Ankura Cyber Threat Intelligence Bulletin: August – September 2022

Over the past sixty days, Ankura’s Cyber Threat Investigations & Expert Services (CTIX) Team of analysts has compiled key learnings about the latest global threats and current cyber trends into an in-depth report: The Cyber Threat Intelligence Bulletin. This report provides high-level executives, technical analysts, and everyday readers with the latest intel and insights from our expert analysts.

Download the report for an in-depth look at the key cyber trends to watch and help safeguard your organization from constantly evolving cyber threats with the latest cyber intelligence, ransomware, and threat insights.

Our latest report explains the following observations in detail:

Law Enforcement Works with Threat Intelligence to Prosecute Human Traffickers

In the age of high-speed internet and social media, criminals have evolved to use information technology to bolster their criminal enterprises, and human traffickers are no different. Whether it be through the clearnet or dark web, human traffickers have leveraged the internet to scale their operations, forcing law enforcement to reevaluate how to best combat this problem. In response to the changes in trafficker tactics, techniques, and procedures (TTPs), governments across the world have responded with legislation and policies in an attempt to better thwart the efforts of these criminals. Researchers from Recorded Future’s Insikt Group have published compelling reports as a proof-of-concept (PoC) for a methodology on how law enforcement agencies and investigators can utilize real-time threat intelligence to leverage sources of data in order to aid in tracking, mitigating, and potentially prosecuting human sex traffickers. Download the full report for additional details on law enforcement efforts to prosecute human traffickers and more on the Insikt Group’s findings.

Emerging Threat Organization “MONTI”: Sister Organization or Imposter Threat Group?

Over the past several weeks a new, potentially imposter, threat organization has mimicked the tactics, techniques, and procedures (TTPs), and infrastructure of the Conti Ransomware Group. Tracked as MONTI, this doppelganger organization emerged in the threat landscape in July 2022 after compromising a company and encrypting approximately twenty (20) hosting devices and a multi-host VMware ESXi instance tied to over twenty (20) additional servers. While the July attack pushed the group into the limelight, analysts believe that attacks from the doppelganger organization go back even further into the early summer of 2022. Similarities discovered between Conti Ransomware and the alleged spinoff Monti Ransomware include attack TTPs alongside the reuse of Conti-attributed malicious payloads, deployed tools, and ransom notes. Additionally, the encrypted files exfiltrated by Monti contain nearly identical encryption, which could indicate code re-usage. Read the full report to find out what CTIX analysts expect to see from this group in the future.

Figure 1: Conti Ransom Note

Figure 2: Monti Ransom Note

Iranian State-Sponsored Threat Organization’s Attack Timeline Targeting the Albanian Government

In July 2022, nation-state Iranian threat actors, identified by the FBI as “Homeland Justice”, launched a “destructive cyber-attack” against the Government of NATO-member Albania in which the group acquired initial access to the victim network approximately fourteen (14) months before (May of 2021). During this period, the threat actors continuously accessed and exfiltrated email content. The peak activity was observed between May and June of 2022, where actors conducted lateral movements, network reconnaissance, and credential harvesting.

This attack and eventual data dumps were targeted against the Albania-based Iranian dissident group Mujahideen E-Khalq (MEK), otherwise known as the People’s Mojahedin Organization of Iran. MEK is a “controversial Iranian resistance group” that was exiled to Albania and once listed by the United States as a Foreign Terrorist Organization for activity in the 1970s but was later removed in late 2012. Albania eventually severed diplomatic ties with Iran on September 7, 2022, and is suspected to be the first country to ever have done so due to cyber-related attacks. For a more detailed analysis of this attack and its ramifications, download our full report.

Figure: Homeland Justice Ransom Note Image

Banning Ransomware Payments Becomes Hot-Button Issue in State Legislature

There is a debate occurring in courtrooms across the United States regarding the ethics and impacts of allowing businesses to make ransomware payments. North Carolina and Florida broke new ground earlier this year by passing laws that prohibit state agencies from paying cyber extortion ransom demands. While these two (2) states have been leading the way in ransomware laws, at least twelve (12) other states have addressed ransomware in some way, adding criminal penalties for those involved and requiring public entities to report ransomware incidents. Download the full report to discover what experts think of government ransomware payment bans and the potential effects they could have on ransomware incidents.

