What’s New in 5G – February 2023

The next generation of wireless technologies – known as 5G – is expected to revolutionize business and consumer connectivity, offering network speeds up to 100 times faster than 4G LTE, cutting latency to a few milliseconds, and allowing networks to handle 100 times the number of connected devices, enabling the “Internet of Things.”  Leading policymakers – federal regulators and legislators – are making it a top priority to ensure that the wireless industry has the tools it needs to maintain U.S. leadership in commercial 5G deployments.  This blog provides monthly updates on FCC actions and Congressional efforts to win the race to 5G.

Regulatory Actions and Initiatives

Spectrum

  • The FCC grants relief to a 600 MHz licensee serving Tribal Nations, giving it more time to complete and deploy its wireless network.

    • On January 4, 2023, the FCC’s Wireless Telecommunications Bureau (“WTB”) released an Order granting a third request by Pine Cellular Phones, Inc. (“Pine Cellular”) to extend the construction deadline for one of its 600 MHz licenses by one year, from January 9, 2023 to January 9, 2024.  In 2019, Pine Cellular was a winning bidder in the Broadcast Incentive Auction (Auction No. 1002) of two 600 MHz licenses.  After the licenses were awarded, the FCC prohibited the use of Universal Service Fund support for equipment and services deemed to pose a national security risk.  Pine Cellular had planned to meet its construction requirement with that now-prohibited equipment, and it has since been unable to acquire and install equipment from permitted suppliers due, in part, to global supply chain issues.  The WTB granted the request because the only way for Pine Cellular to fulfill its construction requirement is to remove and replace all prohibited equipment in its network, and because terminating the license would not facilitate the provision of wireless broadband service, particularly to the Choctaw Nation, which is covered by Pine Cellular’s license.

  • The FCC grants additional licenses for spectrum in the 2.5 GHz band for commercial wireless services.

    • The WTB released a Public Notice on January 5, 2023, announcing the grant of four additional licenses for spectrum in the 2.5 GHz band, the auction for which concluded on August 29, 2022.  The Public Notice includes lists of the granted licenses sorted by licensee and by market.

  • The FCC takes further action to enable commercial operations through spectrum sharing in the 3.5 GHz band.

    • On January 10, 2023, the WTB and Office of Engineering and Technology (“OET”) released a Public Notice approving the new Environmental Sensing Capability (“ESC”) sensor deployment and coverage plans of Federated Wireless in the 3.5 GHz band.  Federated Wireless is now authorized to operate its ESC sensors, which detect federal incumbent (primarily shipborne radar) activity so that commercial users can be moved off the affected channels, to protect federal incumbents in Alaska.  Among other conditions, it must operate in conjunction with at least one Spectrum Access System (“SAS”) that has been approved for commercial deployment; the SAS manages non-federal access to the 3.5 GHz band.

    • In addition, the WTB and OET released a Public Notice on January 12, 2023, certifying that the SAS operated by RED Technologies SAS (“RED”) has satisfied the FCC’s testing requirements and been approved to begin its initial commercial deployment (“ICD”), subject to certain conditions.  After RED operates its ICD, it is required to submit a report, and assuming that the report is satisfactory, RED will then receive authorization to operate for a five-year term.

  • The FCC revises its framework for making public safety spectrum in the 4.9 GHz band available for commercial wireless services.

    • On January 18, 2023, the FCC released an Order and Further Notice of Proposed Rulemaking establishing rules that provide for a nationwide Band Manager for public safety operations in the 4940-4990 MHz (“4.9 GHz”) band.  The Order replaces the previous framework for the 4.9 GHz band, which allowed states to lease the spectrum to third parties, including commercial entities, through a designated statewide lessor.  The new framework will allow the Band Manager to coordinate all use of the spectrum nationwide, including by making it available for secondary, non-public safety use – such as commercial 5G wireless services – by allowing non-public safety entities to lease unused 4.9 GHz band spectrum.  The Further Notice seeks comment on implementing the new leasing framework and selecting the Band Manager.  Comments and reply comments on the Further Notice will be due 30 days and 60 days, respectively, after publication in the Federal Register.

Other Agency Actions

  • The Federal Aviation Administration proposes requirements to help foster coexistence between 5G operations in the C-band and aircraft relying on radio altimeters.

    • On January 22, 2023, a Notice of Proposed Rulemaking issued by the Federal Aviation Administration (“FAA”) was published in the Federal Register.  The Notice proposes to update the FAA’s existing Airworthiness Directive (“AD”) addressing the coexistence of licensees of spectrum in the 3.7-4.2 GHz band (“C-band”) and radio altimeters.  Specifically, the FAA proposes interference tolerance requirements for radio altimeters, expressed in terms of the C-band power spectral density an altimeter must withstand, and would require that transport and commuter category airplanes operating under its rules be equipped with altimeters meeting those requirements in order to operate in the contiguous U.S. after February 2, 2024.  The FAA has determined that airplanes with tolerant radio altimeters will not experience unsafe conditions at any airport identified by the FAA as a 5G market.  It has also determined that a 5G C-band provider that maintains the mitigation measures, which are based on the power levels to which Verizon and AT&T previously agreed, will not affect the safety of transport and commuter airplanes whose radio altimeters meet the interference tolerance requirements.  The FAA will assess any changes to the agreed-upon power levels.  Comments on the FAA’s proposals are due February 10, 2023.

  • The Department of Defense seeks comment on developing a spectrum roadmap.

    • On January 4, 2023, the Department of Defense (“DoD”) released a Request for Information seeking input to support the development of a Next-Generation Electromagnetic Spectrum Strategic Roadmap, which Congress requested of DoD in a June 2022 letter.  Among other things, DoD requests input on its ability to use commercial systems for its operations and spectrum sharing.  The deadline for providing input is February 10, 2023 at 2:00 pm ET.

5G Networks and Equipment

  • The FCC reminds rip-and-replace funding recipients of their reporting obligations.

    • On January 11, 2023, the FCC’s Wireline Competition Bureau released a Public Notice reminding recipients of funding from the FCC’s Secure and Trusted Communications Networks Reimbursement Program (the “rip-and-replace” program for removing and replacing equipment that poses a national security risk) of their obligation to file Reimbursement Program spending reports.  The spending reports, which, among other things, must include a detailed accounting of the covered equipment and services that have been removed and replaced, are due by February 10, 2023.

©1994-2023 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

NIST Releases New Framework for Managing AI and Promoting Trustworthy and Responsible Use and Development

On January 26, 2023, the National Institute of Standards and Technology (“NIST”) released the Artificial Intelligence Risk Management Framework (“AI RMF 1.0”), which provides a set of guidelines for organizations that design, develop, deploy or use AI to manage its many risks and promote trustworthy and responsible use and development of AI systems.

The AI RMF 1.0 provides guidance as to how organizations may evaluate AI risks (e.g., intellectual property, bias, privacy and cybersecurity) and trustworthiness. The AI RMF 1.0 outlines the characteristics of trustworthy AI systems, which are valid, reliable, safe, secure, resilient, accountable, transparent, explainable, interpretable, privacy enhanced and fair with their harmful biases managed. It also describes four high-level functions, with associated actions and outcomes to help organizations better understand and manage AI:

  • The Govern function addresses the policies, processes and procedures an organization uses to manage AI risk, including compliance with legal and regulatory requirements and transparent, trustworthy implementation of AI technologies.
  • The Map function provides context for organizations to frame risks relating to AI systems, including AI system impacts and interdependencies.
  • The Measure function uses quantitative, qualitative or mixed-method tools, techniques and methodologies to analyze, benchmark and monitor AI risk and related impacts, including tracking metrics to determine trustworthy characteristics, social impact and human-AI configurations.
  • The Manage function entails allocating risk resources to mapped and measured risks consistent with the Govern function. The Manage function includes determining how to treat risks and develop plans to respond to, recover from and communicate about incidents and events.

