1. how many times do you email someone before concluding that they have refused to comply;
  2. what are acceptable methods of contact;
  3. who is allowed to attend the meeting with the individual being interviewed;
  4. will you produce transcripts of meetings; and
  5. who will see the report.

Doing the legwork beforehand saves time, stress, and distress down the track.

Tip 4: Specialist Support to the Investigating Team

During one of our sporting investigations, it became clear that athletes in that particular sport liked technical jargon even more than lawyers. To ensure that key information is not hidden in opaque terminology, we have found it useful to involve people with relevant experience who can put factual sporting matters in layman’s terms.

Contact sports is a good example of this. Physical intimidation during training sessions seems at odds with most places of work, but when athletes are competing for a single spot at the Olympic Games, this can be part and parcel of their world.

Interviewing ex-athletes as part of the initial stages of an investigation not only allow us to understand the jargon, but also to understand the realities of the sport, the difference between male and female athletes, and when aggression transgresses into bullying.

Tip 5: Involve Data Privacy Experts

Data Privacy is a fast-moving area of law which requires careful consideration in the context of sports investigations. The approach to data is two-fold: how and what can I collect, and with who and how can I share it.

You must have a clearly identified purpose and an appropriate lawful basis for processing personal data, or be able to show that your processing fits within one of the narrowly defined statutory exceptions. Be aware that sharing personal data is a form of “processing”, so ensure that you have a clear purpose and lawful basis for sharing, and that the recipient (for example an expert) has a clearly stated purpose and lawful basis for receiving that data.

From a UK perspective, you (or someone with the relevant expertise) will need to be familiar with the relevant provisions of the UK General Data Protection Regulation 2018 and the Data Privacy Act 2018 to ensure compliance. Reference should also be made to any policies which may set out how employee data may be processed. In the first instance, you will need to ensure that you have a lawful basis for collecting and processing data. Additional care should be taken when you are processing criminal offences data – as is often the case in investigations – or any “special category” data revealing factors such as racial or ethnic origin, political opinions, religious or philosophical beliefs, health, sex life or sexual orientation.

Data Protection Impact Assessments (DPIA) and Legitimate Interests Assessments (LIA) are now a reality of sporting investigations that should not be overlooked. Helpfully, in relation to “special category” and criminal offence data, UK data protection laws make express provision for processing where it is necessary to protect the integrity of a sport or a sporting event against dishonesty, malpractice or other seriously improper conduct, or failure by a person participating in the sport or event in any capacity to comply with standards of behaviour set by a body or association with responsibility for that sport or event. However, in each case it is essential that you involve experts to check that the factual situation justifies reliance on those provisions.

Summary

Sports organisations would be well served to address the issues highlighted above, particularly as their feet are often held to the fire by governments, sponsors, participants, and the general public on whether they have done enough to identify or remedy high profile matters.

This article was co-authored by Molly Mckenna.

Lawyer Bot Short-Circuited by Class Action Alleging Unauthorized Practice of Law

Many of us are wondering how long it will take for ChatGPT, the revolutionary chatbot by OpenAI, to take our jobs. The answer: perhaps, not as soon as we fear!

On March 3, 2023, Chicago law firm Edelson P.C. filed a complaint against DoNotPay, self-described as “the world’s first robot lawyer.” Edelson may have short-circuited the automated barrister’s circuits by filing a lawsuit alleging the unauthorized practice of law.

DoNotPay is marketed as an AI program intended to assist users in need of legal services, but who do not wish to hire a lawyer. The organization was founded in 2015 to assist users in disputing parking tickets. Since then, DoNotPay’s services have expanded significantly. The company’s website offers to help users fight corporations, overcome bureaucratic obstacles, locate cash and “sue anyone.”

In spite of those lofty promises, Edelson’s complaint counters by pointing out certain deficiencies, stating, “[u]nfortunately for its customers, DoNotPay is not actually a robot, a lawyer, or a law firm. DoNotPay does not have a law degree, is not barred in any jurisdiction and is not supervised by any lawyer.”

The suit was brought by plaintiff Jonathan Faridian, who claims to have used DoNotPay for legal drafting projects, demand letters, one small claims court filing and drafting an employment discrimination complaint. Faridian’s complaint explains he was under the impression that he was purchasing legal documents from an attorney, only to later discover that the “substandard” outcomes generated did not comport with his expectations.

When asked for comment, DoNotPay’s representative denied Faridian’s allegations, explaining the organization intends to defend itself “vigorously.”

© 2023 Wilson Elser

Locking Tik Tok? White House Requires Removal of TikTok App from Federal IT

On February 28, the White House issuedmemorandum giving federal employees 30 days to remove the TikTok application from any government devices. This memo is the result of an act passed by Congress that requires the removal of TikTok from any federal information technology. The act responded to concerns that the Chinese government may use data from TikTok for intelligence gathering on Americans.

I’m Not a Federal Employee — Why Does It Matter?

The White House Memo clearly covers all employees of federal agencies. However, it also covers any information technology used by a contractor who is using federal information technology.  As such, if you are a federal contractor using some sort of computer software or technology that is required by the U.S. government, you must remove TikTok in the next 30 days.