Threat Actor of the Month: Worok

ESET researchers discovered a new cluster of the long-active TA428 identified as “Worok.” TA428 is a Chinese advanced persistent threat (APT) group first identified by Proofpoint researchers in July 2019 during “Operation LagTime IT”, a malicious attack campaign targeted against government IT agencies in East Asia. Download the full report for an in-depth look at Worok’s tactics and objectives, and insights from our analysts about the anticipated future impact of this group.

New List of Trending Indicators of Compromise (IOCs)

IOCs can be utilized by organizations to detect security incidents more quickly as indicators may not have otherwise been flagged as suspicious or malicious. Explore our latest list of technical indicators of compromise within the past sixty (60) days that are associated with monitored threat groups and/or campaigns of interest.

Copyright © 2022 Ankura Consulting Group, LLC. All rights reserved.

First BIPA Trial Results in $228M Judgment for Plaintiffs

Businesses defending class actions under the Illinois Biometric Information Privacy Act (BIPA) have struggled to defeat claims in recent years, as courts have rejected a succession of defenses.

We have been following this issue and have previously reported on this trend, which continued last week in the first BIPA class action to go to trial. The Illinois federal jury found that BNSF Railway Co. violated BIPA, resulting in a $228 million award to a class of more than 45,000 truck drivers.

Named plaintiff Richard Rogers filed suit in Illinois state court in April 2019, and BNSF removed the case to the US District Court for the Northern District of Illinois. Plaintiff alleged on behalf of a putative class of BNSF truck drivers that BNSF required the drivers to provide biometric identifiers in the form of fingerprints and hand geometry to access BNSF’s facilities. The lawsuit alleged BNSF violated BIPA by (i) failing to inform class members their biometric identifiers or information were being collected or stored prior to collection, (ii) failing to inform class members of the specific purpose and length of term for which the biometric identifiers or information were being collected, and (iii) failing to obtain informed written consent from class members prior to collection.

In October 2019, the court rejected BNSF’s legal defenses that the class’s BIPA claims were preempted by three federal statutes governing interstate commerce and transportation: the Federal Railroad Safety Act, the Interstate Commerce Commission Termination Act, and the Federal Aviation Administration Authorization Act. The court held that BIPA’s regulation of how BNSF obtained biometric identifiers or information did not unreasonably interfere with federal regulation of rail transportation, motor carrier prices, routes, or services, or safety and security of railroads.

Throughout the case, including at trial, BNSF also argued it should not be held liable where the biometric data was collected by its third-party contractor, Remprex LLC, which BNSF hired to process drivers at the gates of BNSF’s facilities. In March 2022, the court denied BNSF’s motion for summary judgment, pointing to evidence that BNSF employees were also involved in registering drivers in the biometric systems and that BNSF gave direction to Remprex regarding the management and use of the systems. The court concluded (correctly, as it turned out) that a jury could find that BNSF, not just Remprex, had violated BIPA.

The case proceeded to trial in October 2022 before US District Judge Matthew Kennelly. At trial, BNSF continued to argue it should not be held responsible for Remprex’s collection of drivers’ fingerprints. Plaintiff’s counsel argued BNSF could not avoid liability by pleading ignorance and pointing to a third-party contractor that BNSF controlled. Following a five-day trial and roughly one hour of deliberations, the jury returned a verdict in favor of the class, finding that BNSF recklessly or intentionally violated BIPA 45,600 times. The jury did not calculate damages. Rather, because BIPA provides for $5,000 in liquidated damages for every willful or reckless violation (and $1,000 for every negligent violation), Judge Kennelly applied BIPA’s damages provision, which resulted in a judgment of $228 million in damages. The judgment does not include attorneys’ fees, which plaintiff is entitled to and will inevitably seek under BIPA.

While an appeal will almost certainly follow, the BNSF case serves as a stark reminder of the potential exposure companies face under BIPA. Businesses that collect biometric data must ensure they do so in compliance with BIPA and other biometric privacy regulations. Where BIPA claims have been asserted, companies should promptly seek outside counsel to develop a legal strategy for a successful resolution.