NIST released a draft AI Risk Management Framework Playbook to accompany the AI RMF 1.0. NIST plans to release an updated version of the Playbook in the Spring of 2023 and launch a new Trustworthy and Responsible AI Resource Center to help organizations put AI RMF 1.0 into practice. NIST has also provided a Roadmap of its priorities to advance the AI RMF.

Copyright © 2023, Hunton Andrews Kurth LLP. All Rights Reserved.

University of Texas at Austin Permanently Blocks TikTok on Network

On Tuesday, January 17, 2023, the University of Texas at Austin announced that it has blocked TikTok access across the university’s networks. According to the announcement to its users, “You are no longer able to access TikTok on any device if you are connected to the university via its wired or WIFI networks.” The measure was in response to Governor Greg Abbott’s December 7, 2022, directive to all state agencies to eliminate TikTok from state networks. Following the directive, the University had already removed TikTok from university-issued devices, including cell phones, laptops and workstations.

Copyright © 2023 Robinson & Cole LLP. All rights reserved.


Another Lesson for Higher Education Institutions about the Importance of Cybersecurity Investment

Key Takeaway

A Massachusetts class action claim underscores that institutions of higher education will continue to be targets for cybercriminals – and class action plaintiffs know it.

Background

On January 4, 2023, in Jackson v. Suffolk University, No. 23-cv-10019, Jackson (Plaintiff) filed a proposed class action lawsuit in the U.S. District Court for the District of Massachusetts against her alma mater, Suffolk University (Suffolk), arising from a data breach affecting thousands of current and former Suffolk students.

The complaint alleges that an unauthorized party gained access to Suffolk’s computer network on or about July 9, 2022.  After learning of the unauthorized access, Suffolk engaged cybersecurity experts to assist in an investigation. Suffolk completed the investigation on November 14, 2022.  The investigation concluded that an unauthorized third party gained access to and/or exfiltrated files containing personally identifiable information (PII) for students who enrolled after 2002.

The complaint further alleges that the PII exposed in the data breach included students’ full names, Social Security numbers, driver’s license numbers, state identification numbers, financial account information, and Protected Health Information.  While Suffolk did not release the total number of students affected by the data breach, the complaint alleges that approximately 36,000 Massachusetts residents were affected.  No information was provided about affected out-of-state residents.

Colleges and Universities are Prime Targets for Cybercriminals

Unfortunately, Suffolk’s data breach is not an outlier.  Colleges and universities present a wealth of opportunities for cybercriminals because they house massive amounts of sensitive data, including employee and student personal and financial information, medical records, and confidential and proprietary research data, often spread across decentralized departmental systems.  Given how readily stolen data can be sold through open and anonymous forums on the Dark Web, colleges and universities will remain prime targets for cybercriminals.

Recognizing this, the FBI issued a warning for higher education institutions in March 2021, informing them that cybercriminals were targeting institutions of higher education with ransomware attacks (the alert focused on the PYSA ransomware family).  In May 2022, the FBI issued a second alert, warning that compromised credentials of U.S. college and university users were being advertised for sale on criminal forums, giving attackers a ready foothold for further intrusions.

Suffolk Allegedly Breached Data Protection Duty

In the complaint, Plaintiff alleges that Suffolk did not follow industry and government guidelines to protect student PII.  In particular, Plaintiff alleges that Suffolk’s failure to protect student PII constitutes an unfair practice prohibited by Section 5 of the Federal Trade Commission Act, 15 U.S.C.A. § 45, and that Suffolk failed to comply with the Financial Privacy Rule of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C.A. § 6801.  Further, the suit alleges that Suffolk violated the Massachusetts Right to Privacy Law, Mass. Gen. Laws Ann. ch. 214, § 1B, as well as its common law duties.

How Much Cybersecurity is Enough?

To mitigate cyber risk, colleges and universities must not only follow applicable government requirements but also consider adopting industry best practices to protect student PII.

In particular, the GLBA Safeguards Rule, which applies to colleges and universities because they administer federal student financial aid, requires a covered organization to designate a qualified individual to oversee its information security program and to conduct written risk assessments that continually evaluate internal and external risks to the security, confidentiality and integrity of personal information.  After the risk assessment, the organization must address the identified risks and document the specific safeguards intended to address those risks.  The amended Safeguards Rule, whose remaining provisions take effect June 9, 2023, also prescribes specific technical controls, including access controls, encryption of customer information in transit and at rest, multifactor authentication for anyone accessing customer information, secure disposal, continuous monitoring or periodic penetration testing and vulnerability assessments, and a written incident response plan.  See 16 CFR § 314.4.

Suffolk, as well as other colleges and universities, may also want to look to Massachusetts law for guidance about how to further invest in its cybersecurity program.  Massachusetts was an early leader among U.S. states when it enacted Mass. Gen. Laws ch. 93H in 2007 and, under § 2 of that statute, promulgated the “Standards for the Protection of Personal Information of Residents of the Commonwealth,” 201 CMR 17.00 (Data Security Regulations), which took effect in 2010.  The Data Security Regulations – still among the most prescriptive general data security rules at the state level – require every organization holding personal information of Massachusetts residents to maintain a written information security program (WISP) and set forth a list of minimum requirements that, while not specific to colleges and universities, serves as a good cybersecurity checklist for all organizations:

  1. Designation of one or more employees responsible for the WISP.
  2. Assessment of risks to the security, confidentiality and/or integrity of personal information and of the effectiveness of the current safeguards for limiting those risks, including ongoing employee and independent contractor training, compliance with the WISP, and tools for detecting and preventing security system failures.
  3. Employee security policies relating to protection of personal information outside of business premises.
  4. Disciplinary measures for violations of the WISP and related policies.
  5. Access control measures that prevent terminated employees from accessing personal information.
  6. Management of service providers that access personal information as part of providing services directly to the organization, including retaining only service providers capable of protecting personal information consistent with the Data Security Regulations and other applicable laws, and requiring service providers by contract to implement and maintain appropriate measures to protect personal information.
  7. Physical access restrictions for records containing personal information and storage of those records in locked facilities, storage areas or containers.
  8. Regular monitoring of the WISP to ensure that it is preventing unauthorized access to or use of personal information, and upgrading the WISP as necessary to limit risks.
  9. Review of the WISP at least annually, or more often if business practices that relate to the protection of personal information materially change.
  10. Documentation of responsive actions taken in connection with any “breach of security” and mandatory post-incident review of those actions to evaluate the need for changes to business practices relating to protection of personal information.

The Data Security Regulations also impose minimum computer system security requirements (201 CMR 17.04), including secure user authentication and access controls, encryption of personal information transmitted across public networks or wirelessly and of personal information stored on laptops and portable devices, reasonably up-to-date patching and malware protection, firewall protection, and monitoring of systems for unauthorized use of or access to personal information.  An organization that decides not to implement any of these controls should document the decision-making process as a defensive measure.  By implementing these requirements and recommendations, colleges and universities can best position themselves to thwart cybercriminals and plaintiffs alike.