The limited exceptions to the removal mandate require federal government approval. The memo mentions national security interests and activities, law enforcement work, and security research as possible exceptions. However, there is a process to apply for an exception – it is not automatic.

Takeaways

Even if you are not a federal employee or a government contractor, this memo would be a good starting place to look back at your company’s social media policies and cell phone use procedures. Do you want TikTok (or any other social media app) on your devices? Many companies have found themselves in PR trouble due to lapses in enforcement of these types of rules. In addition, excessive use of social media in the workplace has been shown to be a drag on productivity.

© 2023 Bradley Arant Boult Cummings LLP

MAXIMUM PRESSURE: Stratics Networks Hit With Massive DOJ Complaint Related to RVM Use by Customers and The Heat is Really On Platforms Right Now

So just last month the covered the story of Phone Burner being absolutely destroyed by a recent FCC order directing carriers to stop carrying its traffic. It be came the most read story EVER on TCPAWorld.com.

This one might be even bigger.

Before I get to the punchline, bear with me for a second.

Ringless voicemail.

I have been saying for many years that these things are covered by the TCPA. The Courts have said it. The FCC has said it.

But the ringless voicemail providers, by and large, refused to get the message. As recently as late last year I still have people coming to me telling me that this platform or that service was telling them that the TCPA does not apply to ringless voicemail. And I have personally heard sales pitches within the last couple of years where a ringless voicemail provider told potential customers the TCPA does not apply to the technology.

Lies, lies and more lies. And I hate lies.

The argument for RVM not being covered by the TCPA is a dreadful one. Some lawyer–NOT ME– long ago prepared a white paper suggesting that because voicemail is a title III information service and not a title II communication service that, somehow, that means the direct drop process to leave a voicemail also wasn’t a communication. Its nuts. Totally irrational. And beyond that, it was just dumb.

There was a better rationale for the argument–that the messages traversed business class landlines and not cellular networks–but that argument, too, has been rejected in recent years.

Anyhoo, RVM are definitely covered by the TCPA and that is a fact that has been known for many years. But that did not stop one major RVM provider from–allegedly–allowing its users to blast folks without consent.

And here is where we get to the big news: On Friday the Department of Justice filed a massive complaint–on referral from the FTC–against a debt relief company that was allegedly violating the TSR by sending RVMs without consent and failing to include content required by the TSR in the message.

Please notice that the complaint was NOT just filed against the debt relief company. It was filed against Stratics Networks–the wholesale carrier that permitted the traffic and also, apparently, supplied the RVM platform that was used to send the messages. But the complaint was also filed against the intermediary VOIP service provider, Netlatitude, Inc.–and its president Kurt S. Hannigan personally (!),  that provided access to the debt relief company through Stratics (or perhaps vice versa.)

The actual wrongdoers were apparently a debt relief company called Tek Ventures, LLC, doing business as Provident Solutions and a marketing company hired by Provident–Atlas Marketing Partners, Inc.

A bunch of other players, including INDIVIDUALS are also named as the FTC and DOJ really came to play with a sledgehammer here.

Each of these companies (and people) are alleged to have done something a bit different wrong. And its worth seeing how the government is going after each member of the alleged illegal robocall ring.

Of most interest to me–and I suspect most of you–is the case against Stratics. Like Phone Burner, Stratics is a very well known platform out there. Big footprint. And it is perceived to be a fairly compliant player.

Out of the gate, some of the allegations of the Complaint seek to impose a MUCH broader set of requirements on a carrier than have ever been seen before. For instance, the DOJ complains:

  • Despite acknowledging in its terms and conditions of service that its customers must “obtain the prior written consent from each recipient to contact such recipient” “[w]here required by applicable law or regulation,” Stratics Networks did not have evidence of such consent and did not request or require that its customers submit such evidence;

  • Stratics Networks has access to the prerecorded messages its customers upload to its RVM platform and reserves the right to audit its customers’ accounts in its terms and conditions of service, but it does not conduct due diligence to ensure that the messages actually identified the seller or caller, or to prohibit the transmission of prerecorded messages that failed to do so, or to ensure that that the call recipient had given express consent to receive the call; and

  • Stratics did not “require[]” and “ensur[e] that users  obtain prior express written consent from recipients, scrub lists of uploaded phone numbers against the DNC Registry, or otherwise comply with the TSR as a condition of using the platform.

But, so what?

A carrier owes no duty to at law to review the content of messages sent over its network. Gees, it would be a huge violation of privacy if it did. And sure an RVM platform may have access to the voicemails that were uploaded but since when is it required to review those and provide compliance advice? That’s just plain nuts.

Further, the fact that Stratics required consent for users of its platform is plenty. Folks use AUPs and disclosures to assure their platforms are not being misused. Since when does the law require them to actually possess consent–or “require” and “ensure” compliance– before allowing someone to use their network? Since never. And its just nuts for the FTC and DOJ to suggest otherwise.

Outside of really extreme cases, a carrier is still just a carrier. And a platform is still just a platform. Sure there can be times when these companies are so involved with messages–or know (we’ll get to that) of abuses–such that they are responsible as if they had sent them. But in the ordinary course these folks have NO DUTY to ensure…. anything.

