IP Rights in Virtual Fashion: Lessons Learned in 2022 and Unanswered Questions

There was a lot of talk and much hype about the “metaverse” in 2022. While some were skeptical and stayed on the sidelines to watch, many companies began offering virtual counterparts to their real-world products for use by avatars in the metaverse, including virtual clothing and accessories. For example, Tommy Hilfiger live-streamed a virtual fashion show on Roblox as part of the New York Fashion Week, and Decentraland hosted a Metaverse Fashion Week. Many companies also introduced NFTs into fashion product lines, such as Alo’s NFT offering.

The emergence of virtual goods has generated novel questions about how to protect and enforce IP rights in virtual fashion, and how those strategies might differ from IRL (meaning “in real life”) fashion. Although many questions remain unanswered, this article sets out important considerations for how companies might use various IP laws to protect virtual fashion goods in the United States.

I. DISTINCTIONS BETWEEN VIRTUAL FASHION AND IRL FASHION

Before diving into the IP discussion, it’s worth highlighting some distinctions between virtual fashion and IRL fashion outside the legal context, beyond the obvious fact that virtual fashion is worn by avatars. IRL clothing and accessories are worn primarily for protection against the elements, to conform to societal standards, to conform with a specific event’s dress requirements, to communicate via express messages on clothing or accessories, or to express oneself through the style or design of the clothing.

Virtual fashion can also serve each of those purposes for an avatar, and in some cases for the person behind the avatar. But, because it consists of software code, the possibilities for virtual fashion utility are endless. For example, a particular piece of virtual clothing can also grant access to certain virtual spaces or events, or give the avatar special powers within virtual worlds. If tied to an NFT (non-fungible token), virtual clothing can also provide benefits on and off virtual platforms, including exclusive access to sales promotions and IRL events.

Unlike IRL clothing, however, virtual fashion items currently face compatibility limitations, as the ability to use any virtual fashion item across all virtual platforms is unlikely.

To muddy the waters, as virtual and augmented reality technologies are becoming more popular, they can blur the lines between IRL and virtual fashion. For example, an IRL sweatshirt, when viewed through an appropriate lens, could feature virtual components.

II. IP PROTECTION FOR VIRTUAL FASHION

Because there are no IP laws specific to virtual fashion items, we must seek protection from laws that have traditionally applied to real-life clothing, namely, trademark, trade dress, copyright, and design patent. But the application of these laws can sometimes differ in the virtual context. Each is addressed below.

A. TRADEMARK

Trademark law protects source identifiers such as words, names, logos, and slogans. Obtaining trademark rights specifically in virtual goods, whether acquired through use in commerce or federal registration, is generally straightforward and similar to marks covering IRL fashion. This is evidenced by many marks that were registered in 2022 and specifically cover virtual goods.

That said, even if a company does not have trademark coverage specifically for its virtual goods, the owner of a trademark covering IRL fashion items should have strong arguments that such trademark rights extend to their virtual counterparts. To that point, the U.S. Patent & Trademark Office (USPTO) has refused registration of marks covering virtual goods and services based on prior registrations for the identical marks covering the corresponding IRL goods and services. See, e.g., the refusals of Application No. 97112038 for the mark GUCCI and Application No. 97112054 for the mark PRADA, each of which were filed by parties unrelated to the famous brands.

However, for purposes of enforcement outside of the USPTO context, if a defendant’s goods are virtual, the defendant would have a stronger argument that such goods are not commercial products, but rather expressive works protected by the First Amendment. If a court accepts such an argument, it must then weigh the plaintiff’s trademark rights against the defendant’s First Amendment right of free expression, meaning it would be more challenging for a brand owner to enforce its trademark rights.

In this regard, please see our earlier alert regarding the Hermès v. Rothschild case, in which the court deemed NFTs tied to images of bags called “MetaBirkins” subject to First Amendment protection. [1] In denying Rothschild’s motion to dismiss, the court acknowledged in a footnote that virtually wearable bags (i.e., as opposed to virtual fashion that is displayable but not wearable) might not be afforded First Amendment protection. But we suspect defendants will argue even virtually wearable items should be afforded First Amendment protection, especially given that video games have received such protection. [2]

On balance, companies should consider seeking federal trademark registration specifically for virtual goods and services, for a few reasons:

  • More direct coverage could help a company in an enforcement action against infringing virtual goods, even if the defendant successfully argues it should be entitled to First Amendment protection. For instance, if the plaintiff has direct coverage for virtual goods, it may be easier to prove the defendant’s use of the mark was “explicitly misleading” under the Rogers test. [3]
  • Certain platforms featuring virtual fashion items may only honor a takedown request if the complainant company has a federal registration covering goods that are the same or nearly identical to the allegedly infringing virtual goods.
  • The registration will provide a presumption of valid trademark rights nationwide, and it may serve as a deterrent to third parties wishing to use confusingly similar marks in virtual worlds.

B. TRADE DRESS

U.S. trademark law also protects certain source-identifying elements of a product’s aesthetic design, configuration/shape, and packaging, often referred to as “trade dress.” To obtain trade dress protection, such elements must be (1) non-functional and (2) distinctive (either inherently or acquired through use). There are a couple of interesting nuances with respect to acquiring trade dress protection in the virtual context.

First, although we have not yet seen any case law specifically addressing this, companies will likely have stronger arguments that virtual shape or design elements (as opposed to IRL elements) are non-functional. Specifically, the non-functionality requirement means the relevant elements must not be essential to the use or purpose or affect the cost or quality of the article. For real-life fashion items, this can be difficult to meet due to the inherently functional nature of many aspects of clothing or accessories. However, because virtual fashion items are essentially software code with endless possibilities, in many instances the fashion item will not require any particular design or shape to function.

Second, some virtual fashion items could receive more favorable treatment from a distinctiveness perspective. The distinctiveness requirement has historically been a difficult barrier for protecting IRL fashion. Specifically, case law prior to 2022 established that, while packaging can sometimes be inherently distinctive, product design and configuration/shape can never be, meaning companies must prove such elements have acquired distinctiveness. Proving acquired distinctiveness is burdensome because the company must have used the elements extensively, substantially exclusively, and continuously for a period of time. Often, by the time a company can acquire distinctiveness in the design, the design is no longer in style. Or, if a design is popular and copied by third parties, it can be difficult for the company to claim it used the design substantially exclusively.

If, however, a virtual fashion item provides the user with benefits that go beyond merely outfitting the avatar, such as by providing access to other products or services, one might argue that those items should be construed as packaging, or some new category of trade dress, for such other products or services, in which case the elements could possibly be deemed inherently distinctive with respect to those other products or services.

That said, if a company already has trade dress protection for IRL fashion goods, it should have good arguments that the protection extends to any virtual counterpart. On the flip side, given the difficulties companies typically face in seeking trade dress protection in IRL fashion, to the extent a company can obtain trade dress protection in a virtual counterpart more easily, perhaps it can argue that the rights in the virtual goods should also extend to the physical counterpart. Or, if a company introduces a physical design and a virtual design simultaneously, it could possibly acquire distinctiveness in both sooner, as the simultaneous use would presumably create greater exposure to more customers and reinforce the source-identifying significance of the claimed elements.

With respect to enforcement, as with traditional marks, defendants are more likely to raise a successful First Amendment defense for any virtual products allegedly infringing trade dress. The Hermès case is again an example of this, as Hermès alleged infringement of both its BIRKIN word mark and the trade dress rights in the design of its handbags, and the court held that the defendant’s MetaBirkin NFTs were entitled to First Amendment protection.

Finally, although obtaining trade dress protection is typically more difficult than obtaining trademark protection for traditional marks such as words and logos, companies should also consider seeking registration for trade dress in virtual goods, particularly for important designs that are likely to carry over from season to season, for the same reasons discussed in the trademark section above.

C. COPYRIGHT

Copyright protects original works of authorship that contain at least a modicum of creativity, which is a relatively low bar. However, copyright does not protect useful articles. In effect, for IRL fashion items, copyright generally extends only to those designs that would be entitled to copyright protection if they were extracted or removed from the clothing or viewed on a different medium, and not to the shape of the fashion item itself.

Like trade dress protection, copyright protection should provide companies with greater protection for virtual fashion items than would be available for IRL items, particularly because the software behind the virtual fashion can theoretically create an infinite number of clothing shapes that are creative and not necessarily “useful.” Nonetheless, if a virtual clothing item is merely shaped like its IRL counterpart that lacks originality (e.g., a virtual t-shirt shaped like a basic real-life t-shirt), it may also fail to qualify for copyright protection based on a lack of creativity.

Unlike trade dress protection, however, copyright protection arises immediately upon creation of the work and its fixation in a tangible medium of expression, so it can be a useful tool for protecting virtual fashion without having to spend the time and resources required to seek registration as trade dress and establish acquired distinctiveness.

In addition, unlike IRL fashion, a separate copyright protects the underlying source code for virtual clothing items, which could provide owners with an additional, though likely limited, claim against unauthorized source code copycats.

A copyright registration will provide owners with the ability to sue for copyright infringement, but companies should balance:

  • the benefits of seeking potentially broader copyright protection in virtual fashion items (apart from the code) than is available for IRL items against the risks of conceding that virtual fashion items are works of art entitled to First Amendment protection, which would make trademark and trade dress enforcement more difficult; and
  • the benefits of obtaining any copyright registration for source code with the benefits of keeping the source code secret (although the Copyright Office permits some redactions, significant portions are required to be deposited into the public record).

We are unaware of any 2022 case law specifically addressing copyright in virtual fashion. However, the following cases are worth watching:

  • Andy Warhol Found. for Visual Arts, Inc. v. Goldsmith[4]: In October 2022, the U.S. Supreme Court heard arguments regarding whether Andy Warhol’s “Prince Series” silk screen prints and pencil drawings based on a photograph infringed the photographer’s copyright, or whether they were sufficiently “transformative” to constitute fair use. The outcome of this case could affect a copyright owner’s ability to enforce copyrights against unauthorized digital reproductions of its work, especially if the original work is fixed in a physical medium (e.g., enforcing copyright in a physical clothing item against a third party’s digital reproduction).
  • Thaler v. Perlmutter[5]: Filed in June 2022, the plaintiff is suing the U.S. Copyright Office for refusing registration of an AI-created image because there was no human author. The outcome of this case will necessarily implicate virtual fashion incorporating any AI-generated work.

D. DESIGN PATENT

Design patents protect the ornamental appearance or look of a unique product. Specifically, they protect any new, original, and ornamental design for an article of manufacture. Traditionally, this law was interpreted to require that the article of manufacture is a physical or tangible product. Thus, in the fashion industry for example, one can file a design patent application directed to a unique shoe, handbag, or jewelry design. Historically, an image or picture would not qualify for design patent protection.

However, the USPTO is currently assessing design patents with respect to new technologies such as projections, holograms, and virtual and augmented reality. In December 2020, the USPTO issued a request for public comment regarding a potential rule change to the “article of manufacture” requirement and whether U.S. law should be revised to protect digital designs. Public opinion was mixed, and in April 2022, the USPTO issued a summary of this requested information.

Although the USPTO has not yet formally revised the rules, it has issued guidelines over the years that provide examples of non-physical products that could be protected by a design patent, suggesting changes may ultimately be coming to U.S. design patent law. For example, in 1995, the USPTO released guidelines for design patent applications claiming computer-generated icons. In general, to be eligible for protection, the computer-generated icon must be embodied in a computer screen monitor, or other display monitor. The USPTO has also issued guidance allowing type font to be protectable by design patents. However, it is still unclear whether the USPTO will set forth design patent guidance specific to digital designs or virtual fashion.

Notwithstanding the possibility of obtaining a design patent specifically on such virtual goods, courts have been reluctant to find that a virtual product infringes the design patent for an IRL product. For example, in 2014, in P.S. Products, Inc. v. Activision Blizzard, Inc.,[6] P.S. Products accused Activision of infringing its design patent directed to a stun gun by depicting a virtual weapon in its video game that P.S. Products claimed resembled its patent-protected IRL product.

The court found there was no infringement because “no ordinary observer would be deceived into purchasing a video game believing it to be plaintiffs’ patented stun gun.” This case may have come out differently if the virtual gun were sold separately from the video game and could be used across various platforms rather than being one component of a particular video game. Although there are still software compatibility restrictions for virtual goods, portability of virtual goods is likely to grow as technology evolves and companies respond to consumer demands.

While we wait for further USPTO guidance that ultimately may have application to virtual fashion, parties seeking design patent protection may consider simultaneously filing one application to protect the work as a digital design on a display screen, like a patentable computer-generated icon, and a second, traditional design patent application to protect the design as a tangible product. That said, companies should consider other options for protecting any designs created by AI, as the Federal Circuit Court of Appeals held in 2022 that AI cannot qualify as an inventor for purposes of obtaining a patent.[7]

III. Virtual Fashion in Practice

Contracts relating to virtual fashion are analogous to contracts for IRL fashion and should be structured accordingly. For instance, companies should ensure that contracts with IP contributors include an assignment of all IP rights, or at least a sufficiently broad license. In the virtual context, this includes rights to the software code itself. Likewise, downstream licensing should generally address ownership, licensee rights, and if applicable, confidentiality for any trade secrets in the source code. In addition, for both IP contributors and licensees, if AI software is used in any part of the creative process, companies should give thought to allocation of ownership.

In addition, some designers or marketing teams may prefer to encourage a brand’s customer base to copy its designs or create derivative works. Although this seems counterintuitive (especially to an IP lawyer), many players in the Web3 space encourage others to build off their own designs. For example, the Bored Ape Yacht Club (BAYC), known for issuing NFTs tied to images of apes, grants owners of its NFTs the rights to use the images of apes, including for commercial purposes.[8] One purchaser of a Bored Ape NFT, for instance, created a Bored Ape-themed restaurant.

In the virtual fashion context, if a marketing team wants customers to build off the brand’s virtual designs but wants to retain ownership of its own designs (and perhaps derivatives), it should implement standard licensing terms relating to ownership, customer licensee rights, and other provisions. However, it’s important to consider how the terms are presented and how customers indicate assent to maximize the prospects of enforceability.

From a business perspective, companies can also now use NFTs and smart contracts to receive automatic royalties in any downstream sales or licenses. And because NFTs use blockchain technology, which provides an immutable chain of title, third parties will be able to trace such designs to the original source. This means companies can encourage the sharing of designs and receive royalties in connection with the downstream licensing of designs tied to NFTs, and third parties can confirm that the designs are legitimate by reviewing the relevant blockchain ledger. Accordingly, although encouraging customers to use the brand’s designs may not be a model for every brand, there are some steps brands can take to protect the IP rights associated with them and reap financial benefits.

As virtual fashion items become more popular, companies are faced with uncertainties and novel questions regarding how to protect and enforce their IP rights. In 2022, some questions were answered, but many more remain open. Therefore, it is important to discuss strategies for protecting innovative virtual fashion with IP counsel.

FOOTNOTES

[1] Notably, on December 30, 2022, the Hermès court denied both parties’ motions for summary judgment, with an opinion to follow by January 20. A jury trial is scheduled to begin on January 30, 2023. Hermès International, et al. v. Mason Rothschild, 1:22-cv-00384-JSR (S.D.N.Y.).

[2] See, e.g., AM Gen. LLC v. Activision Blizzard, Inc., 450 F. Supp. 3d 467, 485 (S.D.N.Y. 2020).

[3] If a defendant’s unauthorized use of a mark is protected by the First Amendment, many courts use the Rogers test to balance the plaintiff’s trademark rights with the defendant’s First Amendment right of expression. This test looks at whether the defendant’s use of the plaintiff’s mark was artistically relevant and, if so, whether it was explicitly misleading. Rogers v. Grimaldi, 875 F.2d 994 (2d Cir. 1989).

[4] 11 F.4th 26 (2d Cir. 2021), cert. granted, 142 S. Ct. 1412 (2022).

[5] Case No. 1:22-cv-01564 (D.D.C.).

[6] 140 F. Supp. 3d 795, 802 (E.D. Ark. 2014).

[7] Thaler v. Vidal, 43 F.4th 1207, 1213 (Fed. Cir. 2022).

[8] We will save for another day a discussion of the recent lawsuit against BAYC and many celebrities for failing to disclose financial incentives when promoting the BAYC NFT collection, and instead focus here on IP protection. Adonis Real, et al., v. Yuga Labs, Inc., et al., 2:22-cv-08909 (C.D. Cal.). But companies should also ensure that influencers properly disclose any incentives and other material connections.


©2023 Pierce Atwood LLP. All rights reserved.

Top Legal News of 2022: A Review of the Most Notable and Newsworthy Thought Leadership from the National Law Review’s Contributors

Happy New Year from the National Law Review! We hope that the holiday season has been restful and rejuvenating for you and your family. Here at the NLR, we are wrapping up the second season of our legal news podcast, Legal News Reach. Check out episode seven here: Creating A Diverse, Equitable and Inclusive Work Environment with Stacey Sublett Halliday of Beveridge & Diamond! A few weeks ago, we also announced the winners of our 2022 Go-To Thought Leadership Awards! Each year, around 75 recipients are selected for their timely and high-quality contributions to the National Law Review. This year’s slate of winners was particularly competitive – to see the full list, check out our 2022 National Law Review Thought Leadership Awards page.

As we look forward to a bright and busy 2023 for the legal industry, it is more prudent than ever to review the previous year and all that came with it. 2022 was a chaotic and monumental year for not only the legal profession, but for the world at large. The invasion of Ukraine, global supply chain issues, and the ongoing coronavirus pandemic were only some of the many challenges all industries and sectors faced. In the United States, companies and employers dealt with enormous changes at every level, including but not limited to the reversal of Roe v. Wade, shifting attitudes toward cannabis legalization, and ever-changing standards for COVID-19 vaccinations.

Read on below for some thought leadership highlights from this past year, and for a reminder of all that we’ve passed through in 2022:

January

Most prominently in 2022, the US Supreme Court handed down substantial rulings on coronavirus vaccine mandates, which affected not only healthcare workers but all employers across the country. With a 6-3 majority, SCOTUS stayed the Biden Administration’s OSHA Emergency Temporary Standard that applied to all private employers, but simultaneously ruled, in a 5-4 unsigned majority opinion, that vaccine mandates for medical facilities and medical workers can remain.

January also saw noteworthy changes to labor law in the United States, inviting a handful of significant standard changes for all employers. At the end of 2021 and early in 2022, the NLRB considered cases that altered the standard for determining independent contractor status, as well as the standard that established whether a facially neutral work rule violates Section 8(a)(1) of the National Labor Relations Act. These changes also paved the way for briefings on determining appropriate bargaining units.

Read January 2022’s thought leadership focusing on Labor and Employment law and the related Supreme Court rulings below for more information:

Supreme Court Stays Private Vaccine Mandate; Upholds Requirement for Certain Healthcare Workers

On Again, Off Again Vaccine Mandates: What Should Employers Do Now?

NLRB Rings in the New Year by Inviting Briefing on Multiple, Far-Reaching Standards Impacting Employers

February

On February 24, 2022, Russia launched a large-scale ground invasion of Ukraine, leading to considerable damage and loss of life and throwing the geopolitical landscape into chaos. Both in February and in the months since, the Russia-Ukraine war has placed an extraordinary strain on the global supply chain and businesses around the world, as the European Union, the United Kingdom, and the United States have continued to enforce sanctions and trade regulations. Companies must be careful to comply with these orders as the political landscape continues to change, and must learn how to juggle the dual headaches of the lingering COVID crisis and the evolving war in Ukraine.

Domestically, President Biden nominated Ketanji Brown Jackson to the US Supreme Court. Succeeding Justice Stephen Breyer, Judge Jackson graduated magna cum laude from Harvard University in 1992 and cum laude from Harvard Law in 1996 and has since served as a judge on the U.S. Court of Appeals for the District of Columbia Circuit. She is the first African American woman to serve on the United States’ highest court of law.

Read select thought leadership articles below for more information:

President Biden Nominates D.C. Circuit Judge Ketanji Brown Jackson to U.S. Supreme Court

Russian Invasion of Ukraine Triggers Global Sanctions: What Businesses Need to Know

Consequences from the Ukrainian Conflict

March

March of 2022 saw the long-term impacts of the military conflict in Ukraine emerge locally and around the world. Sanctions continued to affect businesses, leading to global supply chain slowdowns, difficulties in manufacturing and shipping, and new immigration changes and challenges. In the US, the Securities and Exchange Commission (“SEC”) issued new and noteworthy regulations regarding Environmental, Social & Corporate Governance (“ESG”) and climate change disclosures for public companies. The Supreme Court also heard oral argument in a large slate of cases, perhaps most notably ZF Auto. US v. Luxshare, Ltd. and AlixPartners v. The Fund for Prot. of Inv. Rights in Foreign States, which interpreted the reach of 28 U.S.C. § 1782 (“Section 1782”) in seeking US-style discovery from an interested party to a foreign proceeding, and whether or not Section 1782 can be used to obtain key information for private international arbitrations.

Read key thought leadership articles published in March for more details:

SEC Issues Long-Awaited Proposed Rule on Climate Disclosures

U.S. Supreme Court Hears Oral Argument on Circuit Split Over Scope of 28 U.S.C. § 1782 for Obtaining Discovery in International Arbitrations

The Effects of the Military Conflict in Ukraine on Supply Contracts

April

In April of 2022, the Biden Administration made notable changes to the National Environmental Policy Act, better known as NEPA, which had been substantially altered under the Trump Administration. A number of key provisions were returned to their pre-Trump state in order to better center the administration’s larger focus on environmental justice. Also of note, a US court for the first time contested the Centers for Disease Control and Prevention’s (“CDC’s”) travel mask mandate, on the grounds that it exceeded the CDC’s statutory authority under the Administrative Procedure Act (the “federal APA”). This ultimately led to the vacating of the COVID travel mask mandate on a nationwide basis.

Elon Musk announced his intention to purchase Twitter in April of 2022, as well. Twitter ultimately adopted a shareholder rights plan, known as a poison pill, in hopes of preventing Musk’s hostile takeover. Poison pills are widely regarded as an effective but draconian anti-takeover defense.

Read select thought leadership articles below for more information:

Biden Administration Walks Back Key Trump Era NEPA Regulation Changes

Twitter Board of Directors Adopts a Poison Pill

Administrative Law Takeaways from the Federal Travel Mask Mandate Decision

May

On May 17th, the first case of Monkeypox in the United States was reported in Massachusetts. In response, the Environmental Protection Agency (“EPA”) and the federal government implemented a number of policy changes in hopes of preventing a wider spread, including the speedy authorization of anti-Monkeypox claims for certain registered pesticides and disinfectant products.

The SEC and administrative law at large received a considerable blow after the Fifth Circuit’s ruling in Jarkesy v. SEC. The Fifth Circuit held that the SEC’s in-house courts violated a series of constitutional protections, which may result in far-reaching impacts for how administrative bodies are used to regulate in the future. Additionally in May, the Senate confirmed Commissioner Alvaro Bedoya for the Federal Trade Commission (“FTC”), shifting the balance of power at the Commission back in favor of the Democratic Party.

Read the following highlighted thought leadership articles published in May for more information:

EPA Authorizes Anti-Monkeypox Claims for Pre-Designated Disinfectant Products

Fifth Circuit Holds That SEC Administrative Law Courts Are Unconstitutional

Big News at The FTC: Democrats Finally Get the Majority Back

June

In June of 2022, the Supreme Court released its decision in Dobbs v. Jackson, reversing Roe v. Wade’s 50-year precedent of ensuring abortion as a protected right. Dobbs is a momentous decision and has resulted in a myriad of complex issues for employers, healthcare providers and individuals, including the updating of employee policies, healthcare provisions, ethical and criminal considerations for healthcare providers and the protection of personal data, and ultimately represents a massive shift away from women’s bodily autonomy in the United States. The partial advance leak of the Dobbs ruling added to the myriad of concerns about the stability and public perception of the Supreme Court.

Other notable litigation and legislation in June included the passing of the Uyghur Forced Labor Prevention Act, subjecting the importers of raw materials from China to new enforcement provisions. The Supreme Court also ruled in West Virginia v. EPA, limiting the SEC’s ability to enforce ESG requirements on public companies. The West Virginia v. EPA ruling presents a considerable obstacle for the Biden Administration’s ongoing climate goals.

Read select legal news articles below for more information:

Employment Law This Week: SCOTUS Overturns Roe v. Wade – What Employers Should Consider [VIDEO]

Uyghur Forced Labor Prevention Act Enforcement Starts on Imports from China and on Imports with China Origin Inputs

Implications of West Virginia v. EPA on Proposed SEC Climate Rules

July

July of 2022 saw a great deal of change in the Equal Employment Opportunity Commission’s (“EEOC’s”) COVID testing guidance for employers. The largest change concerns determining whether testing is needed to prevent workplace transmission and interpreting the business necessity standard under the Americans with Disabilities Act (“ADA”). The labor law landscape around the country also saw an increased focus on pay transparency laws; most notably, New York State passed a bill requiring employers to post salary or wage ranges on all job listings. Notably, this law is quite similar to ones already in effect in New York City, Washington State, Colorado, and Jersey City.

Beginning most prominently in July, the cryptocurrency world also found itself under increased scrutiny by the federal government. Of note this month, the SEC filed a complaint against certain Coinbase employees, alleging insider trading and claiming that these employees had tipped off others regarding Coinbase’s listing announcements. This move was one of the more aggressive moves made by the SEC toward the digital asset industry.

Read select legal thought leadership articles published in July for more information:

EEOC Revises COVID-19 Testing Guidance for Employers

SEC v. Wahi: An Enforcement Action that Could Impact the Broader Crypto / Digital Assets Industry

Pay Transparency Laws Are All The Rage: Looks Like New York State Is Joining the Party

August

On August 12, 2022, the Inflation Reduction Act (“IRA”) was passed by Congress, representing enormous changes for industries across the country. Perhaps most notably, the landmark legislation contained new government incentives for the clean energy sector, creating tax incentives for renewable energy projects that previously did not exist. The Act also included 15% alternative minimum corporate tax and a 1% excise tax on stock buybacks to raise government revenue.

The Inflation Reduction Act also provided significant funding for tribal communities, including but not limited to the reduction of drug prices, the lowering of energy costs, and additional federal infrastructure investments. While the funding is not as significant as COVID relief from previous years and there are still some remaining hurdles, the IRA provides groundbreaking new opportunities for Native communities, including those in Alaska and Hawaii.

Read the select legal articles published in August for more information:

The Inflation Reduction Act: How Do Tribal Communities Benefit?

The Inflation Reduction Act: A Tax Overview

Relief Arrives for Renewable Energy Industry – Inflation Reduction Act of 202

September

In September of 2022, Hurricane Ian made landfall in the United States, causing substantial property damage and loss of life despite preparations ahead of time. After addressing safety concerns, policyholders began reviewing their insurance policies, collecting documentation and filing claims. In addition to filing claims for property damage, corporate policyholders also filed claims for business interruption and loss of business income.

Lawsuits opposing the remaining COVID-19 vaccine mandates also continued throughout the month of September, exceeding 1,000 complaints nationally. Previously, lawsuits had largely targeted the Biden Administration, but additional focus was also directed toward large employers with vaccine mandates.

Of global significance, Queen Elizabeth II, the UK’s longest reigning monarch, passed away at 96 years old. Her funeral was held September 19, 2022, and was a national holiday in the United Kingdom marking the last day of public mourning.

Read the following key thought leadership articles on Hurricane Ian, the UK Bank Holiday due to the Sovereign’s passing, and employers’ COVID mandate headaches for more information:

Hurricane Ian – Navigating Insurance Coverage

Bank Holiday Announced for Her Majesty Queen Elizabeth II’s State Funeral

Challenges Against Employer COVID-19 Vaccine Mandates Show No Sign of Slowing

October

October saw forward movement in environmental justice, cannabis decriminalization, and Artificial Intelligence (“AI”) regulation. The EPA launched its new Office of Environmental Justice and External Civil Rights to work with state, local, and tribal partners, providing financial and technical support to underserved communities disproportionately impacted by the ill effects of climate change. The EPA’s new office has 200 staff members across 10 regions and is expected to provide a unifying focus on civil rights and environmental justice for the EPA and the federal government as a whole.

President Biden’s pardon of federal marijuana charges and mandate to review the plant’s Schedule I status signaled a shift in cannabis regulation, with the president urging state officials to follow his example and consider the contrast between wealthy cannabis business owners and those imprisoned for possession in the recent past.

Later in the month, the White House Office of Science and Technology Policy addressed the swell of artificial intelligence technology with their Blueprint for an AI Bill of Rights, which provides guidelines to prevent privacy violations, implicit bias, and other forms of foreseeable harm.

Read selected thought leadership articles below for more information:

EPA Launches Their New Office: What Does the Office of Environmental Justice and External Civil Rights Mean for Companies and ESG in the United States?

“Up in Smoke?” President Biden Announces Pardons and Orders Review of Cannabis Classification

The White House’s AI Bill of Rights: Not for the Robots

November

November was dominated by a nail-biting midterm election season, a cryptocurrency catastrophe, and NDA (Non-Disclosure Agreement) reform. While the midterms did not result in the Red Wave that was expected, Republicans were able to regain a small majority in the House of Representatives, with the Senate remaining in Democratic control.

The digital finance world was considerably less stable, with the second largest cryptocurrency trading platform, FTX, filing for bankruptcy three days after its lawyers and compliance staff abruptly resigned. The collapse brought into stark relief the importance of solidifying the cryptocurrency custody and insurance landscape.

Also of note, President Biden signed the Speak Out Act, rendering unenforceable nondisclosure and nondisparagement agreements signed prior to incidents of sexual harassment or assault. The law’s passage offers employers the opportunity to review their states’ more robust laws in this area and ensure clauses meant to protect trade secrets and proprietary information don’t inadvertently create issues for sexual misconduct claimants.

Read select thought leadership articles below for a deeper dive:

2022 Midterm Election Guide

The Spectacular Fall of FTX: Considerations about Crypto Custody and Insurance

Nondisclosure and Nondisparagement Agreements in Sexual Harassment and Assault Cases: Speak Out Act Heads to President’s Desk

December

In December, the Federal Trade Commission (FTC) released its hotly anticipated “Green Guides” amendment proposals, intended to combat greenwashing amidst growing demand for environmentally friendly products. The amended Guides for the Use of Environmental Marketing Claims would impose stricter standards for the use of terms such as “recyclable,” “compostable,” “organic,” and “sustainable” in advertising and on packaging.

Meanwhile, Congress narrowly avoided a railroad worker strike by passing Railway Labor Act legislation affirming all tentative agreements between rail carriers and unions. The contracts included a roughly 24% increase in wages over 4-5 years, along with an extra day of leave. Biden promised to address paid leave further in the near future.

The National Labor Relations Board (NLRB) closed out 2022 with a number of impactful decisions favoring workers. Employees have expanded remedies for National Labor Relations Act violations and protection during Section 7 questioning, while employers have the burden of proof when seeking to expand micro-units or deny union protestors.

Read select legal thought leadership pieces below for more details:

Congress Votes to Impose Bargaining Agreement to Avoid Nationwide Railroad Strike

FTC Starts Long-Awaited Green Guides Review

NLRB Issues Flurry of Blockbuster End-of-Year Decisions (With More to Come?) (US)

Thank you to our dedicated readers and, as always, to our highly regarded contributing authors and our talented NLR editorial staff for working day in and day out to produce one of the most well-read and reputable business law publications in the US. Have a happy 2023!

Copyright ©2023 National Law Forum, LLC

Ankura CTIX FLASH Update – January 3, 2023

Malware Activity

Louisiana’s Largest Medical Complex Discloses Data Breach Associated with October Attack

On December 23rd, 2022, the Lake Charles Memorial Health System (LCMHS) began sending out notifications regarding a newly discovered data breach that is currently impacting approximately 270,000 patients. LCMHS is the largest medical complex in Lake Charles, Louisiana, which contains multiple hospitals and a primary care clinic. The organization discovered unusual activity on their network on October 21, 2022, and determined on October 25, 2022, that an unauthorized actor gained access to the organization’s network as well as “accessed or obtained certain files from [their] systems.” The LCMHS notice listed the following patient information as exposed: patient names, addresses, dates of birth, medical record or patient identification numbers, health insurance information, payment information, limited clinical information regarding received care, and Social Security numbers (SSNs) in limited instances. While LCMHS has yet to confirm the unauthorized actor responsible for the data breach, the Hive ransomware group listed the organization on their data leak site on November 15, 2022, as well as posted files allegedly exfiltrated after breaching the LCMHS network. The posted files contained “bills of materials, cards, contracts, medical info, papers, medical records, scans, residents, and more.” It is not unusual for Hive to claim responsibility for the associated attack as the threat group has previously targeted hospitals/healthcare organizations. CTIX analysts will continue to monitor the Hive ransomware group into 2023 and provide updates on the Lake Charles Memorial Health System data breach as necessary.

Threat Actor Activity

Kimsuky Threat Actors Target South Korean Policy Experts in New Campaign

Threat actors from the North Korean-backed Kimsuky group recently launched a phishing campaign targeting policy experts throughout South Korea. Kimsuky is a long-standing threat organization that has been in operation since 2013, primarily conducting cyber espionage and occasional financially motivated attacks. Consistently aiming its attacks at South Korean entities, the group often targets academics, think tanks, and organizations relating to inter-Korean relations. In this recent campaign, Kimsuky threat actors distributed spear-phishing emails to several well-known South Korean policy experts. Within these emails, either an embedded website URL or an attachment was present, both executing malicious code to download malware to the compromised machine. One (1) tactic the threat actors utilized was distributing emails through hacked servers, masking the origin IP address(es). In total, of the 300 hacked servers, eighty-seven (87) of them were located throughout North Korea, with the others from around the globe. This type of social engineering attack is not new for the threat group, as similar instances have occurred over the past decade. In January 2022, Kimsuky actors mimicked the activities of researchers and think tanks in order to harvest intelligence from associated sources. CTIX continues to urge users to validate the integrity of email correspondence prior to visiting any embedded links or downloading any attachments to lessen the risk of threat actor compromise.

Vulnerabilities

Netgear Patches Critical Vulnerability Leading to Arbitrary Code Execution

Network device manufacturer Netgear has just patched a high-severity vulnerability impacting multiple WiFi router models. The flaw, tracked as CVE-2022-48196, is described as a pre-authentication buffer overflow security vulnerability, which, if exploited, could allow threat actors to carry out a number of malicious activities. These activities include stealing sensitive information, creating Denial-of-Service (DoS) conditions, as well as downloading malware and executing arbitrary code. In past attacks, threat actors have utilized this type of vulnerability as an initial access vector by which they pivot to other parts of the network. Currently, there is very little technical information regarding the vulnerability, and Netgear is temporarily withholding the details to allow as many of its users as possible to update their vulnerable devices to the latest secure firmware. Netgear stated that this is a very low-complexity attack, meaning that unsophisticated attackers may be able to successfully exploit a device. CTIX analysts urge Netgear users with any of the vulnerable devices listed in Netgear’s advisory to patch their devices immediately.

For more cybersecurity news, click here to visit the National Law Review.

Copyright © 2023 Ankura Consulting Group, LLC. All rights reserved.

Governor Wolf Signs Act 151 Addressing Data Breaches Within Local Entities

On Thursday, November 3, 2022, Governor Tom Wolf signed PA Senate Bill 696, also known as Act 151 of 2022 or the Breach of Personal Information Notification Act. Act 151 amends Pennsylvania’s existing Breach of Personal Information Notification Act, strengthening protections for consumers and imposing stricter requirements for state agencies, state agency contractors, political subdivisions, and certain individuals or businesses doing business in the Commonwealth. Act 151 expands the definition of “personal information,” and requires Commonwealth entities to implement specific notification procedures in the event that a Commonwealth resident’s unencrypted and unredacted personal information has been, or is reasonably believed to have been, accessed and acquired by an unauthorized person. The requirements for state-level and local entities differ slightly; this Alert will address the impact of Act 151 on local entities. While this law does not take effect until May 22, 2023, it is critical that all entities impacted by this law be aware of these changes.

For the purposes of Act 151, the term “local entities” includes municipalities, counties, and public schools.  The term “public school” encompasses all school districts, charter schools, intermediate units, cyber charter schools, and area career and technical schools.  Act 151 requires that, in the event of a security breach of the system used by a local entity to maintain, store, or manage computerized data that includes personal information, the local entity must notify affected individuals within seven business days of the determination of the breach.  In addition, local entities must notify the local district attorney of the breach within three business days.

The definition of “personal information” has been updated, and includes a combination of (1) an individual’s first name or first initial and last name, and (2) one or more of the following items, if unencrypted and unredacted:

  • Social Security number;
  • Driver’s license number;
  • Financial account numbers or credit or debit card numbers, combined with any required security code or password;
  • Medical information;
  • Health insurance information; or
  • A username or password in combination with a password or security question and answer.

The last three items were added by this amendment.  Additionally, the new language provides that “personal information” does not include information that is made publicly available from government records or widely distributed media.

Act 151 defines previously undefined terms, drawing a distinction between “determination” and “discovery” of a breach, and setting forth different obligations relating to each.  “Determination,” under the act, is defined as, “a verification or reasonable certainty that a breach of the security of the system has occurred.”  “Discovery” is defined as, “the knowledge of or reasonable suspicion that a breach of the security of the system has occurred.”  This distinction affords entities the ability to investigate a potential breach before the more onerous notification requirements are triggered.  A local entity’s obligation to notify Commonwealth residents is triggered when the entity has reached a determination that a breach has occurred.  Further, any vendor that maintains, stores, or manages computerized data on behalf of a local entity is responsible for notifying the local entity upon discovery of a breach, but the local entity is ultimately responsible for making the determinations and discharging any remaining duties under Act 151.

Another significant update afforded by Act 151 is the addition of an electronic notification procedure.  Previously, notice could be given: (1) by written letter mailed to the last known home address of the individual; (2) telephonically, if certain requirements are met; (3) by email if a prior business relationship exists and the entity has a valid email address; or (4) by substitute notice if the cost of providing notice would exceed $100,000, the affected class of individuals to be notified exceeds 175,000, or the entity does not have sufficient contact information.  Now, in addition to the email option, entities can provide an electronic notice that directs the individual whose personal information may have been materially compromised to promptly change their password and security question or answer, or to take any other appropriate steps to protect their information.

Act 151 also provides that all entities that maintain, store, or manage computerized personal information on behalf of the Commonwealth must utilize encryption – this provision originally applied only to employees and contractors of Commonwealth agencies, but was broadened in Act 151. Further, the act provides that all entities that maintain, store, or manage computerized personal information on behalf of the Commonwealth must maintain policies relating to the transmission and storage of personal information – such policies were previously developed by the Governor’s Office of Administration.

Finally, under Act 151, any entity that is subject to and in compliance with certain healthcare and federal privacy laws is deemed to be in compliance with Act 151.  For example, an entity that is subject to and in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is deemed compliant with Act 151.

Although Act 151 is an amendment to prior legislation, the updates create potential exposure for local entities and the vendors that serve them.  For local municipalities, schools, and counties, compliance will require a proactive approach – local entities will have to familiarize themselves with the new requirements, be mindful of the personal information they hold, and ensure that their vendors are aware of their obligations.  Further, local entities will be required to implement encryption protocols, and prepare and maintain storage and transmission policies.

Originally Published by Babst Calland November 29, 2022. Article By Michael T. Korns and Ember K. Holmes of Babst, Calland, Clements & Zomnir, P.C.

Click here to read more legislative news on the National Law Review website.

© Copyright Babst, Calland, Clements and Zomnir, P.C.

Nineteen States Have Banned TikTok on Government-Issued Devices

Governors of numerous states have issued Executive Orders in the past several weeks banning TikTok from government-issued devices, and many have already implemented a ban, with others considering similar measures. There is also bipartisan support for a ban in the Senate, which unanimously approved a bill last week that would ban the app from devices issued by federal agencies. There is already a ban prohibiting military personnel from downloading the app on government-issued devices.

The bans are in response to the national security concerns that TikTok poses to U.S. citizens.

To date, 19 states have issued some sort of ban on the use of TikTok on government-issued devices, including some Executive Orders banning the use of TikTok statewide on all government-issued devices. Other state officials have implemented a ban within an individual state department, such as the Louisiana Secretary of State’s Office. In 2020, Nebraska was the first state to issue a ban. Other states that have banned TikTok use in some way are: South Dakota, North Dakota, Maryland, South Carolina, Texas, New Hampshire, Utah, Louisiana, West Virginia, Georgia, Oklahoma, Idaho, Iowa, Tennessee, Alabama, Virginia, and Montana.

Indiana’s Attorney General filed suit against TikTok alleging that the app collects and uses individuals’ sensitive and personal information, but deceives consumers into believing that the information is secure. We anticipate that both the federal government and additional state governments will continue to assess the risk and issue bans on its use in the next few weeks.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.
For more Cybersecurity Legal News, click here to visit the National Law Review.

TCPA Turnstile: 2022 Year in Review (TCPA Case Update Vol. 17)

As 2022 comes to a close, we wanted to look back at the most significant Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”) decisions of the year.  While we didn’t see the types of landscape-altering decisions that we saw in 2021, there’s still plenty to take note of.  We summarize here the biggest developments since our last update, listed by issue category in alphabetical order.

Arbitration: In Kelly v. McClatchy Co., LLC, 2022 WL 1693339 (E.D. Cal. May 26, 2022), the District Court denied the defendant’s motion to compel arbitration because the contractual relationship between the parties had terminated before the unwanted calls were made. Plaintiffs had originally signed defendant’s Terms of Service, which bound them to an arbitration provision for all legal disputes. Plaintiffs then cancelled their subscriptions, which subsequently ended the enforceability of the Terms of Service against them. However, plaintiffs then received unwanted calls from Defendant seeking service renewals, which the court deemed were not covered by the arbitration clause, even under a theory of post-expiration enforcement.

ATDS: Following Facebook v. Duguid, 141 S. Ct. 1163 (2021), courts are still struggling to define an “automatic telephone dialing system,” and the Third Circuit weighed in through Panzarella v. Navient Sols., Inc., 2022 WL 2127220 (3d Cir. June 14, 2022).  The district court granted defendant’s motion for summary judgment on the grounds that plaintiffs failed to show that an ATDS was used to call their phones. The Third Circuit upheld the summary judgment ruling but did not decide whether the dialing equipment used constituted an “ATDS” under the TCPA. Rather, its ruling hinged on the fact that defendant’s dialer pulled phone numbers from its internal database, not computer-generated tables. As such, the Third Circuit found that even though the system may very well be an unlawful ATDS system under the TCPA, if it is not used in that way, defendants could not be held liable.

In an interesting move, the court in Jiminez v. Credit One Bank, N.A., Nco Fin. Sys., 2022 WL 4611924 (S.D.N.Y. Sept. 30, 2022), narrowed the definition of an “ATDS,” choosing to reject the Second Circuit approach in favor of the Third Circuit’s approach in Panzarella. Here, plaintiff alleged that defendant used a dialing system to send numerous calls without consent. The Second Circuit follows the majority view that, if a system used to dial numbers has the ability to store or generate random numbers, the call made violates the TCPA, even if the random dialing function is not actually utilized. But the court in Jiminez found the Third Circuit’s reasoning persuasive and applied it to the case, finding that plaintiff failed to show the dialing system was actually used in a way that violated the TCPA. It granted summary judgment to defendants on the TCPA claims because the evidence showed the numbers used were all taken from a pre-approved customer list, not generated from random dialing.

Similarly, in Borden v. Efinancial, LLC, 2022 WL 16955661 (9th Cir. Nov. 16, 2022), the Ninth Circuit also adopted a narrower definition of an ATDS, finding that to qualify as an ATDS, a dialing system must use its automation function to generate and dial random or sequential telephone numbers. This means that a mere ability to generate random or sequential numbers is irrelevant; the generated numbers must actually be telephone numbers. Given the circuit split on this issue, it seems likely that the Supreme Court will eventually have to weigh in.

Notably, in May 2022, the FCC issued a new order which will target unlawful robocalls originating outside the country. The order creates a new classification of service providers called “Gateway Providers,” which have traditionally served as transmitters of international robocalls. These providers are domestic intermediaries which are now required to register with the FCC’s Robocall Mitigation database, file a mitigation plan with the agency, and certify compliance with the practices therein.

Class Certification: In Drazen v. Pinto, 41 F. 4th 1354 (11th Cir. July 27, 2022), the Eleventh Circuit considered the issue of standing in a TCPA class action. Plaintiffs’ proposed settlement class included unnamed plaintiffs who had only received one unsolicited text message. Because the court held in an earlier case (Salcedo v. Hanna, 936 F.3d 1162 (11th Cir. 2019)) that just one unwanted message is not sufficient to satisfy Article III standing, it found that some of the class members did not have adequate standing. The district court approved the class with these members in it, finding that those members could remain because they had standing in their respective Circuit and only named plaintiffs needed to have standing. The Eleventh Circuit held otherwise and vacated the class certification and settlement in the case. It remanded, allowing for redefinition of the class giving all members standing.

Consent: Chennette v. Porch, 2022 WL 6884084 (9th Cir. Oct. 12, 2022), involved a defendant who used cell phone numbers posted on publicly available websites, like Yelp and Facebook, to solicit client leads to contractors through unwanted text messages. The court rejected defendant’s argument that plaintiffs consented to the calls because their businesses were advertised through these public posts with the intent of obtaining new business. Beyond that, the court also found that even though these cell phones were used for both personal and business purposes, the numbers still fell within the protection of the TCPA, allowing plaintiffs to satisfy both statutory and Article III standing.

Damages: In Wakefield v. ViSalus, 2022 WL 11530386 (9th Cir. Oct. 20, 2022), the Ninth Circuit adopted a new test to determine the constitutionality of an exceptionally large damages award. Defendant was a marketing company that made unwanted calls to former customers, soliciting them to renew their subscriptions to weight-loss products. After a multi-day trial, a jury returned a verdict for the plaintiff with a statutory damages award of almost $1 billion. The Ninth Circuit reversed and remanded to the district court to consider the constitutionality of the award. While the district court’s test asked whether the award was “so severe and oppressive” as to violate defendant’s due process rights, the Ninth Circuit instructed it to reassess using a test outlined in a different case, Six Mexican Workers. The Six Mexican Workers test assesses the following factors in determining the constitutionality of the damages award: “1) the amount of award to each plaintiff, 2) the total award, 3) the nature and persistence of the violations, 4) the extent of the defendant’s culpability, 5) damage awards in similar cases, 6) the substantive or technical nature of the violations, and 7) the circumstances of each.” We are still awaiting that determination on remand.

Standing: In Hall v. Smosh Dot Com, Inc., 2022 WL 2704571 (E.D. Cal. July 12, 2022), the court addressed whether plaintiff had standing under the TCPA as a cell phone plan subscriber where the text messages were only received by someone else on the plan; in this case, plaintiff was the subscriber and her minor son was the recipient of the unwanted text messages. The court granted defendant’s motion to dismiss for lack of standing because she could not show that the status of subscriber alone could convey adequate standing under Article III.

In Rombough v. State Farm, No. 22-CV-15-CJW-MAR (N.D. Iowa June 9, 2022), the court evaluated standing under the TCPA based on a plaintiff’s number being listed on the Do Not Call list. It determined that being on the DNC list was not an easy ticket into court; plaintiff needed to allege more than just having its number on the list. Rather, the plaintiff must have actually registered their own numbers on the list.

© 2022 Vedder Price
For more Cybersecurity and Privacy Law news, click here to visit the National Law Review.

Ankura CTIX FLASH Update – December 13, 2022

Malware Activity

Uber Discloses New Data Breach Related to Third-Party Vendor

Uber has disclosed a new data breach that is related to the security breach of Teqtivity, a third-party vendor that Uber uses for asset management and tracking services. A threat actor named “UberLeaks” began leaking allegedly stolen data from Uber and Uber Eats on December 10, 2022, on a hacking forum. The exposed data includes Windows domain login names and email addresses, corporate reports, IT asset management information, data destruction reports, multiple archives of apparent source code associated with mobile device management (MDM) platforms, and more. One document in particular contained over 77,000 Uber employee email addresses and Windows Active Directory information. UberLeaks posted the alleged stolen information in four (4) separate postings regarding the Uber MDM, Uber Eats MDM, Teqtivity MDM, and TripActions MDM platforms. The actor included one (1) member of the Lapsus$ threat group in each post, but Uber confirmed that Lapsus$ is not related to this December breach despite being previously linked to the company’s cyberattack in September 2022. Uber confirmed that this breach is not related to the security incident that took place in September and that the code identified is not owned by Uber. Teqtivity published a data breach notification on December 12, 2022, that stated the company is aware of “customer data that was compromised due to unauthorized access to our systems by a malicious third party” and that the third party obtained access to its AWS backup server that housed company code and data files. Teqtivity also noted that its ongoing investigation identified the following exposed information: first name, last name, work email address, work location details, device serial number, device make, device model, and technical specs. The company confirmed that home address, banking information, and government identification numbers are not collected or retained. Uber and Teqtivity are both in the midst of ongoing investigations into this data breach. CTIX analysts will provide updates on the matter once available.

Threat Actor Activity

PLAY Ransomware Claims Responsibility for Antwerp Cyberattack

After last week’s ransomware attack on the city of Antwerp, a threat organization has claimed responsibility and has begun making demands. The threat group, tracked as PLAY ransomware, is an up-and-coming ransomware operation that has been posting leaked information since November 2022, according to an available posting on its leak site. Samples of the threat group’s ransomware variants have shown activity dating back to June 2022, which is around the time PLAY ransomware targeted the Argentina Court of Cordoba (August). While PLAY’s ransomware attack crippled several sectors of Antwerp, it appears to have had a significant impact on residential facilities throughout the city, as stated by officials. According to PLAY NEWS, PLAY’s ransomware leak site, the publication date for the exfiltrated data is Monday, December 19, 2022, if the undisclosed ransom is not paid. PLAY threat actors claim to have 557 gigabytes (GB) worth of Antwerp-related data including, but not limited to, personally identifiable information, passports, identification cards, and financial documents. CTIX continues to monitor the developing situation and will provide additional updates as more information is released.

Vulnerabilities

Fortinet Patches Critical RCE Vulnerability in FortiOS SSL-VPN Products

After observing active exploitation attempts in the wild, the network security solutions manufacturer Fortinet has patched a critical vulnerability affecting its FortiOS SSL-VPN products. The flaw, tracked as CVE-2022-42475, was given a CVSS score of 9.3/10 and is a heap-based buffer overflow, which could allow unauthenticated attackers to perform arbitrary remote code execution (RCE) if successfully exploited. Specifically, the vulnerability exists within the FortiOS sslvpnd daemon, which enables individual users to safely access an organization’s network, client-server applications, and internal network utilities and directories without the need for specialized software. The vulnerability was first discovered by researchers from the French cybersecurity firm Olympe Cyberdefense, who warned users to monitor their logs for suspicious activity until a patch was released. Although very few technical details about the exploitation have been divulged, Fortinet did share lists of suspicious artifacts and IPs. Based on research by Ankura CTIX analysts, the IPs released by Fortinet are located around the globe and are not associated with known threat actors at this time. To prevent exploitation, all Fortinet administrators running FortiOS sslvpnd should ensure that they download and install the latest patch. If organizations cannot immediately patch their systems due to the business interruption it would cause, Olympe Cyberdefense suggests “customers monitor logs, disable the VPN-SSL functionality, and create access rules to limit connections from specific IP addresses.” A list of the affected products and their solutions, as well as the indicators of compromise, can be found in the Fortinet advisory linked below.
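As an added example (not Fortinet’s, Ankura’s or Olympe Cyberdefense’s code), the following Python script shows how the interim advice above, “monitor logs” and “create access rules to limit connections from specific IP addresses”, can be turned into a simple defender-side triage pass. It parses a handful of constructed log lines in a generic key=value shape (the field names subtype, action, user, remip and process are assumptions, not the real FortiOS log schema), flags SSL-VPN sessions from addresses on an IoC list (placeholder documentation-range IPs, not the IPs Fortinet published), flags sessions from outside an allowlist of expected networks, and flags crashes of the sslvpnd process, which is a reasonable extra signal for a memory-corruption bug. Combining those three signals in one pass goes slightly beyond what the paragraph states.

```python
"""Triage of constructed SSL-VPN log lines: IoC IP matches, allowlist
violations and crashes of the sslvpnd process.

Added example, not Fortinet's, Ankura's or Olympe Cyberdefense's code. The
key=value log shape and the field names (subtype, action, user, remip,
process) are assumptions, not the real FortiOS schema; the IoC and allowlist
addresses are placeholders taken from the RFC 5737 documentation ranges.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines: two expected users, one IoC-listed source with
# repeated login failures, one unexpected source, and a daemon crash.
SAMPLE_LOGS = [
    'date=2022-12-12 time=08:01:10 subtype="sslvpn" action="tunnel-up" user="alice" remip=198.51.100.23 msg="SSL tunnel established"',
    'date=2022-12-12 time=08:02:44 subtype="sslvpn" action="login-fail" user="admin" remip=203.0.113.45 msg="SSL user failed to log in"',
    'date=2022-12-12 time=08:02:45 subtype="sslvpn" action="login-fail" user="admin" remip=203.0.113.45 msg="SSL user failed to log in"',
    'date=2022-12-12 time=08:03:01 subtype="sslvpn" action="tunnel-up" user="bob" remip=192.0.2.77 msg="SSL tunnel established"',
    'date=2022-12-12 time=08:05:30 subtype="system" action="crash" process="sslvpnd" msg="Application crashed"',
]

# Placeholder IoC list; a real one would be copied from the vendor advisory.
IOC_IPS = {"203.0.113.45"}
# Placeholder allowlist of the networks that should reach the SSL-VPN at all.
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# key=value or key="value with spaces"
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def in_allowlist(ip: str, nets) -> bool:
    """True if ip falls inside any of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def triage(lines, allowed_nets=ALLOWED_NETS, ioc_ips=IOC_IPS):
    """Return (kind, source_ip, user) findings for every suspicious line.

    kind is one of: ioc_match, outside_allowlist, daemon_crash.
    """
    findings = []
    for line in lines:
        e = parse_line(line)
        ip = e.get("remip")
        if e.get("subtype") == "sslvpn" and ip:
            if ip in ioc_ips:
                findings.append(("ioc_match", ip, e.get("user")))
            elif not in_allowlist(ip, allowed_nets):
                findings.append(("outside_allowlist", ip, e.get("user")))
        # A crash of the daemon carrying the heap overflow deserves a look on
        # its own (assumption: failed exploitation attempts may crash it).
        elif e.get("action") == "crash" and e.get("process") == "sslvpnd":
            findings.append(("daemon_crash", None, None))
    return findings


def summarize(findings) -> dict:
    """Count findings by kind, e.g. {'ioc_match': 2, ...}."""
    return dict(Counter(kind for kind, _, _ in findings))


def candidate_block_list(findings) -> list:
    """Distinct source IPs behind ioc_match/outside_allowlist findings, for an
    analyst to review before turning them into access rules."""
    return sorted({ip for _, ip, _ in findings if ip is not None})


if __name__ == "__main__":
    found = triage(SAMPLE_LOGS)
    for kind, ip, user in found:
        print(f"{kind:18} ip={ip} user={user}")
    print(summarize(found))
    print("review for access rules:", candidate_block_list(found))
```

The script only proposes a review list; turning it into firewall rules is a change-controlled step, and the allowlist should be tightened first (the advice on the page is to limit which source addresses can reach the SSL-VPN at all, which is stronger than blocking known-bad IPs after the fact).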

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. 

Copyright © 2022 Ankura Consulting Group, LLC. All rights reserved.

How Many Websites Now Have Cookie Banners?

A “cookie banner” refers to a pop-up notice on a website that discusses the site’s use of cookies. There is little standardization concerning how cookie banners are deployed. For example, websites can position them in different places on the screen (e.g., across the top of the screen, across the bottom of the screen, in a corner of the screen, or centered on the screen). Cookie banners also utilize different language to describe what cookies are and use different terms to describe options consumers may have in relation to the deployment of cookies. Some cookie banners require that a consumer interact with the banner (e.g., accept, cancel, or click out of) before the consumer can visit a website; other cookie banners are designed to disappear from view after several seconds.

As of October 2022, 45% of Fortune 500 websites were utilizing a cookie banner.[1] That represents an 11-point increase since 2021.[2]

[1] Greenberg Traurig LLP reviewed the publicly available privacy notices and practices of 555 companies (the Survey Population). The Survey Population comprises companies that had been ranked within the Fortune 500 at some point in the past five years as well as additional companies selected from industries that are underrepresented in the Fortune 500. While the Survey Population does not fully match the current Fortune 500 as a result of industry consolidation and shifts in company capitalization, we believe that the aggregate statistics rendered from the Survey Population are representative of mature companies. Greenberg Traurig’s latest survey was conducted between September and October 2022.

[2] Greenberg Traurig LLP conducted a survey in December 2020 which showed that 34.2% of websites had cookie banners.

©2022 Greenberg Traurig, LLP. All rights reserved.

Privacy Rights in a Remote Work World: Can My Employer Monitor My Activity?

The rise in remote work has brought with it a rise in employee monitoring.  Between 2019 and 2021, the percentage of employees working primarily from home tripled.  As “productivity paranoia” crept in, employers steadily adopted employee surveillance technologies.  This has raised questions about the legal and ethical implications of enhanced monitoring, in some cases prompting proposed legislation or the expanded use of laws already on the books.

Employee monitoring is nothing new.  Employers have long used supervisors and timeclock programs, among other systems, to monitor employee activity.  What is new, however, is the proliferation of sophisticated monitoring technologies—as well as the expanding number and variety of companies that are employing them.

While surveillance was once largely confined to lower-wage industries, white-collar employers are increasingly using surveillance technologies to track their employees’ activity and productivity.  Since the COVID-19 pandemic started in March 2020, one in three medium-to-large companies has adopted some form of employee monitoring, with the total fraction of employers using surveillance technologies closer to two in three.  Workers who are now subject to monitoring technologies include doctors, lawyers, academics, and even hospice chaplains.  Employee monitoring technologies can track a range of information, including:

• Internet use (e.g., which websites and apps an employee has visited and for how long);
• How long a computer sits idle;
• How many keystrokes an employee types per hour;
• Emails that are sent or received from a work or personal email address (if the employee is logged into a personal account on a work computer);
• Screenshots of a computer’s display; and
• Webcam photos of the employee throughout the day.

These new technologies, coupled with the shift to remote work, have blurred the line between the professional and the personal, the public and the private.  In the face of increased monitoring, this blog explores federal and state privacy regulations and protections for employees.

What are the legal limitations on employee monitoring?

There are two primary sources of restrictions on employee monitoring: (1) the Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. §§ 2510 et seq.; and (2) common-law protections against invasions of privacy.  The ECPA is the only federal law that regulates the monitoring of electronic communications in the workplace.  It extends the Federal Wiretap Act’s prohibition on the unauthorized interception of communications, which was initially limited to oral and wire communications, to cover electronic communications like email.  As relevant here, the ECPA contains two major exceptions.  The first exception, known as the business purpose exception, allows employers to monitor employee communications if they can show that there is a legitimate business purpose for doing so.  The second exception, known as the consent exception, permits employers to monitor employee communications so long as they have consent to do so.  Notably, this exception is not limited to business communications, allowing employers to monitor employees’ personal communications if they have the requisite consent.  Together, the business purpose and consent exceptions significantly limit the force of the ECPA, such that, standing alone, it permits most forms of employee monitoring.

In addition to the ECPA’s limited protections from surveillance, however, some states have adopted additional protections of employee privacy.  Several state constitutions, including those of California, South Carolina, Florida, and Louisiana, guarantee citizens a right to privacy.  While these provisions do not directly regulate employers’ activity, they may bolster employees’ claims to an expectation of privacy.  Other states have enacted legislation that limits an employer’s ability to monitor employees’ social media accounts.  Virginia, for example, prohibits employers from requiring employees to disclose their social media usernames or passwords.  And a few states have enacted laws to bolster employees’ access to their data.  For example, the California Privacy Rights Act (CPRA), which comes into full effect on January 1, 2023, and replaces the California Consumer Privacy Act (CCPA), will provide employees with the right to access, delete, or opt-out of the sale of their personal information, including data collected through employee monitoring programs.  Employees will also have the right to know where, when, and how employers are using their data.  The CPRA’s protections are limited, however.  Employers will still be able to use surveillance technologies, and to make employment decisions based on the data these technologies gather.

Finally, several states require employers to provide notice to employees before monitoring or intercepting electronic communications.  New York recently adopted a law, Senate Bill (SB) S2628, that requires all private-sector employers to provide notice of any electronic monitoring to employees (1) upon hiring, via written or electronic employee acknowledgment; and (2) in general, in a “conspicuous place” in the workplace viewable to all employees.  The new law is aimed at the forms of monitoring that have proliferated since the shift to remote work, and covers surveillance technologies that target the activities or communications of individual employees.  Delaware and Connecticut also have privacy laws that predate SB S2628.  Delaware requires notice to employees upon hire that they will be monitored, but does not require notice within the workplace.  Meanwhile, Connecticut requires notice of monitoring to be conspicuously displayed in the workplace but does not require written notice to employees upon hire.  Accordingly, in many states, employee privacy protections exceed the minimum standard of the ECPA, though they still are not robust.

How does employee monitoring intersect with other legal rights?

Other legal protections further limit employee monitoring.

First, in at least some jurisdictions, employees who access personal emails on their work computer, or conduct other business that would be protected under attorney-client privilege, maintain their right to privacy for those communications.  In Stengart v. Loving Care Agency, Inc., 408 N.J. Super. 54 (App. Div. 2009), the Superior Court of New Jersey, Appellate Division, considered a case in which an employee had accessed her personal email account on her employer’s computer and exchanged emails from that account with her attorney regarding a possible employment case against her employer.  The employer, who had installed an employee monitoring program, was able to access and read the employee’s emails.  The Court held that the employee still had a reasonable expectation of privacy and that sending and receiving emails on a company-issued laptop did not waive the attorney-client privilege.  The Court thus required the employer to turn over all emails between the employee and her attorney that were in its possession and directed the employer to delete all of these emails from its hard drives.  Moving forward, the Court instructed that, while “an employer may trespass to some degree into an employee’s privacy when buttressed by a legitimate business interest,” such a business interest held “little force . . . when offered as the basis for an intrusion into communications otherwise shielded by the attorney-client privilege.”  Stengart, 408 N.J. Super. at 74.

Second, employee monitoring can run afoul of protections related to union and other concerted activity.  The General Counsel for the National Labor Relations Board (NLRB) recently announced a plan to curtail workplace surveillance technologies.  Existing law prohibits employers from using surveillance technologies to monitor or record union activity, such as by recording employees engaged in picketing, or otherwise interfering with employees’ rights to engage in concerted activity.  The General Counsel’s plan outlines a new, formal framework for analyzing whether employee monitoring interferes with union or concerted activity.  Under this framework, an employer presumptively violates Section 7 or Section 8 of the National Labor Relations Act (NLRA) where their “surveillance and management practices, viewed as a whole, would tend to interfere with or prevent a reasonable employee from engaging in” protected activities.  Examples of technologies that are presumptively violative include key loggers, webcam photos, and audio recordings.

Do I have a claim against my employer?

While federal and state restrictions on employee monitoring are limited, you may have a legal claim against your employer if its monitoring is overly intrusive or it mishandles your personal data.  First, an invasion-of-privacy claim, for the tort of intrusion upon seclusion, could exist if your employer monitors your activity in a way that would be highly offensive to a reasonable person, such as by accessing your work laptop’s webcam or internal microphone and listening in on private affairs in your home.  Second, you may have a claim against your employer for violating its legal duty to protect your personal information if data it collects in the course of monitoring your work activity is compromised.  In Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018), employees at the University of Pittsburgh Medical Center and UPMC McKeesport (collectively, UPMC) filed a class-action complaint alleging that UPMC breached its legal duty of reasonable care when it failed to protect employees’ data, which was stolen from UPMC computers.  The Pennsylvania Supreme Court found for the plaintiffs, holding that employers have an affirmative duty to protect the personal information of their employees.  Because the Pennsylvania Supreme Court’s holding was grounded in tort principles that are recognized by many states (i.e., duty of care and negligence), it may pave a path for future cases in other jurisdictions.  Third, if any medical information is accessed and improperly used by your employer, you may have a claim under the Americans with Disabilities Act, which requires that employers keep all employee medical information confidential and separate from all other personnel information.  See 42 U.S.C. § 12112(d)(3)(B)-(C), (4)(B)-(C).

Conclusion

Employees are monitored more consistently and in more ways than ever before. By and large, employee monitoring is legal.  Employers can monitor your keystrokes, emails, and internet activity, among other metrics.  While federal regulation of employee monitoring is limited, some states offer additional protections of employee privacy.  Most notably, employers are increasingly required to inform employees that their activity will be monitored.  Moreover, other legal rights, such as the right to engage in concerted activity and to have your medical information kept confidential, provide checks on employee surveillance.  As employee monitoring becomes more commonplace, restrictions on surveillance technologies and avenues for legal recourse may also grow.

Katz Banks Kumin LLP Copyright ©

New York Enacts Crypto Mining Moratorium

On November 22, 2022, New York Governor Kathy Hochul signed into law a two-year moratorium against granting permits to crypto mining operations that “are operated through electric generating facilities that use a carbon-based fuel.” Renewable sources of energy are not impacted.

The legislation, among the first of its kind in the nation, prohibits the state’s Department of Environmental Conservation from issuing any new or renewal permits to electricity generating facilities reliant on carbon-based fuel supporting crypto mining operations that use proof-of-work authentication methods to validate blockchain transactions. The law applies to all permits and renewal applications filed after its effective date, and therefore grandfathers certain businesses that held permits prior to the date of enactment. The Department of Environmental Conservation and the Department of Public Service are also tasked under the legislation with preparing an environmental impact statement on cryptocurrency mining operations that use proof-of-work authentication techniques.


Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.