© Copyright 2023 Squire Patton Boggs (US) LLP

The Scope of Attorney-Client Privilege Over Dual-Purpose Communications

The Supreme Court will evaluate the scope of attorney-client privilege when applied to communications shared between counsel and client that involve both legal and non-legal advice (“dual-purpose communications”). The decision of the highest court will have long-lasting implications for both business organizations and their retained counsel. The potential significance of this case cannot be overstated.

In this matter, the grand jury issued subpoenas to an anonymous law firm seeking documents related to the government’s investigation of the firm’s client. The law firm had provided both legal and business services to the client by advising on tax-related legal issues and preparing the client’s annual tax returns. When the law firm and client (“Petitioners”) withheld certain correspondence on the grounds that they were protected by attorney-client privilege and the work-product doctrine, the government moved to compel the production of those documents. The district court held that, while the correspondence contained a “dual-purpose,” they were not protected by attorney-client privilege because the primary purpose of the correspondence was to obtain business tax advice and not legal advice.

On appeal, Petitioners argued that the appellate court should apply the “because of” test rather than the “primary purpose” test. The “because of” test asks whether the dual-purpose correspondence was made because of a need for legal advice. The application of this test would expand the scope of attorney-client privilege and protect the correspondence at issue. The Ninth Circuit Court of Appeals, however, rejected Petitioners’ argument and affirmed the district court’s decision. Petitioners appealed the Ninth Circuit’s decision, and the Supreme Court granted certiorari on October 3, 2022.

The Supreme Court’s decision in In re Grand Jury, No. 21-1397, will be of particular significance for in-house counsel who regularly provide both business and legal advice to their employers. For outside counsel, the outcome of this case will shed light on the standard to be applied for asserting privilege over dual-purpose communications. Oral argument took place at the Supreme Court on January 9, 2023.


© Polsinelli PC, Polsinelli LLP in California

IP Rights in Virtual Fashion: Lessons Learned in 2022 and Unanswered Questions

There was a lot of talk and much hype about the “metaverse” in 2022. While some were skeptical and stayed on the sidelines to watch, many companies began offering virtual counterparts to their real-world products for use by avatars in the metaverse, including virtual clothing and accessories. For example, Tommy Hilfiger live-streamed a virtual fashion show on Roblox as part of the New York Fashion Week, and Decentraland hosted a Metaverse Fashion Week. Many companies also introduced NFTs into fashion product lines, such as Alo’s NFT offering.

The emergence of virtual goods has generated novel questions about how to protect and enforce IP rights in virtual fashion, and how those strategies might differ from IRL (meaning “in real life”) fashion. Although many questions remain unanswered, this article sets out important considerations for how companies might use various IP laws to protect virtual fashion goods in the United States.

I. DISTINCTIONS BETWEEN VIRTUAL FASHION AND IRL FASHION

Before diving into the IP discussion, it’s worth highlighting some distinctions between virtual fashion and IRL fashion outside the legal context, beyond the obvious fact that virtual fashion is worn by avatars. IRL clothing and accessories are worn primarily for protection against the elements, to conform to societal standards, to conform with a specific event’s dress requirements, to communicate via express messages on clothing or accessories, or to express oneself through the style or design of the clothing.

Virtual fashion can also serve each of those purposes for an avatar, and in some cases the person behind the avatar. But, because it is comprised of software code, the possibilities for virtual fashion utility are endless. For example, a particular piece of virtual clothing can also grant access to certain virtual spaces or events or give the avatar special powers within virtual worlds. If tied to an NFT (non-fungible token), virtual clothing can also provide benefits on and off virtual platforms, including exclusive access to sales promotions and IRL events.

Unlike IRL clothing, however, virtual fashion items currently face compatibility limitations, as the ability to use any virtual fashion item across all virtual platforms is unlikely.

To muddy the waters, as virtual and augmented reality technologies are becoming more popular, they can blur the lines between IRL and virtual fashion. For example, an IRL sweatshirt, when viewed through an appropriate lens, could feature virtual components.

II. IP PROTECTION FOR VIRTUAL FASHION

Because there are no IP laws specific to virtual fashion items, we must seek protection from laws that have traditionally applied to real-life clothing, namely, trademark, trade dress, copyright, and design patent. But the application of these laws can sometimes differ in the virtual context. Each is addressed below.

A. TRADEMARK

Trademark law protects source identifiers such as words, names, logos, and slogans. Obtaining trademark rights specifically in virtual goods, whether acquired through use in commerce or federal registration, is generally straightforward and similar to marks covering IRL fashion. This is evidenced by many marks that were registered in 2022 and specifically cover virtual goods.

That said, even if a company does not have trademark coverage specifically for its virtual goods, the owner of a trademark covering IRL fashion items should have strong arguments that such trademark rights extend to their virtual counterparts. To that point, the U.S. Patent & Trademark Office (USPTO) has refused registration of marks covering virtual goods and services based on prior registrations for the identical marks covering the corresponding IRL goods and services. See, e.g., the refusals of Application No. 97112038 for the mark GUCCI and Application No. 97112054 for the mark PRADA, each of which were filed by parties unrelated to the famous brands.

However, for purposes of enforcement outside of the USPTO context, if a defendant’s goods are virtual, it would have a stronger argument that such goods are not commercial products, but rather expressive works protected by the First Amendment. If a court accepts such an argument, it must then weigh the plaintiff’s trademark rights against the defendant’s First Amendment right of free expression, meaning it would be more challenging for a brand owner to enforce its trademark rights.

In this regard, please see our earlier alert regarding the Hermès v. Rothschild case, in which the court deemed NFTs tied to images of bags called “MetaBirkins” subject to First Amendment protection. [1] In denying Rothschild’s motion to dismiss, the court acknowledged in a footnote that virtually wearable bags (i.e., as opposed to virtual fashion that is displayable but not wearable) might not be afforded First Amendment protection. But we suspect defendants will argue even virtually wearable items should be afforded First Amendment protection, especially given that video games have received such protection. [2]

On balance, companies should consider seeking federal trademark registration specifically for virtual goods and services, for a few reasons:

More direct coverage could help a company in an enforcement action against infringing virtual goods, even if the defendant successfully argues it should be entitled to First Amendment protection. For instance, if the plaintiff has direct coverage for virtual goods, it may be easier to prove the defendant’s use of the mark was “explicitly misleading” under the Rogers test. [3]

Certain platforms featuring virtual fashion items may only honor a takedown request if the complainant company has a federal registration covering goods that are the same or nearly identical to the allegedly infringing virtual goods.

The registration will provide a presumption of valid trademark rights nationwide, and it may serve as a deterrent to third parties wishing to use confusingly similar marks in virtual worlds.

B. TRADE DRESS

U.S. trademark law also protects certain source-identifying elements of a product’s aesthetic design, configuration/shape, and packaging, often referred to as “trade dress.” To obtain trade dress protection, such elements must be (1) non-functional and (2) distinctive (either inherently or acquired through use). There are a couple of interesting nuances with respect to acquiring trade dress protection in the virtual context.