So I’m a bit perturbed by the insinuation that these allegations, alone, make Stratics blameworthy. They speak to duties that do not exist in the law. If the DOJ and FTC doesn’t like the current state of the law they should take it up with Congress (or, in the case of the FTC, start an NPRM process, hint hint.)

But other allegations are more damaging–particularly those related to the knowledge Stratics had about the use of its platform. And, here again, we see the ITG playing a big role.

Per the Complaint, “Stratics Networks received numerous Traceback Requests from USTelecom’s ITG alerting it to suspected illegal robocall traffic delivered via Stratics Networks’ RVM platform service and seeking its assistance in identifying the source(s) (i.e., upstream carrier or originating end-user) of these “likely illegal” robocalls, including over 30 such requests between August 2019 and February 2021.”

Now 30 requests may seem like a lot, but you have to keep in mind how active the ITG is. They’re firing off a ton of “tickets” every single day. So I’m not convinced that 30 tickets over a year and a half is really that big of a deal. Plus, these tickets are directed at the content of user messages traversing the Stratics network–it does not mean that any of these were actually Stratics customers. (BTW, the DOJ was kind enough to name a bunch of the ticket sources: “Atlas Marketing, Telecord, Telesero, Health Innovations, National Homebuyers, Elite Processing, Deltracon, Technest Limited, Shamoon Ahmad, Progressive Promoting, Nitzke Enterprize, Care Advocacy Solutions, and PubClub.” Hope your name isn’t in there!)

So, again, I don’t love the government’s case so far. But it does get stronger. For instance:

  • In some instances, even when Stratics Networks did identify the RVM customers responsible for these illegal robocalls, Stratics Networks allowed these RVM customers to open additional accounts and/or continue utilizing its RVM platform service for several weeks or months without suspending or terminating their RVM accounts.

  • In some instances, Stratics Networks did not suspend these RVM customers’ accounts until after it received a civil investigative demand from the FTC in November 2020 inquiring about prerecorded messages delivered using its RVM platform service.

Ok, now the government is getting closer. The case law is reasonably clear that where a carrier or platform knows of illegal traffic on its network it does need to take some action to prevent it. If Stratics allowed customers who were committing violations to open new accounts or run new campaigns that could be a problem, unless it did extra heightened diligence to assure compliance.

But now, the big allegations:

  • Several of US Telecom’s ITG’s Traceback Requests to Stratics Networks concerned robocalls delivered over Stratics Networks’ RVM platform as part of the Atlas Defendants’ debt relief telemarketing campaign, including Traceback Requests Stratics Networks received between April and June 2020. These Traceback Requests indicated that they concerned a “DebtReduction-Hardship” or “DebtReduction CoronaHardship” campaign, and they noted that the robocalls delivered prerecorded messages offering preapproved loans and did not identify the caller.

  • Notwithstanding Stratics Networks’ representation to US Telecom’s ITG in response to a April 29, 2020 traceback request that it “ha[d] taken immediate action and triggered a full investigation” into the Traceback Request and “also suspended traffic,” Stratics Networks permitted Atlas Marketing to continue using its RVM platform service to deliver millions more robocalls for over five more months;

  • After April 29, 2020, Stratics Networks permitted Atlas Marketing to use its RVM service to deliver more than 23 million additional ringless voicemail robocalls to American consumers.

Ok so Stratics allowed 23 million voicemails by Atlas after telling the ITG it would suspend its traffic. Now that could be a problem. Especially if those 23MM voicemails violated the TSR and TCPA (although that fact is, perhaps tellingly, left out of the complaint.)

Notice the timing here also. ITG tickets went out in April, 2020. A CID followed in October, 2020. And then the complaint was filed in February, 2023 two and a half years later.

So all of you carriers and platforms that have received ITG tickets followed by CIDs, keep this in mind. Even if a year or more has passed, the FTC might still be working the case.

So what did Netlatitude do wrong? Well this appears to be a volume play. Specifically the FTC is concerned that Netlatitude allowed Atlas to send “136,000 robocalls” using Stratics Networks’ SIP termination service on just two days in September 2020.

Again, I kind of want to shrug at that. While high volume traffic can be a red flag, there is ZERO requirement a carrier decline to carry traffic merely because there might be a lot of it.

Netlatitude also apparently received several ITG tickets but it is not clear that they had anything to do with Atlas. So I am very fuzzy as to why Netlatitude is in the case–except that Stratics apparently pointed the finger at Netlatitude and its President.

As to the debt relief companies, the claims here are wide and varied. First, there is a claim of straight consumer deception. They allegedly promised consumers they’d be out of debt in two years and that monthly payments would be used in a way that turned out not to be true. Ok. Makes sense.

Next they allegedly sent voicemails that did not identify the sender and sent calls to numbers on the DNC list without consent. Again, pretty straightforward.

They also allegedly received a fee prior to providing debt relief, which is also not permitted. So… if true, open and shut case. I think.