© 2022 ArentFox Schiff LLP

The Top 10 Do’s and Don’ts of Selling a Cell Lease

When you sell a cell lease, in addition to assigning the lease and rents to the purchaser, you also sell the purchaser the right to put communications antennas on your property for 50 years or more. Done properly, this can be very advantageous, but if done improperly, the right, coupled with its lengthy term, can be harmful, especially for valuable properties.

While the intricacies of such sales should be left to professionals (the sale documents are often 15-20 pages long to protect the property owner), here is a short list of items unique to cell lease sales which property owners should keep in mind. This list is based on years of experience helping clients sell over 100 leases.

  1. Sell the cell lease first if you will be selling the property with the lease. Recently, leases have sold for around 20 times annual revenues. Done properly, a lease sale will add dollar for dollar to the sales price of the property it’s on.
  2. Don’t use the documents from the purchaser without extensively revising them (we often toss them out and use our own documents). They are usually so overreaching that using them “as is” can reduce or destroy the value of the property with the lease.
  3. Include provisions protecting the future use, development and value of the property with the lease.
  4. Have a relocation provision so you can require the leased area to be moved to another location on the property if needed for the maintenance, repair or redevelopment of the property.

The following items are particularly important for areas where the leased space is on a building rather than for a tower on open land. Buildings are generally much more valuable than open land (so the potential harm from bad terms is greater), there often are two or more parcels being leased (equipment on the ground, antennas on the roof, cables in between) and property owners need to be specific on the rights being sold and retained.

  • Clearly describe, with engineering drawings if needed, the areas of the building the purchaser can use.
  • Spell out the types of communications uses the purchaser can conduct and the equipment it may place in these areas.
  • Also spell out the rights the building owner and tenants retain to use these same areas (as well as other parts of the building) for their antennas, HVAC, elevators, etc.
  • Describe the types of communications uses and radios that the building owner, residents and tenants have retained and do not violate the sale.
  • Attach engineering drawings showing the equipment currently on the building.
  • Require landlord approval of changes to the preceding and the reasons the approval can be withheld.

© 2022 Varnum LLP

White House Office of Science and Technology Policy Releases “Blueprint for an AI Bill of Rights”

On October 4, 2022, the White House Office of Science and Technology Policy (“OSTP”) unveiled its Blueprint for an AI Bill of Rights, a non-binding set of guidelines for the design, development, and deployment of artificial intelligence (AI) systems.

The Blueprint comprises five key principles:

  1. The first Principle is to protect individuals from unsafe or ineffective AI systems, and encourages consultation with diverse communities, stakeholders and experts in developing and deploying AI systems, as well as rigorous pre-deployment testing, risk identification and mitigation, and ongoing monitoring of AI systems.

  2. The second Principle seeks to establish safeguards against discriminative results stemming from the use of algorithmic decision-making, and encourages developers of AI systems to take proactive measures to protect individuals and communities from discrimination, including through equity assessments and algorithmic impact assessments in the design and deployment stages.

  3. The third Principle advocates for building privacy protections into AI systems by default, and encourages AI systems to respect individuals’ decisions regarding the collection, use, access, transfer and deletion of personal information where possible (and where not possible, use default privacy by design safeguards).

  4. The fourth Principle emphasizes the importance of notice and transparency, and encourages developers of AI systems to provide a plain language description of how the system functions and the role of automation in the system, as well as when an algorithmic system is used to make a decision impacting an individual (including when the automated system is not the sole input determining the decision).

  5. The fifth Principle encourages the development of opt-out mechanisms that provide individuals with the option to access a human decisionmaker as an alternative to the use of an AI system.

In 2019, the European Commission published a similar set of automated systems governance principles, called the Ethics Guidelines for Trustworthy AI. The European Parliament currently is in the process of drafting the EU Artificial Intelligence Act, a legally enforceable adaptation of the Commission’s Ethics Guidelines. The current draft of the EU Artificial Intelligence Act requires developers of open-source AI systems to adhere to detailed guidelines on cybersecurity, accuracy, transparency, and data governance, and provides for a private right of action.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

‘Work From the Ballpark’—Is the Latest Remote Work Promotion a Foul Ball?