First, although we have not yet seen any case law specifically addressing this, companies will likely have stronger arguments that virtual shape or design elements (as opposed to IRL elements) are non-functional. Specifically, the non-functionality requirement means the relevant elements must not be essential to the use or purpose or affect the cost or quality of the article. For real-life fashion items, this can be difficult to meet due to the inherently functional nature of many aspects of clothing or accessories. However, because virtual fashion items are essentially software code with endless possibilities, in many instances the fashion item will not require any particular design or shape to function.

Second, some virtual fashion items could receive more favorable treatment from a distinctiveness perspective. The distinctiveness requirement has historically been a difficult barrier for protecting IRL fashion. Specifically, case law prior to 2022 established that, while packaging can sometimes be inherently distinctive, product design and configuration/shape can never be, meaning companies must prove such elements have acquired distinctiveness. Proving acquired distinctiveness is burdensome because the company must have used the elements extensively, substantially exclusively, and continuously for a period of time. Often, by the time a company can acquire distinctiveness in the design, the design is no longer in style. Or, if a design is popular and copied by third parties, it can be difficult for the company to claim it used the design substantially exclusively.

If, however, a virtual fashion item provides the user with benefits that go beyond merely outfitting the avatar, such as by providing access to other products or services, one might argue that those items should be construed as packaging, or some new category of trade dress, for such other products or services, in which case the elements could possibly be deemed inherently distinctive with respect to those other products or services.

That said, if a company already has trade dress protection for IRL fashion goods, it should have good arguments that the protection extends to any virtual counterpart. On the flip side, given the difficulties companies typically face in seeking trade dress protection in IRL fashion, to the extent a company can obtain trade dress protection in a virtual counterpart more easily, perhaps it can argue that the rights in the virtual goods should also extend to the physical counterpart. Or, if a company introduces a physical design and virtual design simultaneously, it could possibly acquire distinctiveness in both sooner, as the simultaneous use would presumably create greater exposure to more customers and reinforce the source-identifying significance of the claimed elements.

With respect to enforcement, as with traditional marks, defendants are more likely to raise a successful First Amendment defense for any virtual products allegedly infringing trade dress. The Hermès case is again an example: Hermès alleged infringement of both its BIRKIN word mark and the trade dress rights in the design of its handbags, and the court held that the defendant’s MetaBirkin NFTs were entitled to First Amendment protection.

Finally, although obtaining trade dress protection is typically more difficult than obtaining trademark protection for traditional marks such as words and logos, companies should also consider seeking registration for trade dress in virtual goods, particularly for important designs that are likely to carry over from season to season, for the same reasons discussed in the trademark section above.

C. COPYRIGHT

Copyright protects original works of authorship that contain at least a modicum of creativity, which is a relatively low bar. However, copyright does not protect useful articles. In effect, for IRL fashion items, copyright generally extends only to those designs that would be entitled to copyright protection if they were extracted or removed from the clothing or viewed on a different medium, and not to the shape of the fashion item itself.

Like trade dress protection, copyright protection should provide companies with greater protection for virtual fashion items than would be available for IRL items, particularly because the software behind the virtual fashion can theoretically create an infinite number of clothing shapes that are creative and not necessarily “useful.” Nonetheless, if a virtual clothing item is merely shaped like its IRL counterpart that lacks originality (e.g., a virtual t-shirt shaped like a basic real-life t-shirt), it may also fail to qualify for copyright protection based on a lack of creativity.

Unlike trade dress protection, however, copyright protection arises immediately upon creation of the work and its fixation in a tangible medium of expression, so it can be a useful tool for protecting virtual fashion without having to spend the time and resources required to seek registration as trade dress and establish acquired distinctiveness.

In addition, unlike IRL fashion, a separate copyright protects the underlying source code for virtual clothing items, which could provide owners with an additional, though likely limited, claim against unauthorized source code copycats.

A copyright registration will provide owners with the ability to sue for copyright infringement, but companies should balance:

  • the benefits of seeking potentially broader copyright protection in virtual fashion items (apart from the code) than would be available for IRL items against the risk of conceding that virtual fashion items are works of art entitled to First Amendment protection, which would make trademark and trade dress enforcement more difficult; and
  • the benefits of obtaining a copyright registration for source code against the benefits of keeping the source code secret (although the Copyright Office permits some redactions, significant portions of the code must be deposited into the public record).

We are unaware of any 2022 case law specifically addressing copyright in virtual fashion. However, the following cases are worth watching:

  • Andy Warhol Found. for Visual Arts, Inc. v. Goldsmith[4]: In October 2022, the U.S. Supreme Court heard arguments regarding whether Andy Warhol’s “Prince Series” silk screen prints and pencil drawings based on a photograph infringed the photographer’s copyright, or whether they were sufficiently “transformative” to constitute fair use. The outcome of this case could affect a copyright owner’s ability to enforce copyrights against unauthorized digital reproductions of its work, especially if the original work is fixed in a physical medium (e.g., enforcing copyright in a physical clothing item against a third party’s digital reproduction).
  • Thaler v. Perlmutter[5]: Filed in June 2022, the plaintiff is suing the U.S. Copyright Office for refusing registration of an AI-created image because there was no human author. The outcome of this case will necessarily implicate virtual fashion incorporating any AI-generated work.

D. DESIGN PATENT

Design patents protect the ornamental appearance or look of a unique product. Specifically, they protect any new, original, and ornamental design for an article of manufacture. Traditionally, this law was interpreted to require that the article of manufacture is a physical or tangible product. Thus, in the fashion industry for example, one can file a design patent application directed to a unique shoe, handbag, or jewelry design. Historically, an image or picture would not qualify for design patent protection.

However, the USPTO is currently assessing design patents with respect to new technologies such as projections, holograms, and virtual and augmented reality. In December 2020, the USPTO issued a request for public comment regarding a potential rule change to the “article of manufacture” requirement and whether U.S. law should be revised to protect digital designs. Public opinion was mixed, and in April 2022, the USPTO issued a summary of this requested information.

Although the USPTO has not yet formally revised the rules, it has issued guidelines over the years that provide examples of non-physical products that could be protected by a design patent, suggesting changes may ultimately be coming to U.S. design patent law. For example, in 1995, the USPTO released guidelines for design patent applications claiming computer-generated icons. In general, to be eligible for protection, the computer-generated icon must be embodied in a computer screen monitor, or other display monitor. The USPTO has also issued guidance allowing type font to be protectable by design patents. However, it is still unclear whether the USPTO will set forth design patent guidance specific to digital designs or virtual fashion.

Notwithstanding the possibility of obtaining a design patent specifically on such virtual goods, courts have been reluctant to find that a virtual product infringes the design patent for an IRL product. For example, in 2014, in P.S. Products, Inc. v. Activision Blizzard, Inc.,[6] P.S. Products accused Activision of infringing its design patent directed to a stun gun by depicting a virtual weapon in its video game that P.S. Products claimed resembled its patent-protected IRL product.

The court found there was no infringement because “no ordinary observer would be deceived into purchasing a video game believing it to be plaintiffs’ patented stun gun.” This case may have come out differently if the virtual gun was sold separately from the video game and could be used across various platforms rather than being one component of a particular video game. Although there are still software compatibility restrictions for virtual goods, portability of virtual goods is likely to grow as technology evolves and companies respond to consumer demands.