In the end the government is asking for a bunch of stuff. Most damaging for Stratics is the injunctive relief provision:

A. Enter a permanent injunction to prevent future violations of the TSR and the FTC Act by Defendants;

B. Award monetary and other relief within the Court’s power to grant;

C. Award Plaintiff monetary civil penalties for every violation of the Telemarketing Sales Rule; and

D. Award Plaintiff such other and additional relief the Court may determine to
be just and proper

Lots of big take aways here. We already knew that carriers and platforms can’t turn a blind eye to bad traffic on their networks, but in this case the government seeks to go much further and impose duties on these companies to “require” and “ensure” only lawful traffic traverses their networks. That is just craziness and I think a lot of carriers will fold up shop if they suddenly become strictly liable for misconduct on their networks. Indeed, just 8 years ago carriers were completely beyond liability for traffic on their network and now they are to be treated as always liable for it? That is unfair and absurd.

Obviously those of you in the debt relief game need to pay careful attention here as well. NO cheating allowed. If you make a representation it has to be true. And don’t charge that fee up front–can get you into trouble.

Notice also that NONE of these claims are brought under the TCPA. But some could have been. The TCPA also prevents the use of RVMs to to cell phones without the proper level of consent. And the TCPA bans solicitations to residential numbers on the DNC list. I presume the DOJ didn’t want to tangle with any additional issues here–or perhaps the FTC did not want to tread on the FCC’s toes by moving into TCPA issues. Unclear to me.

But what IS clear to me is that this complaint is a huge deal and should really have every carrier and platform out there asking itself what the future may hold…

Read the complaint here: Complaint Against Stratics, et al.

© 2023 Troutman Firm

SUPERBOWL CIPA SUNDAY: Does Samsung’s Website Chat Feature Violate CIPA?

Happy CIPA and Super Bowl Sunday TCPA World!

So, Samsung is under the spotlight with a new CIPA case brought by a self-proclaimed “tester.” You know like Rosa Parks?? Back to that in a bit.

The California Invasion of Privacy Act (“CIPA”) prohibits both wiretapping and eavesdropping of electronic communications without the consent of all parties to the communication. The Plaintiff’s bar is zoning in to CIPA with the Javier ruling.

If you recall, Javier found that “[T]hough written in terms of wiretapping, Section 631(a) applies to Internet communications. It makes liable anyone who ‘reads, or attempts to read, or to learn the contents’ of a communication ‘without the consent of all parties to the communication.’ Javier v. Assurance IQ, LLC, 2022 WL 1744107, at *1 (9th Cir. 2022).

Here, Plaintiff Garcia claims that Defendant both wiretaps the conversations of all website visitors and allows a third party to eavesdrop on the conversations in real time during transmission. Garcia v. Samsung Electronics America, Inc.

To enable the wiretapping, Plaintiff claims that Defendant has covertly embedded software code that functions as a device and contrivance into its website that automatically intercepts, records and creates transcripts of all conversations using the website chat feature.

To enable the eavesdropping, Defendant allows at least one independent third-party vendor to secretly intercept (during transmission and in real time), eavesdrop upon, and store transcripts of Defendant’s chat communications with unsuspecting website visitors – even when such conversations are private and deeply personal.

But Plaintiff currently proceeds in an individual action but if Samsung does not take appropriate steps to fully remedy the harm caused by its wrongful conduct, then Garcia will file an amended Complaint on behalf of a class of similarly aggrieved consumers.

Now back to Civil Rights.

According to this Complaint, Garcia is like Rosa Parks, you know, the civil rights activist. Why?

Well, because “Civil rights icon Rosa Parks was acting as a “tester” when she initiated the Montgomery Bus Boycott in 1955, as she voluntarily subjected herself to an illegal practice to obtain standing to challenge the practice in Court.”

Because Wiretapping and civil rights are similar right??

Disgusted.

The Plaintiff’s bar has no problem muddying the waters to appeal to the courts.

Do better.

CIPA is some dangerous stuff. Websites use chat features to engage with consumers all the time. It seems like it is easier to communicate via chat or text than to sit on a call waiting for an agent – assuming you get an agent. But maybe not?

Stay safe out there TCPA World!

Til next time Countess!! back to the game, GO EAGLES!!! #Phillyproud

© 2023 Troutman Firm

Ankura CTIX FLASH Update – December 13, 2022

Malware Activity

Uber Discloses New Data Breach Related to Third-Party Vendor

Uber has disclosed a new data breach that is related to the security breach of Teqtivity, a third-party vendor that Uber uses for asset management and tracking services. A threat actor named “UberLeaks” began leaking allegedly stolen data from Uber and Uber Eats on December 10, 2022, on a hacking forum. The exposed data includes Windows domain login names and email addresses, corporate reports, IT asset management information, data destruction reports, multiple archives of apparent source code associated with mobile device management (MDM) platforms, and more. One document in particular contained over 77,000 Uber employee email addresses and Windows Active Directory information. UberLeaks posted the alleged stolen information in four (4) separate postings regarding Uber MDM, Uber Eats MDM, Teqtivity MDM, and TripActions MDM platforms. The actor included one (1) member of the Lapsus$ threat group in each post, but Uber confirmed that Lapsus$ is not related to this December breach despite being previously linked to the company’s cyberattack in September 2022. Uber confirmed that this breach is not related to the security incident that took place in September and that the code identified is not owned by Uber. Teqtivity published a data breach notification on December 12, 2022, that stated the company is aware of “customer data that was compromised due to unauthorized access to our systems by a malicious third party” and that the third-party obtained access to its AWS backup server that housed company code and data files. Teqtivity also noted that its ongoing investigation identified the following exposed information: first name, last name, work email address, work location details, device serial number, device make, device model, and technical specs. The company confirmed that home address, banking information, and government identification numbers are not collected or retained. Uber and Teqtivity are both in the midst of ongoing investigations into this data breach. CTIX analysts will provide updates on the matter once available.