Some professional baseball teams are beginning to promote “Work From the Ballpark” days, encouraging fans to bring their laptops to a weekday afternoon game and work remotely from their seats. Under such promotions, fans can purchase tickets for a special section of the ballpark with access to WiFi, tables, and food so that they can stay logged on at work while enjoying the sights and sounds of the game. Employers are likely accustomed to dealing with employees who play hooky to attend an afternoon baseball game. But with the rise of remote work—and promotions such as these—should employers be concerned with employees logging into work from the ballpark?

While such a promotion might be cheeky marketing to increase attendance for midweek games, it highlights an ongoing concern for employers with remote employees—that instead of diligently working in home offices, employees are working, or attempting to appear to be working, while distracted or in a potentially problematic environment. Indeed, working from a sports stadium could put confidential work communications and information at risk with laptop screens in easy view of onlookers and lead to network security issues with public WiFi.

Employers may want to dust off their remote work policies and evaluate whether they provide clarity around appropriate locations to perform work.

What Can Employers Do About Nontraditional Remote Work Environments?

  1. Clear Remote Work Policies

Employers may want to review their policies to ensure there are clear provisions or guidelines governing what locations are appropriate for working remotely. As an additional element of security and visibility, employers may further want to require that employees performing certain kinds of sensitive work obtain consent to work from a secure location other than home when necessary.

  2. Employee Work Locations

In certain workplaces, employers may want to consider how they monitor employees and their productivity. Many technology tools enable employers to track employees’ online activities or the physical locations of company devices. Of course, employers may want to evaluate employee relations considerations tied to any monitoring program as well as the increasing and myriad state and local laws addressing employer monitoring programs.

  3. Network and Information Security Software

Employers mandating that employees perform any work on employer-provided hardware (e.g., employer-provided laptops) may want to ensure those devices have network and information security and location monitoring software installed and that the technology is up-to-date and sufficient for employees to perform their jobs. Employers that do allow employees to use their own devices (BYOD) may want to require the installation of similar remote work software on those devices. Employers may also want to consider providing employees with internet hotspots for times when employers know employees will be working in public locations to avoid having employees working from shared or open networks. At the same time, employers may want to beware of the risk that such hardware will be lost or stolen.

  4. Security Measures

In addition to hardware requirements, employers may want to consider implementing policies that require employees to take basic security measures on their own while working from a public location. Employers may consider requiring employees to take work phone calls in secure places, require the use of privacy screens over laptop monitors, warn against leaving laptops and other hardware unattended, and mandate other actions to address basic privacy and proprietary information concerns.

  5. Compensation for Time

If an employer does become aware that an employee has performed work at the ballpark or in another location where distractions may have been present, the employer may question whether it must pay the employee for the time the employee logged that day. There are a myriad of federal and state wage-and-hour laws that employers can consult (as well as a review of the employer’s policies) that will answer this question. Usually, however, if employees report that they performed work, the employer may decide to compensate them for their time and evaluate whether there is a separate counseling or disciplinary issue that relates to policy or rule violations to consider.

Key Takeaways

Employees working from home or remotely, at least part of the time, appears to be the future for many workplaces across the United States as technology has made it easier for employees to stay connected with work and complete work tasks. The “Work From the Ballpark” promotion may serve as a reminder for employers that they may want to consider ways to ensure employees are working from appropriate locations to maintain productivity and information security with a remote workforce.

© 2022, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.

Former Uber Security Chief Found Guilty in Criminal Trial for Failure to Disclose Breach to FTC

On October 5, 2022, former Uber security chief Joe Sullivan was found guilty by a jury in U.S. federal court for his alleged failure to disclose a breach of Uber customer and driver data to the FTC in the midst of an ongoing FTC investigation into the company. Sullivan was charged with one count of obstructing an FTC investigation and one count of misprision, the act of concealing a felony from authorities.