While we wait for further USPTO guidance that ultimately may have application to virtual fashion, parties seeking design patent protection may consider simultaneously filing one application to protect the work as a digital design on a display screen, like a patentable computer-generated icon, and a second, traditional design patent application to protect the design as a tangible product. That said, companies should consider other options for protecting any designs created by AI, as the Federal Circuit Court of Appeals held in 2022 that AI cannot qualify as an inventor for purposes of obtaining a patent.[7]

III. Virtual Fashion in Practice

Contracts relating to virtual fashion are analogous to contracts for IRL fashion and should be structured accordingly. For instance, companies should ensure that contracts with IP contributors include an assignment of all IP rights, or at least a sufficiently broad license. In the virtual context, this includes rights to the software code itself. Likewise, downstream licensing should generally address ownership, licensee rights, and if applicable, confidentiality for any trade secrets in the source code. In addition, for both IP contributors and licensees, if AI software is used in any part of the creative process, companies should give thought to allocation of ownership.

In addition, some designers or marketing teams may prefer to encourage a brand’s customer base to copy its designs or create derivative works. Although this seems counterintuitive (especially to an IP lawyer), many players in the Web3 space encourage others to build off their own designs. For example, the Bored Ape Yacht Club (BAYC), known for issuing NFTs tied to images of apes, grants owners of its NFTs the rights to use the images of apes, including for commercial purposes.[8] For example, one purchaser of a Bored Ape NFT created a Bored Ape-themed restaurant.

In the virtual fashion context, if a marketing team wants customers to build off the brand’s virtual designs but wants to retain ownership of its own designs (and perhaps derivatives), it should implement standard licensing terms relating to ownership, customer licensee rights, and other provisions. However, it’s important to consider how the terms are presented and how customers indicate assent to maximize the prospects of enforceability.

From a business perspective, companies can also now use NFTs and smart contracts to receive automatic royalties in any downstream sales or licenses. And because NFTs use blockchain technology, which provides an immutable chain of title, third parties will be able to trace such designs to the original source. This means companies can encourage the sharing of designs and receive royalties in connection with the downstream licensing of designs tied to NFTs, and third parties can confirm that the designs are legitimate by reviewing the relevant blockchain ledger. Accordingly, although encouraging customers to use the brand’s designs may not be a model for every brand, there are some steps brands can take to protect the IP rights associated with them and reap financial benefits.

As virtual fashion items become more popular, companies are faced with uncertainties and novel questions regarding how to protect and enforce their IP rights. In 2022, some questions were answered, but many more remain open. Therefore, it is important to discuss strategies for protecting innovative virtual fashion with IP counsel.

FOOTNOTES

[1] Notably, on December 30, 2022, the Hermès court denied both parties’ motions for summary judgment, with an opinion to follow by January 20. A jury trial is scheduled to begin on January 30, 2023. Hermès International, et al. v. Mason Rothschild, 1:22-cv-00384-JSR (S.D.N.Y.).

[2] See, e.g., AM Gen. LLC v. Activision Blizzard, Inc., 450 F. Supp. 3d 467, 485 (S.D.N.Y. 2020).

[3] If a defendant’s unauthorized use of a mark is protected by the First Amendment, many courts use the Rogers test to balance the plaintiff’s trademark rights with the defendant’s First Amendment right of expression. This test looks at whether the defendant’s use of the plaintiff’s mark was artistically relevant and, if so, whether it was explicitly misleading. Rogers v. Grimaldi, 875 F.2d 994 (2d Cir. 1989).

[4] 11 F.4th 26 (2d Cir. 2021), cert. granted, 142 S. Ct. 1412 (2022).

[5] Case No. 1:22-cv-01564 (D.D.C.).

[6] 140 F. Supp. 3d 795, 802 (E.D. Ark. 2014).

[7] Thaler v. Vidal, 43 F.4th 1207, 1213 (Fed. Cir. 2022).

[8] We will save for another day a discussion of the recent lawsuit against BAYC and many celebrities for failing to disclose financial incentives when promoting the BAYC NFT collection, and instead focus here on IP protection. Adonis Real, et al., v. Yuga Labs, Inc., et al., 2:22-cv-08909 (C.D. Cal.). But companies should also ensure that influencers properly disclose any incentives and other material connections.


©2023 Pierce Atwood LLP. All rights reserved.

Top Legal News of 2022: A Review of the Most Notable and Newsworthy Thought Leadership from the National Law Review’s Contributors

Happy New Year from the National Law Review! We hope that the holiday season has been restful and rejuvenating for you and your family. Here at the NLR, we are wrapping up the second season of our legal news podcast, Legal News Reach. Check out episode seven here: Creating A Diverse, Equitable and Inclusive Work Environment with Stacey Sublett Halliday of Beveridge & Diamond! A few weeks ago, we also announced the winners of our 2022 Go-To Thought Leadership Awards! Each year, around 75 recipients are selected for their timely and high-quality contributions to the National Law Review. This year’s slate of winners was particularly competitive – to see the full list, check out our 2022 National Law Review Thought Leadership Awards page.

As we look forward to a bright and busy 2023 for the legal industry, it is more prudent than ever to review the previous year and all that came with it. 2022 was a chaotic and monumental year for not only the legal profession, but for the world at large. The invasion of Ukraine, global supply chain issues, and the ongoing coronavirus pandemic were only some of the many challenges all industries and sectors faced. In the United States, companies and employers dealt with enormous changes at every level, including but not limited to the reversal of Roe v. Wade, shifting attitudes toward cannabis legalization, and ever-changing standards for COVID-19 vaccinations.

Read on below for some thought leadership highlights from this past year, and for a reminder of all that we’ve passed through in 2022:

January

Most prominently in 2022, the US Supreme Court handed down substantial rulings on coronavirus vaccine mandates, which affected not only healthcare workers but all employers across the country. With a 6-3 majority, SCOTUS stayed the Biden Administration’s OSHA Emergency Temporary Standard that applied to all private employers, but simultaneously ruled, in a 5-4 unsigned majority opinion, that vaccine mandates for medical facilities and medical workers can remain.

January also saw noteworthy changes to labor law in the United States, inviting a handful of significant standard changes for all employers. At the end of 2021 and early in 2022, the NLRB considered cases that altered the standard for determining independent contractor status, as well as the standard that established whether a facially neutral work rule violates Section 8(a)(1) of the National Labor Relations Act. These changes also paved the way for briefings on determining appropriate bargaining units.

Read January 2022’s thought leadership focusing on Labor and Employment law and the related Supreme Court rulings below for more information:

Supreme Court Stays Private Vaccine Mandate; Upholds Requirement for Certain Healthcare Workers

On Again, Off Again Vaccine Mandates: What Should Employers Do Now?

NLRB Rings in the New Year by Inviting Briefing on Multiple, Far-Reaching Standards Impacting Employers

February

On February 24, 2022, Russia launched a large-scale ground invasion of Ukraine, leading to considerable damage and loss of life and throwing the geopolitical landscape into chaos. Both in February and in the months since, the Russia-Ukraine war has placed an extraordinary strain on the global supply chain and businesses around the world, as the European Union, the United Kingdom, and the United States have continued to enforce sanctions and trade regulations. Companies must be careful to comply with these orders as the political landscape continues to change, and must learn how to juggle the dual headaches of the lingering COVID crisis and the evolving war in Ukraine.