Threat Actor Activity

PLAY Ransomware Claims Responsibility for Antwerp Cyberattack

After last week’s ransomware attack on the city of Antwerp, a threat organization has claimed responsibility and has begun making demands. The threat group, tracked as PLAY ransomware, is an up-and-coming ransomware operation that has been posting leaked information since November 2022, according to an available posting on their leak site. Samples of the threat group’s ransomware variants have shown activity dating back to June 2022, which is around the time PLAY ransomware targeted the Argentina Court of Cordoba (August). While PLAY’s ransomware attack crippled several sectors of Antwerp, it appears to have had a significant impact on residential facilities throughout the city, as stated by officials. According to PLAY NEWS, PLAY’s ransomware leak site, the publication date for the exfiltrated data is Monday, December 19, 2022, if the undisclosed ransom is not paid. PLAY threat actors claim to have 557 gigabytes (GB) worth of Antwerp-related data including but not limited to personal identifiable information, passports, identification cards, and financial documents. CTIX continues to monitor the developing situation and will provide additional updates as more information is released.

Vulnerabilities

Fortinet Patches Critical RCE Vulnerability in FortiOS SSL-VPN Products

After observing active exploitation attempts in-the-wild, the network security solutions manufacturer Fortinet has patched a critical vulnerability affecting their FortiOS SSL-VPN products. The flaw, tracked as CVE-2022-42475, was given a CVSS score of 9.3/10 and is a heap-based buffer overflow, which could allow unauthenticated attackers to perform arbitrary remote code execution (RCE) if successfully exploited. Specifically, the vulnerability exists within the FortiOS sslvpnd product, which enables individual users to safely access an organization’s network, client-server applications, and internal network utilities and directories without the need for specialized software. The vulnerability was first discovered by researchers from the French cybersecurity firm Olympe Cyberdefense who warned users to monitor their logs for suspicious activity until a patch was released. Although very few technical details about the exploitation have been divulged, Fortinet did share lists of suspicious artifacts and IPs. Based on research by Ankura CTIX analysts, the IPs released by Fortinet are located around the globe and are not associated with known threat actors at this time. To prevent exploitation, all Fortinet administrators leveraging FortiOS sslvpnd should ensure that they download and install the latest patch. If organizations cannot immediately patch their systems due to the business interruption it would cause, Olympe Cyberdefense suggests “customers monitor logs, disable the VPN-SSL functionality, and create access rules to limit connections from specific IP addresses.” A list of the affected products and their solutions, as well as the indicators of compromise can be found in the Fortinet advisory linked below.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. 

Copyright © 2022 Ankura Consulting Group, LLC. All rights reserved.

How Many Websites Now Have Cookie Banners?

A “cookie banner” refers to a pop-up notice on a website that discusses the site’s use of cookies. There is little standardization concerning how cookie banners are deployed. For example, websites can position them in different places on the screen (e.g., across the top of the screen, across the bottom of the screen, in a corner of the screen, or centered on the screen). Cookie banners also utilize different language to describe what cookies are and use different terms to describe options consumers may have in relation to the deployment of cookies. Some cookie banners require that a consumer interact with the banner (e.g., accept, cancel, or click out of) before the consumer can visit a website; other cookie banners are designed to disappear from view after several seconds.

As of October 2022, 45% of Fortune 500 websites were utilizing a cookie banner.[1] That represents an 11-point increase since 2021.[2]


[1] Greenberg Traurig LLP reviewed the publicly available privacy notices and practices of 555 companies (the Survey Population). The Survey Population comprises companies that had been ranked within the Fortune 500 at some point in the past five years as well as additional companies selected from industries that are underrepresented in the Fortune 500. While the Survey Population does not fully match the current Fortune 500 as a result of industry consolidation and shifts in company capitalization, we believe that the aggregate statistics rendered from the Survey Population are representative of mature companies. Greenberg Traurig’s latest survey was conducted between September and October 2022.

[2] Greenberg Traurig LLP conducted a survey in December 2020 which showed that 34.2% of websites had cookie banners.

©2022 Greenberg Traurig, LLP. All rights reserved.

ANOTHER TRILLION DOLLAR CASE:? TikTok Hit in MASSIVE CIPA Suit Over Its Business Model of Profiting from Advertising by Collecting and Monetizing User Data

Data privacy lawsuits are EXPLODING and one of our country’s most popular mobile app — TikTok’s privacy issues keep piling up.

Following its recent $92 million class-action data privacy settlement for its alleged violation of Illinois Biometric Information Privacy Act (BIPA), TikTok is now facing a CIPA and Federal Wire Tap class action for collecting users’ data via its in-app browser without Plaintiff and class member’s consent.