The government alleged that in 2016, in the midst of an ongoing FTC investigation into Uber for a 2014 data breach, Sullivan learned of a new breach that affected the personal information of more than 57 million Uber customers and drivers. The hackers allegedly demanded a ransom of at least $100,000 from Uber. Instead of reporting the new breach to the FTC, Sullivan and his team allegedly paid the ransom and had the hackers sign a nondisclosure agreement. Sullivan also allegedly did not report the breach to Uber’s General Counsel. Uber did not publicly disclose the incident or inform the FTC of the incident until 2017, when Uber’s new chief executive, Dara Khosrowshahi, joined the company.

This case is significant because it represents the first time a company executive has faced criminal prosecution related to the handling of a data breach.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Twelve Tips for Effective In-Person Networking in the Post-Pandemic World

I recently got on my first flight since the pandemic. I had been avoiding travel and conferences for many reasons, but it’s time to stop hiding at home and behind my computer screen.

Over the next few weeks I am speaking at several lawyer retreats and industry conferences – I’m excited but nervous.

I feel like a fish out of water (I accidentally let my TSA pre-check expire as well as my passport during Covid). It’s also the first time I’m leaving my pandemic puppies (I think it’s more traumatic for me than them).

I’m looking forward to seeing familiar faces and meeting new ones, and getting to know my clients in a setting other than Zoom because human connections are important and powerful.

In-person networking is essential – it is the secret sauce to building long-term and meaningful relationships. Those relationships can lead to opportunities of all kinds.

Even as an extroverted extrovert, I’m a bit rusty on networking.

I have been doing countless presentations to a computer screen since March 2020 and so being able to see and interact with real people is a much welcome change. A return to “normalcy.”

But after years of being an “expert” networker, I’m not actually sure what to do when I actually see people again in a professional group setting.

Do I hug? (I’m Italian, we like to hug) Shake hands? Fist bump? Just smile and nod? So glad we aren’t bathing in hand sanitizer anymore or cloroxing everything with which we come in touch.

Many of us are in the same position after the past few years, and we don’t feel like the same person we used to be. But that’s okay. Let’s collectively give ourselves a break (and some grace). We are all in the same boat – together.

Here are 12 tips for effective in-person networking I plan to use:

  1. Ask people about themselves more than I talk about myself.
  2. Practice active listening.
  3. Say their names a few times when talking to them – it helps me remember them and makes people like you more.
  4. Write notes after each meaningful conversation.
  5. Exit conversations gracefully.
  6. Follow up and connect on LinkedIn with new and renewed contacts.
  7. Put my LinkedIn QR code on my iPhone home screen to facilitate easy networking. Here’s how.
  8. Add new contacts to my CRM.
  9. Immerse myself in the programming. I am not going to check my email every second or do unnecessary work.
  10. Write a key takeaways blog and LinkedIn post from the sessions I enjoyed and tag the speakers.
  11. Create an email OOO message that supports my brand and business (see example from Paula Edgar).
  12. Have an intimate dinner with my clients/colleagues to get to know them better.

Do you have any tips for in-person networking in the post-pandemic environment?

Copyright © 2022, Stefanie M. Marrone. All Rights Reserved.

Cyber Incident Reporting for Critical Infrastructure Act

On September 12, 2022, the Cybersecurity and Infrastructure Security Agency (“CISA”) released a Request for Information (“RFI”) seeking public input regarding the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The public comment period will close on November 14th, 2022. The RFI provides a “non-exhaustive” list of topics on which CISA seeks public input, including:

  • Definitions and criteria of various terms, such as “covered entity,” “covered cyber incident,” “substantial cyber incident,” “ransom payment,” “ransom attack,” “supply chain compromise” and “reasonable belief;”
  • Content of reports on covered cyber incidents and the submission process (e.g., how entities should submit reports, report timing requirements, and which federal entities should receive reports);
  • Any conflict with existing or proposed federal or state cyber incident reporting requirements;
  • The expected time and costs associated with reporting requirements; and
  • Common best practices governing the sharing of information related to security vulnerabilities in the U.S. and internationally.