Domestically, President Biden nominated Ketanji Brown Jackson to the US Supreme Court. Succeeding Justice Stephen Breyer, Judge Jackson graduated magna cum laude from Harvard University in 1992 and cum laude from Harvard Law in 1996 and has since served as a judge on the U.S. Court of Appeals for the District of Columbia Circuit. She is the first African American woman to serve on the United States’ highest court of law.

Read select thought leadership articles below for more information:

President Biden Nominates D.C. Circuit Judge Ketanji Brown Jackson to U.S. Supreme Court

Russian Invasion of Ukraine Triggers Global Sanctions: What Businesses Need to Know

Consequences from the Ukrainian Conflict

March

March of 2022 saw the long-term impacts from the military conflict in Ukraine emerge locally and around the world. Sanctions continued to affect businesses, leading to global supply chain slowdowns, difficulties in manufacturing and shipping, and new immigration changes and challenges. In the US, the Securities and Exchange Commission (“SEC”) issued new and noteworthy regulations regarding Environmental, Social & Corporate Governance (“ESG”) and climate change disclosures for public companies. The Supreme Court also heard oral argument in a large slate of cases, perhaps most notably in ZF Auto. US v. Luxshare, Ltd. and AlixPartners v. The Fund for Prot. of Inv. Rights in Foreign States, which concerned the reach of 28 U.S.C. § 1782 (“Section 1782”) in seeking US-style discovery from an interested party to a foreign proceeding and whether or not Section 1782 can be used to obtain key information for private international arbitrations.

Read key thought leadership articles published in March for more details:

SEC Issues Long-Awaited Proposed Rule on Climate Disclosures

U.S. Supreme Court Hears Oral Argument on Circuit Split Over Scope of 28 U.S.C. § 1782 for Obtaining Discovery in International Arbitrations

The Effects of the Military Conflict in Ukraine on Supply Contracts

April

In April of 2022, the Biden Administration made notable changes to the National Environmental Policy Act, better known as NEPA, which had been substantially altered under the Trump Administration. A number of key provisions were returned to their pre-Trump state in order to better center the administration’s larger focus on environmental justice. Also of note, a US court for the first time struck down the Centers for Disease Control and Prevention’s (“CDC’s”) travel mask mandate, on the grounds that it exceeded the CDC’s statutory authority under the Administrative Procedure Act (the “federal APA”). This ultimately led to the vacating of the COVID travel mask mandate on a nationwide basis.

Elon Musk announced his intention to purchase Twitter in April of 2022, as well. Twitter ultimately adopted a shareholder rights plan, known as a poison pill, in hopes of preventing Musk’s hostile takeover. Poison pills are widely regarded as an effective but draconian anti-takeover defense.

Read select thought leadership articles below for more information:

Biden Administration Walks Back Key Trump Era NEPA Regulation Changes

Twitter Board of Directors Adopts a Poison Pill

Administrative Law Takeaways from the Federal Travel Mask Mandate Decision

May

On May 17th, the first case of Monkeypox in the United States was reported in Massachusetts. In response, the Environmental Protection Agency (“EPA”) and the federal government implemented a number of policy changes in hopes of preventing a wider spread, including the speedy authorization of anti-Monkeypox claims for certain registered pesticides and disinfectant products.

The SEC and administrative law at large received a considerable blow after the Fifth Circuit’s ruling in Jarkesy v. SEC. The Fifth Circuit held that the SEC’s in-house courts violated a series of constitutional protections, which may have far-reaching impacts on how administrative bodies are used to regulate in the future. Additionally in May, the Senate confirmed Commissioner Alvaro Bedoya to the Federal Trade Commission (“FTC”), shifting the balance of power at the Commission back in favor of the Democratic Party.

Read the following highlighted thought leadership articles published in May for more information:

EPA Authorizes Anti-Monkeypox Claims for Pre-Designated Disinfectant Products

Fifth Circuit Holds That SEC Administrative Law Courts Are Unconstitutional

Big News at The FTC: Democrats Finally Get the Majority Back

June

In June of 2022, the Supreme Court released its decision in Dobbs v. Jackson, reversing Roe v. Wade’s 50-year precedent of ensuring abortion as a protected right. Dobbs is a momentous decision and has resulted in a myriad of complex issues for employers, healthcare providers and individuals, including the updating of employee policies, healthcare provisions, ethical and criminal considerations for healthcare providers and the protection of personal data, and ultimately represents a massive shift away from women’s bodily autonomy in the United States. The partial advance leak of the Dobbs ruling added to the myriad of concerns about the stability and public perception of the Supreme Court.

Other notable litigation and legislation in June included the passing of the Uyghur Forced Labor Prevention Act, subjecting the importers of raw materials from China to new enforcement provisions. The Supreme Court also ruled in West Virginia v. EPA, limiting the SEC’s ability to enforce ESG requirements on public companies. The West Virginia v. EPA ruling presents a considerable obstacle for the Biden Administration’s ongoing climate goals.

Read select legal news articles below for more information:

Employment Law This Week: SCOTUS Overturns Roe v. Wade – What Employers Should Consider [VIDEO]

Uyghur Forced Labor Prevention Act Enforcement Starts on Imports from China and on Imports with China Origin Inputs

Implications of West Virginia v. EPA on Proposed SEC Climate Rules

July

July of 2022 saw a great deal of changes to the Equal Employment Opportunity Commission’s (“EEOC’s”) COVID testing guidance for employers. The largest change concerns determining whether testing is needed to prevent workplace transmission and interpreting the business necessity standard under the Americans with Disabilities Act (“ADA”). The labor law landscape around the country also saw an increased focus on pay transparency laws – most notably, New York state passed a bill requiring employers to post salary or wage ranges on all job listings. Notably, this law is quite similar to ones already in effect in New York City, Washington state, Colorado, and Jersey City.

Beginning most prominently in July, the cryptocurrency world also found itself under increased scrutiny by the federal government. Of note this month, the SEC filed a complaint against certain Coinbase employees, alleging insider trading and claiming that these employees had tipped off others regarding Coinbase’s listing announcements. This move was one of the more aggressive moves made by the SEC toward the digital asset industry.

Read select legal thought leadership articles published in July for more information:

EEOC Revises COVID-19 Testing Guidance for Employers

SEC v. Wahi: An Enforcement Action that Could Impact the Broader Crypto / Digital Assets Industry

Pay Transparency Laws Are All The Rage: Looks Like New York State Is Joining the Party

August

On August 12, 2022, the Inflation Reduction Act (“IRA”) was passed by Congress, representing enormous changes for industries across the country. Perhaps most notably, the landmark legislation contained new government incentives for the clean energy sector, creating tax incentives for renewable energy projects that previously did not exist. The Act also included 15% alternative minimum corporate tax and a 1% excise tax on stock buybacks to raise government revenue.

The Inflation Reduction Act also provided significant funding for tribal communities, including but not limited to the reduction of drug prices, the lowering of energy costs, and additional federal infrastructure investments. While the funding is not as significant as COVID relief from previous years and there are still some remaining hurdles, the IRA provides groundbreaking new opportunities for Native communities, including those in Alaska and Hawaii.

Read the select legal articles published in August for more information:

The Inflation Reduction Act: How Do Tribal Communities Benefit?