The complaint alleges “[n]owhere in [Tik Tok’s] Terms of Service or the privacy policies is it disclosed that Defendants compel their users to use an in-app browser that installs JavaScipt code into the external websites that users visit from the TikTok app which then provides TikTok with a complete record of every keystroke, every tap on any button, link, image or other component on any website, and details about the elements the users clicked. “

Despite being a free app, TikTok makes billions in revenue by collecting users’ data without their consent.

The world’s most valuable resource is no longer oil, but data.”

While we’ve discussed before, many companies do collect data for legitimate purposes with consent. However this new complaint alleges a very specific type of data collection practice without the TikTok user’s OR the third party website operator’s consent.

TikTok allegedly relies on selling digital advertising spots for income and the algorithm used to determine what advertisements to display on a user’s home page, utilizes tracking software to understand a users’ interest and habits. In order to drive this business, TikTok presents users with links to third-party websites in TikTok’s in-app browser without a user  (or the third party website operator) knowing this is occurring via TikTok’s in-app browser. The user’s keystrokes is simultaneously being intercepted and recorded.

Specifically, when a user attempts to access a website, by clicking a link while using the TikTok app, the website does not open via the default browser.  Instead, unbeknownst to the user, the link is opened inside the TikTok app, in [Tik Tok’s] in-app browser.  Thus, the user views the third-party website without leaving the TikTok app. “

The Tik-Tok in-app browser does not just track purchase information, it allegedly tracks detailed private and sensitive information – including information about  a person’s physical and mental health.

For example, health providers and pharmacies, such as Planned Parenthood, have a digital presence on TikTok, with videos that appear on users’ feeds.

Once a user clicks on this link, they are directed to Planned Parenthood’s main webpage via TikTok’s in-app browser. While the user is assured that his or her information is “privacy and anonymous,” TikTok is allegedly intercepting it and monetizing it to send targeted advertisements to the user – without the user’s or Planned Parenthood’s consent.

The complaint not only details out the global privacy concerns regarding TikTok’s privacy practices (including FTC investigations, outright ban preventing U.S. military from using it, TikTok’s BIPA lawsuit, and an uptick in privacy advocate concerns) it also specifically calls out the concerns around collecting reproductive health information after the demise of Roe v. Wade this year:

TikTok’s acquisition of this sensitive information is especially concerning given the Supreme Court’s recent reversal of Roe v. Wade and the subsequent criminalization of abortion in several states.  Almost immediately after the precedent-overturning decision was issued, anxieties arose regarding data privacy in the context of commonly used period and ovulation tracking apps.  The potential of governments to acquire digital data to support prosecution cases for abortions was quickly flagged as a well-founded concern.”

Esh. The allegations are alarming and the 76 page complaint can be read here: TikTok.

In any event, the class is alleged as:

“Nationwide Class: All natural persons in the United State whose used the TikTok app to visit websites external to the app, via the in-app browser.

California Subclass: All natural persons residing in California whose used the TikTok app to visit websites external to the app, via the in-app browser.”

The complaint alleges California law applies to all class members – like the Meta CIPA complaint we will have to wait and see how a nationwide class can be brought related to a CA statute.

On the CIPA claim, the Plaintiff – Austin Recht – seeks an unspecific amount of damages for the class but the demand is $5,000 per violation or 3x the amount of damages sustained by Plaintiff and the class in an amount to be proven at trial.

We’ll obviously continue to keep an eye out on this.

Article By Puja J. Amin of Troutman Firm

For more communications and media legal news, click here to visit the National Law Review.

© 2022 Troutman Firm

ADA Compliance for Law Firm Websites in 2022

Legal reasoning involves applying the law to the facts to determine the rights and duties of those involved in a situation. Lawyers frequently take the position that the application of rules should settle disputes and that policies will be considered, if at all, only when there is a high degree of uncertainty surrounding the applicability of the rule. The lawyer might take the position that it is always preferable to seek the result that would further the underlying policies, even if that result would be contrary to the clear language of the rules.

But what if no explicit rules currently exist?

That is the issue with website compliance under the Americans with Disabilities Act (ADA). The Act does not offer specific guidelines to follow; however, websites are expected to be easily accessible to everyone, including those who are disabled. The failure to create an ADA-compliant website could expose an organization to discrimination lawsuits, financial liabilities, and severe damage to its reputation.

What is the ADA?

The ADA compels certain businesses, including banks, hotels, restaurants, public transit, law firms, and others to make accommodations for people with disabilities. According to the National Law Review, the Act is divided into three parts:

  • Title I prohibits employers from discriminating against employees based on disability and requires them to provide reasonable accommodation to certain employees under specific circumstances.
  • Title II covers state and local governments.
  • Title III covers “places of public accommodation,” which the ADA does not define, but are generally private businesses or organizations that provide goods, services, facilities, privileges, or accommodations to the public. These places commonly include schools, restaurants, health care providers, social service agencies, law firms, and more.

The ADA is commonly associated with physical locations and the accommodations that certain businesses must make for people with disabilities, which include wheelchair accessibility, reserved parking, and service animals. Companies that fall under ADA Title I and operate 20 or more weeks per year with at least 15 full-time employees, or Title III – those that fall under the category of public accommodation – must be ADA-compliant.