In March 2022, President Biden signed CIRCIA into law. CIRCIA creates legal protections and provides guidance to companies that operate in critical infrastructure sectors, including a requirement to report cyber incidents within 72 hours, and report ransom payments within 24 hours. The CISA website features more information about the law, the RFI, and a list of public listening sessions with CISA to provide input.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Metaverse Casinos: A Regulatory Wild West

A New World of Gaming

The metaverse is an immersive online universe on the blockchain where users interact with a multitude of digital worlds and with each other. As in the real world, the metaverse offers a wide variety of activities and entertainment options. The metaverse has become a haven for gaming. Users can explore casino “districts,” offering slots, poker, roulette, blackjack and more, go to shows and nightclubs, and even purchase real estate, including an entire casino. Some platforms within the metaverse are more developed than others, with their own parcels of land, decentralized governmental structures and native tokens. As this space continues to expand into various aspects of daily life, participants in the metaverse ecosystem, and in particular, gaming operators, should proceed with caution as the line between fantasy and reality continues to blur.

The metaverse provides an alternative virtual reality for those who visit, seemingly outside of the legal and regulatory structure of the real world. Now, due to the development of digital assets1 including cryptocurrencies and non-fungible tokens (“NFTs”), visitors can add real-world economic value to some in-game activities. Players can buy, sell, or gamble items in the metaverse for digital assets that can convert to fiat currency, further blurring the lines between a virtual game experience and reality. What seems to some like a game will increasingly have real-world economic consequences for users, and the businesses with which they engage in the metaverse, resulting in more regulatory scrutiny and legal disputes.

Metaverse Gaming vs. Traditional Online Gaming

It is helpful to distinguish metaverse gaming from traditional online gaming. Gaming in the metaverse and online gaming both allow users to play casino games with their friends and social network virtually without the burdens and restrictions of physical travel. Unlike traditional online casinos, the metaverse attempts to replicate the full casino experience, allowing users to explore a digital representation of a casino using a unique avatar and virtual reality technology. Through advancements in technology, users can control their avatar’s behavior in a similar manner to controlling their own conduct in the real world. Essentially, avatars are digital representations of users – they physically walk around and engage with other avatars, including making observations of other avatars’ tells and contributing to an authentic casino experience, all from the comfort of home.

Metaverse casinos generally do not accept traditional fiat currency. A metaverse casino requires a participant to convert their fiat into one of the cryptocurrencies accepted in the metaverse and deposit funds using a crypto wallet. Users exchange the NFTs and cryptocurrency that they win in the metaverse for fiat currency in the real world, however.

The use of crypto in metaverse gaming has some clear benefits. In addition to providing an immersive interaction compared to fiat-based online gambling platforms, metaverse casinos offer higher levels of security, transparency, and privacy for users. For example, the entire transaction history is accessible on a blockchain. Although the transaction is visible on a blockchain, users may remain anonymous without having to disclose certain personal information, thereby protecting privacy. Deposits and withdrawals are processed virtually instantaneously because there is no third party verifying the transaction.

Regulatory Considerations for Metaverse Gaming

Casino and sports gaming is one of the most heavily regulated industries in the United States. The regulation is primarily at the state level. Some mistakenly believe the metaverse is insulated from real life legal restrictions. To the contrary, any gaming and wagering activity, which constitutes a game of chance involving the risk of something of value and a prize,2 that is being offered to U.S. citizens in the metaverse (on an unregulated basis) is likely to draw the attention of regulators.

Despite the popularity of metaverse gaming, the top U.S. operators have largely stayed on the sidelines while offshore and smaller companies dominate the space. This is unsurprising for three reasons:

  1. The fact that metaverse gaming lacks a dedicated regulatory framework and online gaming is legal in only a handful of states;

  2. As we wrote previously, the reluctance of regulated gaming companies operating in the U.S. to pursue the legal use of cryptocurrency given its volatility, lack of acceptance, and regulatory and/or legislative hurdles; and

  3. General legal uncertainty.

An operator that wishes to offer a gaming platform to U.S. citizens in the metaverse would need to do so with the express permission and under the oversight of each state’s gaming commission whose residents they serve. This may also require new legislation and regulatory schemes. For example, Wyoming, an early adopter of cryptocurrency, passed legislation in 2021 that allows sportsbooks to accept “digital, crypto and virtual currencies.”3 Generally, however, regulators and legislators are not known for their speed in adopting new and emerging technologies and the industry as a whole is still working toward more immediate and attainable goals, such as expanding legal online gaming. Currently, fewer than 10 states offer online casinos and/or poker.