The Inflation Reduction Act: A Tax Overview

Relief Arrives for Renewable Energy Industry – Inflation Reduction Act of 202

September

In September of 2022, Hurricane Ian made landfall in the United States, causing substantial property damage and loss of life despite preparations ahead of time. After addressing safety concerns, policyholders began reviewing their insurance policies, collecting documentation and filing claims. In addition to filing claims for property damage, corporate policyholders also filed claims for business interruption and loss of business income.

Lawsuits opposing the remaining COVID-19 vaccine mandates also continued throughout the month of September, exceeding 1,000 complaints nationally. Previously, lawsuits had largely targeted the Biden Administration, but additional focus was also directed toward large employers with vaccine mandates.

Of global significance, Queen Elizabeth II, the UK’s longest reigning monarch, passed away at 96 years old. Her funeral was held September 19, 2022, and was a national holiday in the United Kingdom marking the last day of public mourning.

Read the following key thought leadership articles on Hurricane Ian, the UK bank holiday due to the Sovereign’s passing, and employers’ COVID mandate headaches for more information:

Hurricane Ian – Navigating Insurance Coverage

Bank Holiday Announced for Her Majesty Queen Elizabeth II’s State Funeral

Challenges Against Employer COVID-19 Vaccine Mandates Show No Sign of Slowing

October

October saw forward movement in environmental justice, cannabis decriminalization, and Artificial Intelligence (“AI”) regulation. The EPA launched its new Office of Environmental Justice and External Civil Rights, to work with state, local, and tribal partners providing financial and technical support to underserved communities disproportionately impacted by the ill effects of climate change. The EPA’s new office has 200 staff members across 10 regions and is expected to provide a unifying focus on civil rights and environmental justice for the EPA and federal government as a whole.

President Biden’s pardon of federal marijuana charges and mandate to review the plant’s Schedule I status signaled a shift in cannabis regulation, with the president urging state officials to follow his example and consider the contrast between wealthy cannabis business owners and those imprisoned for possession in the recent past.

Later in the month, the White House Office of Science and Technology Policy addressed the swell of artificial intelligence technology with their Blueprint for an AI Bill of Rights, which provides guidelines to prevent privacy violations, implicit bias, and other forms of foreseeable harm.

Read selected thought leadership articles below for more information:

EPA Launches Their New Office: What Does the Office of Environmental Justice and External Civil Rights Mean for Companies and ESG in the United States?

“Up in Smoke?” President Biden Announces Pardons and Orders Review of Cannabis Classification

The White House’s AI Bill of Rights: Not for the Robots

November

November was dominated by a nail-biting midterm election season, a cryptocurrency catastrophe, and NDA (Non Disclosure Agreement) reform. While the midterms did not result in a Red Wave as expected, Republicans were able to regain a small majority in the House of Representatives, with the Senate remaining in Democratic control.

The digital finance world was considerably less stable, with the second largest cryptocurrency trading platform, FTX, filing for bankruptcy three days after its lawyers and compliance staff abruptly resigned. The collapse brought into stark relief the importance of solidifying the cryptocurrency custody and insurance landscape.

Also of note, President Biden signed the Speak Out Act, rendering unenforceable nondisclosure and nondisparagement agreements signed prior to incidents of sexual harassment or assault. The law’s passage offers employers the opportunity to review their states’ more robust laws in this area and ensure clauses meant to protect trade secrets and proprietary information don’t inadvertently create issues for sexual misconduct claimants.

Read select thought leadership articles below for a deeper dive:

2022 Midterm Election Guide

The Spectacular Fall of FTX: Considerations about Crypto Custody and Insurance

Nondisclosure and Nondisparagement Agreements in Sexual Harassment and Assault Cases: Speak Out Act Heads to President’s Desk

December

In December, the Federal Trade Commission (FTC) released their hotly anticipated “Green Guides” amendment proposals, intended to combat greenwashing amidst growing demand for environmentally friendly products. The amended Guides for the Use of Environmental Marketing Claims would impose stricter standards for the use of terms such as “recyclable,” “compostable,” “organic,” and “sustainable” in advertising and on packaging.

Meanwhile, Congress narrowly avoided a railroad worker strike by passing Railway Labor Act legislation affirming all tentative agreements between rail carriers and unions. The contracts included a roughly 24% increase in wages over 4-5 years, along with an extra day of leave. Biden promised to address paid leave further in the near future.

The National Labor Relations Board (NLRB) closed out 2022 with a number of impactful decisions favoring workers. Employees have expanded remedies for National Labor Relations Act violations and protection during Section 7 questioning, while employers have the burden of proof when seeking to expand micro-units or deny union protestors.

Read select legal thought leadership pieces below for more details:

Congress Votes to Impose Bargaining Agreement to Avoid Nationwide Railroad Strike

FTC Starts Long-Awaited Green Guides Review

NLRB Issues Flurry of Blockbuster End-of-Year Decisions (With More to Come?) (US)

Thank you to our dedicated readers and as always to our highly regarded contributing authors and our talented NLR editorial staff for working day in and day out to produce one of the most well-read and reputable business law publications in the US. Have a happy 2023!

Copyright ©2023 National Law Forum, LLC

Ankura CTIX FLASH Update – January 3, 2023

Malware Activity

Louisiana’s Largest Medical Complex Discloses Data Breach Associated with October Attack

On December 23rd, 2022, the Lake Charles Memorial Health System (LCMHS) began sending out notifications regarding a newly discovered data breach that is currently impacting approximately 270,000 patients. LCMHS is the largest medical complex in Lake Charles, Louisiana, which contains multiple hospitals and a primary care clinic. The organization discovered unusual activity on their network on October 21, 2022, and determined on October 25, 2022, that an unauthorized actor gained access to the organization’s network as well as “accessed or obtained certain files from [their] systems.” The LCMHS notice listed the following patient information as exposed: patient names, addresses, dates of birth, medical record or patient identification numbers, health insurance information, payment information, limited clinical information regarding received care, and Social Security numbers (SSNs) in limited instances. While LCMHS has yet to confirm the unauthorized actor responsible for the data breach, the Hive ransomware group listed the organization on their data leak site on November 15, 2022, as well as posted files allegedly exfiltrated after breaching the LCMHS network. The posted files contained “bills of materials, cards, contracts, medical info, papers, medical records, scans, residents, and more.” It is not unusual for Hive to claim responsibility for the associated attack as the threat group has previously targeted hospitals/healthcare organizations. CTIX analysts will continue to monitor the Hive ransomware group into 2023 and provide updates on the Lake Charles Memorial Health System data breach as necessary.

Threat Actor Activity

Kimsuky Threat Actors Target South Korean Policy Experts in New Campaign

Threat actors from the North Korean-backed Kimsuky group recently launched a phishing campaign targeting policy experts throughout South Korea. Kimsuky is a long-established threat organization that has been in operation since 2013, primarily conducting cyber espionage and occasional financially motivated attacks. Consistently aiming its attacks at South Korean entities, the group often targets academics, think tanks, and organizations relating to inter-Korean relations. In this recent campaign, Kimsuky threat actors distributed spear-phishing emails to several well-known South Korean policy experts. Each of these emails contained either an embedded website URL or an attachment, both of which executed malicious code to download malware to the compromised machine. One (1) tactic the threat actors utilized was distributing the emails through hacked servers, masking the origin IP address(es). In total, of the 300 hacked servers, eighty-seven (87) were located throughout North Korea, with the others from around the globe. This type of social engineering attack is not new for the threat group, as similar instances have occurred over the past decade. In January 2022, Kimsuky actors mimicked the activities of researchers and think tanks in order to harvest intelligence from associated sources. CTIX continues to urge users to validate the integrity of email correspondence prior to visiting any embedded links or downloading any attachments to lessen the risk of threat actor compromise.