Although physical “brick-and-mortar” locations are nearly always considered places of public accommodation, the debate is ongoing as to whether a business’s website is a place of accommodation. If so, the digital content must be accessible to all users.

A law firm website must be designed so that those who are disabled can access it easily to comply with ADA requirements. While there are no well-defined regulations that describe precisely what an ADA-compliant website should include, businesses that fall under ADA Title I or ADA Title III are required to develop a website that offers “reasonable accessibility” to people with disabilities.

Compliance Tools & Plugins

Because the ADA doesn’t offer specific guidelines for website compliance, many organizations follow the Web Content Accessibility Guidelines 2.0 (WCAG), updated to 2.1 in 2018. While WCAG isn’t a legal requirement, its requirements have been followed in the European Union and other nations since 1999 and still serves as a reference for businesses that want to improve accessibility to their website.

Under WCAG 2.1, website accessibility concerns generally fall into four groups. These include issues that are:

  • Perceivable – issues that affect users’ ability to locate and process the information on a website, e.g., many visually-impaired individuals use screen readers to distinguish between the text and the background to help them navigate online content.
  • Operable – challenges that impair users’ ability to navigate a site, e.g., functions and navigations such as online forms should be accessible via keyboard-only commands, and users who need additional time to complete them should be allowed to do so.
  • Understandable – users should be able to comprehend the information on the site, e.g., error messages that provide an explanation and directions for correcting an error should be offered.
  • Robust – can be interpreted by various devices and platforms according to the varying needs and abilities of users, e.g., the alt text that should pop up to let users know what it is when read by assistive technology when they hover over an image.

Here are more suggestions regarding what to include to help ensure ADA website compliance:

  • “Alt” tags for every media file and map
  • Descriptive HTML tags for online forms
  • Hyperlinks with descriptive anchor text
  • “Skip navigation” links on all website pages
  • Heading tags to organize text
  • Accessible PDF files
  • Subtitles, transcripts, and audio descriptions for videos
  • Accessible fonts for all applications
  • HTML tables with column headers, row IDs, and cell information
  • Captions written in English for audio files
  • Call-to-action buttons with easily accessible names and ARIA labels
  • A website accessibility policy
  • Easy to find contact information

Meeting these guidelines will make a firm’s website more accessible to those with vision or hearing impairments, as well as cognitive, language, or learning disabilities.

Court Rulings Regarding Website ADA Compliance

According to the American Bar Association (ABA), the number of accessibility-related lawsuits filed against websites has increased dramatically in recent years. Plaintiffs are basing these lawsuits on two legal theories:

  1. Title IIIs “equal access and general nondiscrimination mandate
  2. A requirement that places of public accommodation must provide auxiliary aids and services as necessary (for no extra charge)

Although neither Title III nor its regulations mention websites and mobile applications, the phase “auxiliary aids and services” includes “accessible electronic and information technology,” which covers websites and mobile apps.

ADA Title III Lawsuits Filed Each Year Graph
Image by Seyfarth via adatitleiii.com

A recent ABA analysis of court filings related to ADA website compliance found:

  • Federal courts across the country were inundated with more than 8,000 website accessibility lawsuits between 2017 and 2020.
  • In 2020, three states – New York, Florida, and California – brought more than 85 percent of all the ADA website compliance lawsuits.
  • Since 2018, website and mobile app accessibility disputes have accounted for approximately 20 percent of all ADA Title III cases initiated in federal courts, which now regularly exceed 10,000 suits each year.

These statistics do not consider a significant number of website and mobile app cases pursued in state courts, cases settled before filing in court, and DOJ enforcement proceedings that are resolved prior to court filing.

Here are some examples of court rulings related to ADA compliance and websites:

Gil v. Winn-Dixie Stores Inc.

In June 2107, a Florida court ruled in favor of a blind plaintiff who brought an ADA violation lawsuit against Winn-Dixie. The man claimed that aspects of the supermarket chain’s site weren’t compatible with screen readers, leaving him unable to order his medications online or download rewards cards. The trial court agreed that the website was inaccessible to those with impaired vision and ordered that it be brought into compliance with the WCAG 2.0 Level AA.

Although Winn-Dixie complied with the court order, in April 2021, the Eleventh Circuit Court of Appeals overturned the trial court’s decision, finding that Winn-Dixie was not in violation of the ADA because it did not need accessibility aids to conduct business. After that, however, Winn-Dixie posted an accessibility statement on its website that commits to adhere to WCAG 2.0 AA by using testers from the disability community to check the accessibility of their website periodically.

Robles v. Domino’s Pizza

Domino’s Pizza lost a website accessibility lawsuit in 2019 after years of exhaustive litigation when a federal district court in California granted the plaintiff’s motion for summary judgment after it determined that the website was indeed not fully accessible. The court ordered Domino’s to make its website compliant with the WCAG 2.0 to connect customers to the goods and services of Domino’s physical restaurants.

The court held that the ADA applied to Domino’s website and app because the Act requires places of public accommodation, like Domino’s, to offer auxiliary aids and services to make visual materials available to blind individuals. Although customers primarily access the Domino’s website and app outside its physical restaurants, the court found that the Act pertains to the services of public accommodation, not services in a place of public accommodation.