There is significant regulatory and legal uncertainty surrounding metaverse casinos. For example, which oversight bodies have authority to regulate metaverse casinos? Can users face consequences in the real world for the actions of their avatar in metaverse casinos? How are players protected from unlawful conduct in metaverse casinos? Can operators be held responsible for that misconduct? State gaming regulators would have jurisdiction over gaming activity being offered to their residents in the metaverse alongside other regulators including the SEC, the U.S. Commodity Futures Trading Commission, and the Financial Crimes Enforcement Network, given the use of cryptocurrency and NFTs.[4] At this early stage, there are more questions than answers. The history of the real-world gaming industry suggests it is highly probable that metaverse casinos will be subject to direct regulation.

New Legal Parameters Around Metaverse Gaming Are Expected

The competitive nature of the U.S. gaming market, the vast lobbying power of licensed gaming operators, and the substantial fees for licensure indicate that it is not a matter of if, but when regulators will intervene in metaverse gaming. While the concept of metaverse casinos is exciting and creates the opportunity for significant growth in the gaming industry, like many innovations, it brings additional challenges and risks for operators.

In fact, earlier this year securities regulators in Texas and Arizona demanded that a metaverse casino developer cease its funding for the development of its metaverse casino (and expansion of its metaverse casinos to all other relevant metaverses) through NFTs for failing to register the NFTs as securities and on the grounds that it was conducting an illegal fraudulent securities scheme.[5]

About a month later, securities regulators in Texas, Wisconsin, Kentucky, New Jersey, and Alabama filed an action against another metaverse casino due to its alleged ties to Russia and a fraudulent investment scheme it was running in violation of securities laws.[6] The Texas State Securities Board stated its concerns about scammers being able to hide their identities (also referred to as “going dark”), as they alleged occurred here, in metaverse casinos.

In addition, just a few months ago, 28 members of Congress urged the Department of Justice to work with the industry and other stakeholders to prosecute offshore sports betting companies operating illegally in the U.S.[7] Similarly, absent a known regulatory scheme, even “successful” operation of a metaverse casino at present does not foreclose adverse action or shutdowns in the future due to increasing regulatory scrutiny.

While it is unclear how, if, and to what extent, existing regulations apply to metaverse gaming, the actions referenced above demonstrate that some state regulators are taking the position that the same rules that apply to investments in the real world also apply to investments in the metaverse. The risk is not limited to the virtual world, but also exposes investors to the potential loss of real money. The above matters also highlight the broad range of risks government authorities could be motivated to address, from international policy implications to financial fraud scams.

Pioneering the Metaverse

Although there are significant barriers to operating gaming platforms in the metaverse, forward-thinking gaming companies have wisely been preparing to enter this new world when it is safe to do so. If the metaverse becomes as integrated into daily life as it is expected to be, those pioneers will reap the rewards. We recommend gaming operators in the metaverse proceed with caution and retain highly qualified counsel to help them navigate the developing regulatory landscape.


Copyright ©2022 Nelson Mullins Riley & Scarborough LLP


FOOTNOTES

  1. Regulators in the United States including the Securities and Exchange Commission (“SEC”) use the term “digital asset” to refer to “an asset that is issued and transferred using distributed ledger or blockchain technology.” Statement on Digital Asset Securities Issuance and Trading, Division of Corporation Finance, Division of Investment Management, and Division of Trading and Markets, SEC (Nov. 16, 2018), available here. As the SEC has noted, digital assets include, but are not limited to, virtual currencies, coins, and tokens. Id. A digital asset may in certain instances be deemed a security under the federal securities laws. While not defined in the securities laws, the SEC often refers to digital assets that are securities as “digital asset securities.” Id.