Vulnerabilities

Netgear Patches Critical Vulnerability Leading to Arbitrary Code Execution

Network device manufacturer Netgear has just patched a high-severity vulnerability impacting multiple WiFi router models. The flaw, tracked as CVE-2022-48196, is described as a pre-authentication buffer overflow security vulnerability, which, if exploited, could allow threat actors to carry out a number of malicious activities. These activities include stealing sensitive information, creating Denial-of-Service (DoS) conditions, as well as downloading malware and executing arbitrary code. In past attacks, threat actors have utilized this type of vulnerability as an initial access vector from which they pivot to other parts of the network. Currently, there is very little technical information regarding the vulnerability, and Netgear is temporarily withholding the details to allow as many of its users as possible to update their vulnerable devices to the latest secure firmware. Netgear stated that this is a very low-complexity attack, meaning that unsophisticated attackers may be able to successfully exploit a device. CTIX analysts urge Netgear users with any of the vulnerable devices listed in Netgear’s advisory to patch their devices immediately.


Copyright © 2023 Ankura Consulting Group, LLC. All rights reserved.

Governor Wolf Signs Act 151 Addressing Data Breaches Within Local Entities

On Thursday, November 3, 2022, Governor Tom Wolf signed PA Senate Bill 696, also known as Act 151 of 2022 or the Breach of Personal Information Notification Act.  Act 151 amends Pennsylvania’s existing Breach of Personal Information Notification Act, strengthening protections for consumers, and imposing stricter requirements for state agencies, state agency contractors, political subdivisions, and certain individuals or businesses doing business in the Commonwealth.  Act 151 expands the definition of “personal information,” and requires Commonwealth entities to implement specific notification procedures in the event that a Commonwealth resident’s unencrypted and unredacted personal information has been, or is reasonably believed to have been, accessed and acquired by an unauthorized person.  The requirements for state-level and local entities differ slightly; this Alert will address the impact of Act 151 on local entities.  While this law does not take effect until May 22, 2023, it is critical that all entities impacted by this law be aware of these changes.

For the purposes of Act 151, the term “local entities” includes municipalities, counties, and public schools.  The term “public school” encompasses all school districts, charter schools, intermediate units, cyber charter schools, and area career and technical schools.  Act 151 requires that, in the event of a security breach of the system used by a local entity to maintain, store, or manage computerized data that includes personal information, the local entity must notify affected individuals within seven business days of the determination of the breach.  In addition, local entities must notify the local district attorney of the breach within three business days.

The definition of “personal information” has been updated, and includes a combination of (1) an individual’s first name or first initial and last name, and (2) one or more of the following items, if unencrypted and unredacted:

  • Social Security number;
  • Driver’s license number;
  • Financial account numbers or credit or debit card numbers, combined with any required security code or password;
  • Medical information;
  • Health insurance information; or
  • A username or password in combination with a password or security question and answer.

The last three items were added by this amendment.  Additionally, the new language provides that “personal information” does not include information that is made publicly available from government records or widely distributed media.

Act 151 defines previously undefined terms, drawing a distinction between “determination” and “discovery” of a breach, and setting forth different obligations relating to each.  “Determination,” under the act, is defined as, “a verification or reasonable certainty that a breach of the security of the system has occurred.”  “Discovery” is defined as, “the knowledge of or reasonable suspicion that a breach of the security of the system has occurred.”  This distinction affords entities the ability to investigate a potential breach before the more onerous notification requirements are triggered.  A local entity’s obligation to notify Commonwealth residents is triggered when the entity has reached a determination that a breach has occurred.  Further, any vendor that maintains, stores, or manages computerized data on behalf of a local entity is responsible for notifying the local entity upon discovery of a breach, but the local entity is ultimately responsible for making the determinations and discharging any remaining duties under Act 151.

Another significant update afforded by Act 151 is the addition of an electronic notification procedure.  Previously, notice could be given: (1) by written letter mailed to the last known home address of the individual; (2) telephonically, if certain requirements are met; (3) by email if a prior business relationship exists and the entity has a valid email address; or (4) by substitute notice if the cost of providing notice would exceed $100,000, the affected class of individuals to be notified exceeds 175,000, or the entity does not have sufficient contact information.  Now, in addition to the email option, entities can provide an electronic notice that directs the individual whose personal information may have been materially compromised to promptly change their password and security question or answer, or to take any other appropriate steps to protect their information.

Act 151 also provides that all entities that maintain, store, or manage computerized personal information on behalf of the Commonwealth must utilize encryption – this provision originally applied only to employees and contractors of Commonwealth agencies, but was broadened in Act 151.  Further, the act provides that all entities that maintain, store, or manage computerized personal information on behalf of the Commonwealth must maintain policies relating to the transmission and storage of personal information – such policies were previously developed by the Governor’s Office of Administration.

Finally, under Act 151, any entity that is subject to and in compliance with certain healthcare and federal privacy laws is deemed to be in compliance with Act 151.  For example, an entity that is subject to and in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is deemed compliant with Act 151.

Although Act 151 is an amendment to prior legislation, the updates create potential exposure for local entities and the vendors that serve them.  For local municipalities, schools, and counties, compliance will require a proactive approach – local entities will have to familiarize themselves with the new requirements, be mindful of the personal information they hold, and ensure that their vendors are aware of their obligations.  Further, local entities will be required to implement encryption protocols, and prepare and maintain storage and transmission policies.

Originally Published by Babst Calland November 29, 2022. Article By Michael T. Korns and Ember K. Holmes of Babst, Calland, Clements & Zomnir, P.C.


© Copyright Babst, Calland, Clements and Zomnir, P.C.

Nineteen States Have Banned TikTok on Government-Issued Devices

Governors of numerous states have issued Executive Orders in the past several weeks banning TikTok from government-issued devices; many have already implemented a ban, with others considering similar measures. There is also bipartisan support for a ban in the Senate, which unanimously approved a bill last week that would ban the app from devices issued by federal agencies. There is already a ban prohibiting military personnel from downloading the app on government-issued devices.

The bans are in response to the national security concerns that TikTok poses to U.S. citizens.

To date, 19 states have issued some sort of ban on the use of TikTok on government-issued devices, including some Executive Orders banning the use of TikTok statewide on all government-issued devices. Other state officials have implemented a ban within an individual state department, such as the Louisiana Secretary of State’s Office. In 2020, Nebraska was the first state to issue a ban. Other states that have banned TikTok use in some way are: South Dakota, North Dakota, Maryland, South Carolina, Texas, New Hampshire, Utah, Louisiana, West Virginia, Georgia, Oklahoma, Idaho, Iowa, Tennessee, Alabama, Virginia, and Montana.

Indiana’s Attorney General filed suit against TikTok alleging that the app collects and uses individuals’ sensitive and personal information, but deceives consumers into believing that the information is secure. We anticipate that both the federal government and additional state governments will continue to assess the risk and issue bans on its use in the next few weeks.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.