Andrews v. Blick Art Materials

In 2017, Victor Andrews, who is blind, filed a lawsuit against Blick Art Materials for website inaccessibility. Andrews alleged that because Blick’s website was inaccessible, he could not navigate and purchase items on the defendant’s website independently. When Blick made a motion to dismiss the lawsuit, Judge Jack Weisenstein denied it and made this statement:

Today, internet technology enables individuals to participate actively in their community and engage in commerce from the comfort and convenience of their home. It would be a cruel irony to adopt the interpretation of the ADA espoused by Blick, which would render the legislation intended to emancipate the disabled from the bonds of isolation and segregation obsolete when its objective is increasingly within reach.

The ruling in this case and others illustrates that businesses need to consider their websites equivalent to a place of public accommodation, which puts them at risk of being sued, even without explicit web accessibility regulations.

Latest DOJ Guidelines

In 2010, the Department of Justice (DOJ) launched a rulemaking process to address ADA requirements for website accessibility, including technical standards for accessible websites. However, that effort stalled for seven years during the Obama administration (even though the administration continued to pursue investigations and enforcement actions against businesses with inaccessible websites).

The Trump administration abandoned the process to interpret the ADA entirely in 2017. In 2018, the DOJ revealed that it would not give official guidance regarding website accessibility under the Act, releasing this statement:

The Department is evaluating whether promulgating regulations about the accessibility of Web information and services is necessary and appropriate. Such an evaluation will be informed by additional review of data and further analysis. The Department will continue to assess whether specific technical standards are necessary and appropriate to assist covered entities with complying with the ADA.

Since the DOJ’s withdrawal, the number of lawsuits involving website accessibility increased dramatically, raising awareness regarding website accessibility among businesses but also causing confusion surrounding what features an ADA-compliant website should include. As a result, numerous website accessibility consulting companies emerged promising inexpensive solutions. However, some have been challenged in court.

In June 2018, some bipartisan members of the U.S. House of Representatives sent a letter to Attorney General Jeff Sessions encouraging the DOJ to release clear website accessibility regulations to diminish the unclear nature of current legislation. On September 25, 2018, the DOJ responded by stating that, at this time, the DOJ would not be issuing web accessibility regulations under the ADA: “The Department has consistently taken the position that the absence of a specific regulation does not serve as a basis for noncompliance with a statute’s requirements.”

In March 2022, the DOJ issued further web accessibility guidance under the ADA. The “new” guidance references both the WCAG – which are voluntary – and Section 508 standards, which set standards for federal websites, and indicates that the DOJ supports the notion that sites of public accommodation must be accessible, and in the absence of explicit regulations, websites can be flexible in how they choose to comply with the ADA’s requirements. However, the guidance does not clarify what such flexibility or choice entails and– not necessarily the direction regulation-seekers are looking for, since it provides no substantially new information regarding the vagueness of website accessibility requirements under the ADA.

Final Thoughts

As accessibility regulations for websites remain unclear, it can be easy for organizations to assume that they cannot be sued for noncompliance. However, with no specific standards to follow, law firms and other businesses must do their best to interpret the ADA, practice website accessibility as they see fit, and try to avoid website accessibility-related lawsuits.

One more thing to consider: ambiguity runs both ways, and even though an organization might think its website is accessible, a disabled person might think otherwise, providing the grounds for a lawsuit. Organizations aren’t granted immunity simply because of a lack of clarity in legislation. Instead, uncertainty allows for interpretation by anyone, including the courts.

This article was authored by Jan Hill of Lawmatics.

For more business of law legal news, click here to visit the National Law Review.

©2022 — Lawmatics

Speaker Pelosi Expresses Concerns With Federal Privacy Bill’s Preemption Provision

On Thursday, House Speaker Nancy Pelosi expressed concerns with certain features of the American Data Privacy and Protection Act (“ADPPA”) and its broad preemption provision, which as currently drafted would override the California Consumer Privacy Act (“CCPA”) and its subsequent voter- approved amendments.  The ADPPA was favorably reported by the House Committee on Energy and Commerce in July by a vote of 53-2.  The bill has not yet been scheduled for a vote on the House floor. Speaker Pelosi “commended” the Energy and Commerce Committee for its efforts, while also praising California Democrats for having “won the right for consumers for the first time to be able to seek damages in court for violations of their privacy rights.”  Speaker Pelosi noted that California leads the nation in protecting consumer privacy and it was “imperative that California continues offering and enforcing the nation’s strongest privacy rights.”

Speaker Pelosi stated that she and others would be working with Chairman Frank Pallone (D-NJ) to address concerns related to preserving  California privacy laws.  Although Speaker Pelosi’s comments cast doubt on the future of the ADPPA, we continue to believe that it will clear the House. We anticipate only modest tweaks to the preemption provision, which must be acceptable to the Republican leadership of the committee for the bill to move forward. As Speaker Pelosi noted, the bill contains a private right of action for consumers—the single most important provision to Republicans in return for strong preemption language. After more than a decade of effort, the Democratic leadership of the House will be hard pressed to let the perfect be the enemy of the really good.

© Copyright 2022 Squire Patton Boggs (US) LLP