  2. The issue of what is a “thing of value” within the meaning of state anti-gambling law has been the subject of recent litigation. See, e.g., Kater v. Churchill Downs, Inc., 886 F.3d 784 (9th Cir. 2018) (virtual chips in online game held to be a “thing of value” for purposes of Washington’s illegal gambling law); Coffee v. Google, LLC, No. 20-CV-03901-BLF, 2022 WL 94986, at *13 (N.D. Cal. Jan. 10, 2022) (“loot box” prizes limited to use in in-app game not “things of value” under California illegal gambling law).

  3. Pat Evans, Cryptocurrency In Legal Sports Betting: What’s Next?, (June 9, 2022), available here.

  4. We will discuss the potential role of these Federal regulators in future articles.

  5. Dorothy N. Giobbe, et al., Texas and Alabama Securities Regulators File Enforcement Actions Against Online Casino Developer Selling NFTs to Operate Casinos in a Metaverse, (April 29, 2022), available here.

  6. Five States File Enforcement Actions to Stop Russian Scammers Perpetrating Metaverse Investment Fraud, (May 11, 2022), available here.

  7. Chris Altruda, Congressional Group Calls on DOJ to Help Fight Illegal Offshore Sportsbooks, (Jun. 30, 2022), available here.

 

How to Use Images and Blogs to Boost Your Google My Business Profile

Whether you are wondering if you should create a listing for your business or searching for the most effective ways to boost your local presence, Google My Business is a wise investment of time. Not convinced yet? Consider the following statistics:

  • 97 percent of people learn more about a local company online than through any other source
  • Over 90 percent of the search engine market share belongs to Google
  • According to Google, 46 percent of all searches have local intent
  • 64 percent of consumers have used Google My Business to find contact details for a local business

Listing your law firm on Google is a significant step towards a complete online presence, but it doesn’t stop there. For instance, you should update your Google My Business Profile every month or so. While this profile isn’t a social media profile, it still requires the same amount of cultivation.

The Benefit of Adding Pictures

There are a few more ways you can leverage your profile to your advantage. One of these ways is to use images to help boost your profile. For example, using photos on your Google Business Profile is beneficial not just for aesthetics but also to provide your law firm with an SEO advantage.

According to Google, businesses that use pictures on their Business Profiles see 42 percent more direction requests on Google Maps and 35 percent more clicks through to their websites than those who don’t use them. In fact, after a 2020 experiment, DigitalMaas came to the same conclusions. There’s no denying that law firms and attorneys who regularly upload photos on their listings will get more clicks and appear more on search results than their competitors who don’t.

When adding pictures, ensure you:

  • Add photos promptly. Without pictures, Google will default to showing street views which can make potential clients doubt if you are still in business.
  • Add photos regularly, including different shots and angles, taken at various times of the day.
  • Use quality photos without over-editing them. You want them to be clear but not filtered.
  • Use categories when adding pictures. Having a minimum of three relevant photos for each category is recommended.
  • Stay relevant to your location—avoid using screenshots, stock photos, GIFs, and other manually created images.

The Benefit of Blogs

Blogs are an essential piece of SEO marketing. If your firm doesn’t already publish one, now is the time. In addition to publishing your blog on your website, make sure you take its URL along with the picture and create a post from your Google My Business Account. Google will recognize your blog under your profile, and you will start to rank higher in SEO. When you add your blog to your Google Business Profile, you essentially double the benefit of having a blog without doubling the work. Linking a blog to your profile shows your authority in the legal realm and that you remain active online.

Don’t Forget Reviews!

Another key piece of optimizing your Google My Business profile is adding reviews. Google knows that reviews are the primary influence on consumer behavior, so they are a crucial ranking factor in the algorithm. However, you can’t add reviews if you don’t have any. Getting more reviews can be simple if you follow these tips:

  • Start with your long-time, loyal clients.
  • Make leaving a review as simple as possible by creating a review shortcut link or using a shortcut link generator.
  • Add a “Reviews” page on your website with a call to action to leave one.
  • Don’t forget to ask for reviews by email, text, social media, and in-person conversations.
  • Let clients know that reviews help others in similar situations to find a solution and make informed decisions.
  • Respond to reviews, as this will incentivize clients to leave theirs and improve your local SEO.

© 2022 Denver Legal Marketing LLC