Multi-Level Marketing Gets Multi-Level Attention

Multi-level marketing has touched us all – whether it be purchasing beauty products, essential oils, or health supplements from a friend through social media, or receiving an invitation to join a team of seemingly successful people working their “side hustle.”  But multi-level marketing is now getting some additional multi-level attention, both in the media and in the court room.

With interest in documentaries on the rise throughout the pandemic, Amazon recently delivered with its four-part docu-series “LuLaRich.”  It follows the multi-level marketing company, LuLaRoe, which is known for its colorfully patterned clothing, messages of empowering women, and nearly $2 billion in purported sales in a single year.  But the docu-series also offers a glimpse at the dividing line between a multi-level marketing platform and a pyramid scheme, with the latter running afoul of the law.

Throughout its short existence, LuLaRoe has been no stranger to litigation.  Several class actions have been filed against it, including one with allegations that LuLaRoe’s leggings ripped as easily as wet toilet paper.  But most notable is a recent class action that was certified just last month by a federal court in Alaska. See, e.g., Katie Van et al. v. LLR Inc. dba LuLaRoe et al., No. 3:18-cv-00197, in the United States District Court for the District of Alaska.  The claims in Van allege that LuLaRoe charged sales tax on purchases to customers located in tax-free jurisdictions.  This was, allegedly, the result of a customized point-of-sale system that did not allow sales tax to be assessed based on the location to which the “retailer” (sales person) shipped the merchandise.  LuLaRoe addressed this by creating a “toggle switch” that allowed retailers to “turn off” the automatic tax charges and charge a different amount, including 0%.  However, some retailers used the toggle switch to override the collection of sales taxes on taxable transactions, while others did not use the toggle switch to override sales taxes on transactions that were not taxable.  When LuLaRoe became aware of this, it allegedly disabled the toggle switch and asked retailers to leave the system’s sales tax box “checked,” while LuLaRoe developed a system that would compute and collect sales tax based on the address where the product was purchased and received.  The outcome: consumers in jurisdictions without sales tax (or no sales tax on clothing) were improperly billed for sales tax on their purchases, based on the taxes imposed by the retailer’s location rather than the consumer’s location.  The certified class claim alleges LuLaRoe engaged in an unfair trade practice with the imposition of this non-existent sales tax.  And, while attempts at similar class actions against LuLaRoe have been made in the past, this class, with more than 10,000 potential class members, has now been certified.

With so many sales happening through social media controlled by individual retailers, multi-level marketing entities must address unique challenges, including the calculation and imposition of sales tax, especially when customers are located in different states (or even different countries) than their sales person, as was the case in Van.  Having the requisite resources – whether that be through staffing or usable technology and software – can be challenging when trying to keep up with the quick growth that often comes with multi-level marketing.  Additionally, a multi-level marketing entity’s approach to organizational structure, recruiting, compensation, and manufacturing warrants detailed attention and familiarity with state and federal law.

LuLaRoe’s story, while colorful and seemingly worthy of a hit docu-series, highlights the need to carefully navigate legal issues when operating or becoming involved with a multi-level marketing entity.  The potential for legal snags may be hidden in the seams.  And it’s never worth becoming too big for your (brightly patterned) britches when it comes to the law.

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved.


A Flurry of CFTC Actions Shock the Cryptocurrency Industry

The Commodity Futures Trading Commission (CFTC) sent shockwaves across the cryptocurrency industry when it issued a $1.25 million settlement order with Kraken, one of the industry’s largest market participants. The next day, the CFTC announced that it had charged each of 14 entities for offering cryptocurrency derivatives and margin trading without registering as a futures commission merchant (FCM). While the CFTC has issued regulatory guidance in the past and engaged in some regulatory enforcement activities, it has now established itself as a key regulator of the industry along with the US Securities and Exchange Commission (SEC), the US Department of Justice (DOJ) and the US Department of the Treasury (Treasury). Market participants should be aware that the CFTC will continue to take a more active role in regulation and enforcement of commodities and derivatives transactions moving forward.

The CFTC alleged that each of the defendants was acting as an unregistered FCM. Under Section 1a(28)(a) of the Commodity Exchange Act (the Act), 7 U.S.C. § 1(a)(28)(A), an FCM is any “individual, association, partnership, or trust that is engaged in soliciting or accepting orders for the purchase or sale of a commodity for future delivery; a security futures product; a swap . . . any commodity option authorized under section 6c of this title; or any leverage transaction authorized under section 23 of this title.” In order to be considered an FCM, that entity must also “accept[] money, securities, or property (or extends credit in lieu thereof) to margin, guarantee, or secure any trades or contracts that result or may result therefrom.” (See: 7 U.S.C. § 1(a)(28)(A)(II).) 7 U.S.C. § 6d(1) requires FCMs to be registered with the CFTC.

IN DEPTH

THE KRAKEN SETTLEMENT

On September 28, 2021, the CFTC issued an order, filing and settling charges against respondent Payward Ventures, Inc. d/b/a Kraken for offering margined retail commodity transactions in cryptocurrency—including Bitcoin—and failing to register as an FCM. Kraken is required to pay a $1.25 million civil monetary penalty and to cease and desist from further violations of the Act. The CFTC stated that, “This action is part of the CFTC’s broader effort to protect U.S. customers.”

The CFTC’s order finds that from approximately June 2020 to July 2021, Kraken violated Section 4(a) of the Act, 7 U.S.C. § 6(a) (2018), by offering to enter into, entering into, executing and/or confirming the execution of off-exchange retail commodity transactions with US customers who were not eligible contract participants or eligible commercial entities. The CFTC also found that Kraken operated as an unregistered FCM in violation of Section 4d(a)(1) of the Act, 7 U.S.C. § 6d(a)(1) (2018). According to the order, Kraken served as the sole margin provider and maintained physical and/or constructive custody of all assets purchased using margins for the duration of a customer’s open margined position.

Margined transactions worked as follows: The customer opened an individual account at Kraken and deposited cryptocurrency or fiat currency into the account. The customer then initiated a trade by selecting (1) the trading pair they wished to trade, (2) a purchase or sale transaction and (3) a margin option. All trades were placed on Kraken’s central limit order book and executed individually for each customer. If a customer purchased an asset using margin, Kraken supplied the cryptocurrency or national currency to pay the seller for the asset. If a customer sold an asset using margin, Kraken supplied the cryptocurrency or national currency due to the buyer. Trading on margin allowed the customer to establish a position but also created an obligation for the customer to repay Kraken at the time the margined position was closed. The customer’s position remained open until they submitted a closing trade, they repaid the margin or Kraken initiated a forced liquidation based on the occurrence of certain triggering events, including limitations on the duration of an open margin position and pre-set margin thresholds. Kraken required customers to exit their positions and repay the assets received to trade on margin within 28 days; however, customers could not transfer assets away from Kraken until satisfying their repayment obligation. If repayment was not made within 28 days, Kraken could unilaterally force the margin position to be liquidated; it could also initiate a forced liquidation if the value of the collateral dipped below a certain threshold percentage of the total outstanding margin. As a result, actual delivery of the purchased assets failed to occur.

The CFTC asserted that these transactions were unlawful because they were required to take place on a designated contract market. Additionally, by soliciting and accepting orders for, and entering into, retail commodity transactions with customers and accepting money or property (or extending credit in lieu thereof) to margin these transactions, Kraken was operating as an unregistered FCM.

Coinciding with the release of the enforcement action against Kraken, CFTC Commissioner Dawn D. Stump issued a “concurring statement.” In it, she appeared to be calling upon the CFTC to adopt more specific rules governing the products that are the subject of the enforcement action. Commissioner Stump seemed to indicate that it would be helpful to cryptocurrency market participants if the CFTC clarified its position on the applicability of the Act, as well as registration requirements. The CFTC will likely issue guidance or rules to clarify its position on which cryptocurrency-related products trigger registration requirements.

CFTC CHARGES 14 CRYPTOCURRENCY ENTITIES

On September 29, 2021, the CFTC issued a press release and 14 complaints against cryptocurrency trading platforms. The CFTC is seeking a sanction “directing [the cryptocurrency platforms] to cease and desist from violating the provisions of the Act set forth herein.” Each of the platforms has 20 days to respond.

All of the complaints are somewhat similar in that the CFTC alleges that each of the cryptocurrency platforms “from at least May 2021 and through the present” have offered services to the public “including soliciting or accepting orders for binary options that are based off the value of a variety of assets including commodities such as foreign currencies and cryptocurrencies including Bitcoin, and accepting and holding customer money in connection with those purchases of binary options.”

The CFTC has taken the position that “binary options that are based on the price of an underlying commodity like forex or cryptocurrency are swaps and commodity options as used in the definition of an FCM.” (The CFTC has previously taken the position that Bitcoin and Ethereum constitute “commodities,” doing so in public statements and enforcement actions.) In a prominent enforcement action previously filed by the CFTC in the United States District Court for the Eastern District of New York, the court held that “virtual currency may be regulated by the CFTC as a commodity” and that it “falls well-within the common definition of ‘commodity’ as well as the CEA’s definition of commodities.” (See: CFTC v. McDonnell, et al., 287 F. Supp. 3d 213, 228 (E.D.N.Y. Mar. 6, 2018); CFTC v. McDonnell, et al., No. 18-cv-461, ECF No. 172 (E.D.N.Y. Aug. 23, 2018).) In the action the CFTC filed against BitMEX in October of 2020, it alleged that “digital assets, such as bitcoin, ether, and litecoin are ‘commodities’ as defined under Section 1a(9) of the Act, 7 U.S.C. § 1a(9).” (See: CFTC v. HDR Global Trading Limited, et al., No. 20-cv-8132, ECF 1, ¶ 23 (S.D.N.Y. Oct. 1, 2020).)

The CFTC has previously taken the position that Bitcoin, Ethereum and Litecoin are considered commodities. However, in these recently filed complaints, the CFTC did not appear to limit the cryptocurrencies that would be considered “commodities” to just Bitcoin, Ethereum and Litecoin. Instead, the CFTC broadly referred to “commodities such as foreign currencies and cryptocurrencies including Bitcoin.” It remains to be seen which of the hundreds of cryptocurrencies on the market will be considered “commodities,” but it appears that the CFTC is not limiting its jurisdiction to just three. It is also an open question as to whether there are certain cryptocurrencies or cryptocurrency referencing financial products that the SEC and CFTC will determine are subject to the overlapping jurisdiction of both regulators, similar to mixed swaps under the derivatives rules.

The CFTC also singled out two of these cryptocurrency platforms, alleging that each issued false statements to the effect that it “is a registered FCM and RFED with the CFTC and member of the NFA.” The CFTC noted that neither of these entities was ever registered with the National Futures Association (NFA) and that one of the NFA ID numbers listed “identifies an individual who was once registered with the CFTC but has been deceased since 2009.”

WHAT’S NEXT

While the SEC, Treasury and DOJ are often considered the most prominent federal regulators in the cryptocurrency space, this recent sweep by the CFTC is not the first time it has flexed its muscles. The CFTC went to trial and won in 2018, accusing an individual of operating a boiler room. In October 2020, the CFTC filed a case against popular cryptocurrency exchange BitMEX for failing to register as an FCM, among other counts. However, unlike those one-off enforcement actions, the recent actions targeting multiple market participants within two days is a big step forward for the CFTC. Cryptocurrency derivative trading has been rising in popularity over the last few years and it is unsurprising that the CFTC is taking a more active enforcement role.

It is expected that regulatory activity within the cryptocurrency space will increase from all US regulators, including the CFTC, SEC, Treasury and the Office of the Comptroller of the Currency, especially as cryptocurrency products are increasingly classified as financial products subject to regulation. While the CFTC and other regulators have issued some regulatory guidance, regulators appear to be taking a “regulatory guidance by enforcement action” strategy. Market participants will need to thoughtfully consider all relevant regulatory regimes in order to determine what compliance activities are necessary. As we describe, multiple classifications are possible.

© 2021 McDermott Will & Emery


Ransom Demands: To Pay or Not to Pay?

As the threat of ransomware attacks against companies has skyrocketed, so has the burden on companies forced to decide whether to pay cybercriminals a ransom demand. Corporate management increasingly is faced with balancing myriad legal and business factors in making real-time, high-stakes “bet the company” decisions with little or no precedent to follow. In a recent advisory, the U.S. Department of the Treasury (Treasury) has once again discouraged companies from making ransom payments or risk potential sanctions.

OFAC Ransom Advisory

On September 21, 2021, the Treasury’s Office of Foreign Assets Control (OFAC) issued an Advisory that updates and supersedes OFAC’s Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, issued on October 1, 2020. This updated OFAC Advisory follows on the heels of the Biden Administration’s heightened interest in combating the growing risk and reality of cyber threats that may adversely impact national security and the economy.

According to Federal Bureau of Investigation (FBI) statistics from 2019 to 2020 on ransomware attacks, there was a 21 percent increase in reported ransomware attacks and a 225 percent increase in associated losses. All organizations across all industry sectors in the private and public arenas are potential targets of such attacks. As noted by OFAC, cybercriminals often target particularly vulnerable entities, such as schools and hospitals, among others.

While some cybercriminals are linked to foreign state actors primarily motivated by political interests, many threat actors are simply in it “for the money.” Every day cybercriminals launch ransomware attacks to wreak havoc on vulnerable organizations, disrupting their business operations by encrypting and potentially stealing their data. These cybercriminals often demand ransom payments in the millions of dollars in exchange for a “decryptor” key to unlock encrypted files and/or a “promise” not to use or publish stolen data on the Dark Web.

The recent OFAC Advisory states in no uncertain terms that the “U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands.” OFAC notes that such ransomware payments could be “used to fund activities adverse to the national security and foreign policy objectives of the United States.” The Advisory further states that ransom payments may perpetuate future cyber-attacks by incentivizing cybercriminals. In addition, OFAC cautions that in exchange for payments to cybercriminals “there is no guarantee that companies will regain access to their data or be free from further attacks.”

The OFAC Advisory also underscores the potential risk of violating sanctions associated with ransom payments by organizations. As a reminder, various U.S. federal laws, including the International Emergency Economic Powers Act and the Trading with the Enemy Act, prohibit U.S. persons or entities from engaging in financial or other transactions with certain blacklisted individuals, organizations or countries – including those listed on OFAC’s Specially Designated Nationals and Blocked Persons List or countries subject to embargoes (such as Cuba, the Crimea region of Ukraine, North Korea and Syria).

Penalties & Mitigating Factors

If a ransom payment is deemed to have been made to a cybercriminal with a nexus to a blacklisted organization or country, OFAC may impose civil monetary penalties for violations of sanctions based on strict liability, even if a person or organization did not know it was engaging in a prohibited transaction.

However, OFAC will consider various mitigating factors in deciding whether to impose penalties against organizations for sanctioned transactions, including if the organizations adopted enhanced cybersecurity practices to reduce the risk of cyber-attacks, or promptly reported ransomware attacks to law enforcement and regulatory authorities (including the FBI, U.S. Secret Service and/or Treasury’s Office of Cybersecurity and Critical Infrastructure Protection).

“OFAC also will consider a company’s full and ongoing cooperation with law enforcement both during and after a ransomware attack” as a “significant” mitigating factor. In encouraging organizations to self-report ransomware attacks to federal authorities, OFAC notes that information shared with law enforcement may aid in tracking cybercriminals and disrupting or preventing future attacks.

Conclusion

In short, payment of a ransom is not illegal per se, so long as the transaction does not involve a sanctioned party on OFAC’s blacklist. Moreover, the recent ransomware Advisory “is explanatory only and does not have the force of law.” Nonetheless, organizations should consider carefully OFAC’s advice and guidance in deciding whether to pay a ransom demand.

In addition to the OFAC Advisory, management should consider the following:

  • Ability to restore systems from viable (unencrypted) backups

  • Marginal time savings in restoring systems with a decryptor versus backups

  • Preservation of infected systems in order to conduct a forensics investigation

  • Ability to determine whether data was accessed or exfiltrated (stolen)

  • Reputational harm if data is published by the threat actor

  • Likelihood that the organization will be legally required to notify individuals of the attack regardless of whether their data is published on the Dark Web.

Should an organization decide it has no choice other than to make a ransom payment, it should facilitate the transaction through a reputable company that first performs and documents an OFAC sanctions check.

© 2021 Wilson Elser


Apple iPhone Users: Update Your iPhone iOS ASAP

We have noted before how important it is to update the operating system (OS) on your mobile phone as soon as you receive notice from the manufacturer. This week, Apple issued an update to the iOS that is considered urgent.

Apple released two patches this week to address two security vulnerabilities in iPhones: one to protect against Pegasus spyware, and one in WebKit, the engine Safari uses to render web content on screen.

The first patch aims to prohibit a zero-click exploit that launches code in iMessage that allows spyware to be deployed and used against users. This vulnerability is concerning because it does not require the user to open a link for the malicious code to be deployed and have access to the mobile device.

The second patch is designed to fix a vulnerability discovered by a security researcher, which allows threat actors to use malicious web content to exploit iPhones and iPads.

Message today: UPDATE YOUR iPHONE OPERATING SYSTEM ASAP. To do so, plug in your phone, go to Settings, click on General, then click on Software Settings and download iOS 14.8.

Copyright © 2021 Robinson & Cole LLP. All rights reserved.


“I always feel like somebody’s watching me…” The Legalities of Smart Devices and Privacy

“Hey Alexa…”

It’s a simple phrase that makes us feel like we’re living in the future promised us by The Jetsons and Star Trek. Alexa, Siri, Google Assistant—all Artificial Intelligence (AI) designed to make our lives just a little easier. Need a recipe for beef brisket? Just ask Siri. What time is the movie going to start? Ask Alexa. Need some music for your dinner party? Google Assistant has you covered, just ask. But how are Alexa and Siri at your beck and call? The answer is they’re always listening. What does that mean for you? It means that every sound they hear is analyzed and indexed.

Data Privacy

Privacy is the next big frontier in eDiscovery. Data privacy laws are constantly evolving. The General Data Protection Regulation (GDPR) (effective May 25, 2018) is the European Union (EU) and European Economic Area (EEA) law that relates to data protection and privacy. It also applies to the transfer of personal data outside of the EU and EEA. (The University of Michigan has a great timeline of the history of privacy law.) Practically, your personal data is the most valuable asset you have.

Understanding existing and pending privacy legislation is important. Currently 3 states have passed legislation, including California; 9 states, including Pennsylvania, have active bills; and 15 states have introduced legislation that ultimately died or was postponed. At some point there could be federal legislation that governs privacy similar to GDPR.

Do these devices violate wiretapping laws? Unclear.

An issue worth exploring is whether these devices fall under the purview of wiretapping laws. In Hall-O’Neil v. Amazon, a class action case in the Western District of Washington, Plaintiffs allege that Alexa-enabled devices collected and recorded confidential conversations with minors. Hall-O’Neil v. Amazon.com Inc. et al., No. 2:19-cv-00910. It is important to keep an eye on these and other similar cases to understand the privacy issues at play with these types of devices.

How Do We Handle Evolving Privacy Issues in the Legal World?

So, what does this mean for legal professionals? One thing to consider is attorney-client privilege issues. With the global pandemic requiring a major shift to working from home you should carefully consider the ramifications of having a virtual assistant in your home while you’re working on client matters—you may be violating attorney-client privilege. Out of an abundance of caution you probably want to unplug your virtual assistant before getting to work.

On the flip side, if someone has a virtual assistant and it was present during a key meeting or event, you might want to investigate subpoenaing the recordings, which carries with it additional issues such as who owns the data related to virtual assistants, how long the data is retained, and how you obtain it. Law enforcement agencies have been subpoenaing virtual assistant data for years to obtain voice clips and time-stamped logs of user activity in crime investigations.

What’s the Best Practice?

With so many questions and so few real legal precedents it’s best to proceed with caution with the use of these devices. It’s also very important, from an eDiscovery perspective, to make sure you’re aware of the potential for important data to be found on these devices during the discovery process.

Article by Gretchen E. Moore, Lydia A. Gorba, Lynne Hewitt and Maryann Mahoney of Strassburger, McKenna Gutnick & Gefsky

©2021 Strassburger McKenna Gutnick & Gefsky
National Law Review, Volume XI, Number 244

Get with The Program – China’s New Privacy Laws Are Coming

The People’s Republic of China (PRC) passed the Personal Information Protection Law (PIPL) on Friday the 20th of August 2021. The new privacy regime strengthens the protection around the use and collection of personal data and introduces a new requirement for user consent.

The PIPL, closely resembling the European Union’s General Data Protection Regulation, prevents the personal data of PRC nationals from being transferred to countries with lower standards of data security, a rule that may pose inherent problems for foreign businesses. The PIPL was introduced following an increase in online scamming and individual service price discrimination, where the same service is offered at different prices based on a user’s shopping profile. However, while businesses and some state entities face stronger collection obligations, the PRC state security department will maintain full access to personal data.

Although the final draft of the PIPL is yet to be released, the new law is set to commence on the 1st of November 2021. Companies will face fines of up to 50 million yuan ($7.6 million USD), or 5 percent of their annual turnover, if they fail to comply. For an in-depth discussion of the Draft PIPL released in August 2020, see our K&L Gates publication here.

Ella Richards also contributed to this article.

Copyright 2021 K & L Gates

Article by Cameron Abbott with K&L Gates.

Agencies and Regulators Focus on AML Compliance for Cryptocurrency Industry

This year, regulators, supported by a slate of new legislation, have focused more of their efforts on AML violations and compliance deficiencies than ever before. As we have written about in the “AML Enforcement Continues to Trend in 2021” advisory, money laundering provisions in the National Defense Authorization Act for fiscal year 2021 (the NDAA) expanded the number of businesses required to report suspicious transactions, provided new tools to law enforcement to subpoena foreign banks, expanded the AML whistleblower program, and increased fines and penalties for companies who violate anti-money laundering provisions. The NDAA, consistent with Treasury regulations, also categorized cryptocurrencies as the same as fiat currencies for purposes of AML compliance.

In addition, as discussed in the “Businesses Must Prepare for Expansive AML Reporting of Beneficial Ownership Interests” advisory, the NDAA imposed new obligations on corporations, limited liability companies, and similar entities to report beneficial ownership information. Although the extent of that reporting has not yet been defined, the notice of proposed rulemaking issued by FinCEN raises serious concerns that the Treasury Department may require businesses to report beneficial ownership information for corporate affiliates, parents and subsidiaries; as well as to detail the entity’s relationship to the beneficial owner. Shortly after passage of the NDAA, Treasury Secretary Janet Yellen stressed that the Act “couldn’t have come at a better time,” and pledged to prioritize its implementation.

Money laundering in the cryptocurrency space has attracted increased attention from regulators and the IRS may soon have an additional tool at its disposal if H.R. 3684 (the bipartisan infrastructure bill) is signed into law. That bill includes AML provisions that would require stringent reporting of cryptocurrency transactions by brokers. If enacted, the IRS will be able to use these reports to identify large transfers of cryptocurrency assets, conduct money laundering investigations, and secure additional taxable income. Who qualifies as a “broker,” however, is still up for debate but some fear the term may be interpreted to encompass cryptocurrency miners, wallet providers and other software developers. According to some cryptocurrency experts, such an expansive reporting regime would prove unworkable for the industry. In response, an anonymous source from the Treasury Department told Bloomberg News that Treasury was already working on guidance to limit the scope of the term.

In addition to these legislative developments, regulators are already staking their claims over jurisdiction to conduct AML investigations in the cryptocurrency area. This month, SEC Chair Gary Gensler, in arguing that the SEC had broad authority over cryptocurrency, claimed that cryptocurrency was being used to “skirt our laws,” and likened the cryptocurrency space to “the Wild West . . . rife with fraud, scams, and abuse” — a sweeping allegation that received much backlash from not only cryptocurrency groups, but other regulators as well. CFTC Commissioner Brian Quintenz, for example, tweeted in response: “Just so we’re all clear here, the SEC has no authority over pure commodities . . . [including] crypto assets.” Despite this disagreement, both regulatory agencies have collected millions of dollars in penalties from companies alleged to have violated AML laws or BSA reporting requirements. Just last week, a cryptocurrency exchange reached a $100 million settlement with FinCEN and the CFTC, stemming from allegations that the exchange did not conduct adequate due diligence and failed to report suspicious transactions.

With so many governmental entities focused on combatting money laundering, companies in the cryptocurrency space must stay abreast of these fast-moving developments. The combination of increased reporting obligations, additional law enforcement tools, and heightened penalties make it essential for cryptocurrency firms to institute strong compliance programs, update their AML manuals and policies, conduct regular self-assessments, and adequately train their employees. Companies should also expect additional regulations to be issued and new legislation to be enacted in the coming year. Stay tuned.

©2021 Katten Muchin Rosenman LLP

The 4 Step Checklist to Ensure Your Law Firm Website is Mobile Friendly

Nearly everyone has a cell phone these days, and the vast majority of people use smartphones to search for the businesses and services they need. When potential clients are searching for you online from their phone, you need to be sure that your law firm’s website is mobile-friendly. Your website should be the go-to resource for your clients whether they are on desktop or mobile. Neglecting to optimize your website for mobile is one of the most common mistakes law firms make. Over half of all general website traffic comes from mobile, so that means if your site doesn’t load clearly or quickly, you’re losing business.  Here are four simple steps to ensure your law firm website is mobile-friendly.

Step 1: Check Your Website’s Mobile Responsiveness

The first thing you should do to find out whether your website is mobile-friendly is to take Google’s Mobile-Friendly Test. Google loves when you use its products. And when you make updates and changes to your website to accommodate the suggestions made by Google, it can only help your site.

One of the biggest issues law firms run into is their website’s mobile responsiveness. You might run into this problem if you wanted to include large images or videos that require Flash, for example. The good news is that making your web design responsive is a relatively easy fix. A responsive website is coded so that its contents automatically adjust to the length, width, and screen resolution of a mobile device. However, don’t be fooled. This could involve an entire redesign of your law firm website’s structure and layout. Making the decision to go with a responsive web design can only benefit your website in the long run.

Step 2: Keep Your Web Design Clean and Simple

It can be tempting to go with a flashy web design that you think will make your law firm stand out amongst the competition. But if your web design is complicated or uses poor design elements, it can hurt your rankings and make your website respond poorly on mobile.

Arguably the most important aspect of a mobile-friendly website is its ability to load quickly. Users simply don’t have the time, patience, or inclination to wait for a page to load. And if they click out of your page before it has time to load, this can increase your bounce rate. To make sure that your web pages load quickly, avoid using large ads, fonts, and images. These are heavy files that will slow your website down and negatively affect your rankings on Google.

Content on your website should flow on the mobile screen so that the user doesn’t have to turn their phone into landscape mode to see the page’s content. Font style should be clean and the size shouldn’t be too large either.

Step 3: Make Sure Your Website is Easily Navigable on Mobile

If you want to give your prospective clients the best experience on your law firm’s website, make sure it’s easy to navigate. Little is more frustrating to an internet user than being unable to find the information they are looking for. If they can’t find navigation buttons or your CTA buttons are hard to click, it’s going to cause your user to click out of your page and look somewhere else, which could mean your competitor’s law firm if you don’t take the necessary steps.

Choose your menu style wisely. Will your clients prefer a tab pattern or hamburger menu? The hamburger button can be hard to find when you hide your navigation menu behind it. If this is an issue for your law firm website, opt for a drop-down menu, sidebar, or move your top nav to the bottom of the page.

Make your website stand out among competing law firms by adding a search bar to your navigation. The ability to easily search for the keywords your potential client is looking for is a great way to lead them directly to the content that will best serve their needs, and to make them a client of yours.

Step 4: Don’t Block CSS Files, JavaScript, or Image Files

Blocking image files, CSS files, and JavaScript can have a negative impact on your website’s mobile performance. These files control how your law firm’s web pages look and behave. When they aren’t placed correctly, they can end up blocked from crawlers, which can have a devastating impact on how fast your web page loads and how Google evaluates it. Make sure these files aren’t blocked by using the URL Inspection Tool in Google Search Console.
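One way the “blocked resource” problem arises is a robots.txt rule that sweeps up the directory holding your stylesheets and scripts. The following added example (not code from the original article) uses Python’s standard `urllib.robotparser` to test a constructed robots.txt against constructed asset URLs, showing the blocking version beside a corrected one; the paths and hostname are assumptions for illustration.

```python
"""Check whether a robots.txt would block the CSS/JS/image files a page needs.

Added example, not part of the original article. The robots.txt text, the
hostname and the asset paths below are constructed for illustration only.
"""
from urllib.robotparser import RobotFileParser

# Constructed example of a common misconfiguration: a blanket block on the
# /assets/ directory also hides stylesheets, scripts and images from crawlers.
BLOCKING_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /assets/
"""

# Corrected version: keep the private area blocked, but explicitly allow the
# resource directories the public pages depend on. Python's parser applies the
# first matching rule, so the Allow lines must come before the broad Disallow.
FIXED_ROBOTS = """\
User-agent: *
Disallow: /admin/
Allow: /assets/css/
Allow: /assets/js/
Allow: /assets/img/
Disallow: /assets/
"""

# Constructed asset URLs that a law firm site might reference from its pages.
PAGE_ASSETS = [
    "https://example.com/assets/css/site.css",
    "https://example.com/assets/js/menu.js",
    "https://example.com/assets/img/hero.jpg",
]


def blocked_assets(robots_txt, asset_urls, user_agent="Googlebot"):
    """Return the asset URLs that robots_txt forbids user_agent from fetching."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return [url for url in asset_urls if not parser.can_fetch(user_agent, url)]


if __name__ == "__main__":
    print("blocked before fix:", blocked_assets(BLOCKING_ROBOTS, PAGE_ASSETS))
    print("blocked after fix: ", blocked_assets(FIXED_ROBOTS, PAGE_ASSETS))
```

Run this against your own robots.txt and the asset URLs listed in a page’s HTML source; anything the function returns is what the URL Inspection Tool will also report as blocked.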

© 2021 Denver Legal Marketing LLC


Is it Secret, Is it Safe? What Employers Need to Know About the California Privacy Rights Act

In most contexts, employees should have a low expectation of privacy in the workplace. Their computers, desks, and other common areas may be subject to strict company control and their conduct subject to workplace policies. There are many aspects of employee privacy and related laws of which California employers must be aware. One such area, with rapidly approaching deadlines, is the California Privacy Rights Act (“CPRA”).

In November 2020, Californians voted in favor of the CPRA, further expanding employee and consumer privacy rights for California residents. Following consumer privacy trends like Europe’s General Data Protection Regulation, California has been on the move to enhance privacy, not just for consumers, but for employees. The CPRA amends the California Consumer Privacy Act (“CCPA”), which the California legislature passed in 2018 and which went into effect January 1, 2020. Unlike the CCPA, which was amended in 2019 to have a limited application to employees, job applicants and independent contractors, the CPRA will extend various individual rights to employees, job applicants and independent contractors. Consequently, employers subject to the CPRA will need to start preparing in the near future to ensure they have the necessary procedures, policies and contract amendments in place by the CPRA’s January 1, 2023 effective date.

What Is the CCPA?

In general, the CCPA was enacted to enhance the privacy rights of California residents by providing them with notice of how their personal information is being processed, the purpose for such processing, and allowing them greater control of their personal information. While the CCPA provides California residents the right to access, to deletion and to opt-out of “sales” of their personal information, it did not extend most of these rights to California employees. It did, however, expand employee rights in two significant ways: (1) it requires mandatory privacy notices and disclosures about the data collected by employers and purpose for collection; and (2) it provides for statutory damages ranging from $100 to $750 if certain personal information is breached. Further, the CCPA requires businesses to have “reasonable security procedures and practices” in place to protect their California employees’ personal information.

Which Employers Are Subject to the CPRA?

The CPRA amends the CCPA’s definition of a covered “business” to minimize its impact on small to medium-sized businesses. The CPRA applies to for-profit organizations that collect personal information on California residents, determine the purposes and means of processing the personal information, do business in California and satisfy one of the following thresholds:

  1. as of January 1, had annual gross revenues in excess of $25 million in the preceding calendar year; or
  2. buys, sells or shares the personal information of at least 100,000 California consumers or households; or
  3. derives at least fifty percent of its annual revenue from selling or sharing consumers’ personal information.

It is important to note that an employer does not need to have a physical location in California to be subject to the CPRA, but rather it must only satisfy the definition above.

What Is the CPRA and How Does It Impact the CCPA?

The CPRA materially amends the CCPA by adding a number of provisions to expand employee privacy rights. However, like the CCPA, the CPRA does not apply to personal information collected from an individual acting as a job applicant, an employee, owner, director, officer, staff member or contractor, with regard to benefits administration and maintenance of emergency contact information.

New Business Definition. Although it contains many of the same definitions as the CCPA, the CPRA changes one of the thresholds for an entity to meet the definition of a “business” subject to the law: it raises the threshold from 50,000 to 100,000 or more consumers or households, and removes devices from the threshold.

Sensitive Personal Information Definition. The CPRA includes “sensitive personal information” as a defined term and requires businesses to provide notice to employees when such information is processed, the purposes for the processing, whether the information will be sold or shared, and the length of time the business intends to retain each category of sensitive personal information. The term is broadly defined to include social security and driver’s license numbers, financial account information, credit card numbers, account passwords, geolocations, genetic data, biometric information, records of products purchased, internet browsing history, and content of emails and text messages. See Cal. Civ. Code §1798.140(ae).

Individual Rights. The CPRA also provides for new and modified individual rights, which impact employees. It imposes restrictions and requirements on personal information, including disclosure requirements, opt-out requirements, opt-in consent for use and disclosure, and limitations on purposes for which information may be used. For example, the CPRA includes a right to correction, whereby consumers may request corrections to personal information if it is inaccurate. It provides a right to opt out of the use of automated decision-making technology (including profiling in connection with decisions related to work performance, economic status, health, personal preferences, location or movements). It also provides the right to restrict or limit the use and disclosure of sensitive personal information for secondary purposes, such as prohibiting businesses from disclosing certain information to third parties.

Flow-down Provisions. The CPRA also contains flow-down provisions that require employers to understand how third parties use, share and secure consumer data. Employers should identify third parties and vendors that receive their employee or applicant personal information (e.g., payroll companies, health/benefits/wellness providers, HR consultants, staffing agencies, etc.) and conduct vendor inquiries and diligence about how those third parties use, share and secure the employee personal information. The CPRA requires businesses with such vendors to enter agreements to ensure compliance with the CPRA, including the right to, upon notice, take reasonable steps to remediate unauthorized use of personal information.

Data Retention. The CPRA requires businesses to inform California residents of the length of time they will retain each category of personal information and sensitive personal information or the criteria used to determine that period.

Expanded Right of Action for Breach of Login Credentials. Moreover, the CPRA expands the types of data breaches for which a California resident can recover statutory damages to include breaches of personal online login credentials (such as passwords or security questions that permit access to an online account). The existing right to recover statutory damages, particularly when coupled with this expansion, provides covered employers a strong incentive to enhance their security measures.

Yeah, But, What if We Don’t Comply?

Failure to comply with the CCPA (and later the CPRA) can carry significant fines. The CCPA currently charges the Office of the Attorney General (OAG) with issuing regulations and enforcing the CCPA. The OAG can bring civil actions to enforce the law and impose penalties up to $7,500 for intentional violations and $2,500 for unintentional violations. The CCPA also contains a private right of action, allowing for $100 to $750 in damages for each incident of breach. These penalties can add up quickly, particularly in a class action context. There is, however, a 30-day cure period in which an employer can cure a violation and provide an express written statement that the violation has been cured, to avoid penalties. Cal. Civ. Code §§1798.150(b); 1798.155(b).

Under the CPRA, the 30-day cure period no longer applies to general violations of the law, but rather only as a means of preventing individual or class-wide statutory damages as part of a private right of action for security violations. In addition, the CPRA creates a new enforcement mechanism and establishes the California Privacy Protection Agency (CPPA). The CPRA expands rulemaking and enforcement power to the CPPA, which includes the authority to require businesses to submit annual privacy and security risk assessments and to audit those assessments. The CPPA will be governed by a five-member board, which was appointed in March.

When Does the CPRA Go into Effect?

The CPRA will become operative on January 1, 2023, and enforcement actions are slated to begin on July 1, 2023. However, it is important to recognize that the CPRA includes a one-year “look back provision,” which requires that when a business receives a request on January 1, 2023 (the day the law goes into effect), it must be prepared to provide responsive information going back to January 1, 2022. With these deadlines looming, California employers should prepare their CPRA compliance workplans as soon as possible, and begin taking the necessary steps to come into compliance.

How Do Employers Prepare for the CPRA?

It will take most businesses at least 12 months to become substantially compliant with the CPRA. With the CCPA already in place, employers should already be on the move to update their privacy compliance practices. However, below is a checklist to help build effective privacy and security programs to prepare for the CPRA:

  • Determine if your organization is a covered business under the CPRA.
  • Create a team consisting of members from HR, Legal, Compliance and IT to lead your CPRA compliance project.
  • Map and classify personal information and identify sensitive personal information.
  • Revise (or develop) workforce disclosures to include new definitions and rights.
  • Develop workforce request workflows for rights to access, correct, opt-out of sharing and sales, and delete personal information.
  • Put in place contractual provisions with workforce vendors including diligence and contractual indemnity.
  • Develop, enforce and audit document retention policies.

Although new rulemaking may impact the exact confines of the CPRA, employers should create a plan now and start to take the necessary steps to come into compliance as 2023 will soon be upon us.

©2021 Greenberg Traurig, LLP. All rights reserved.


Privilege Dwindles for Data Breach Reports

Data privacy lawyers and cyber security incident response professionals are losing sleep over the growing number of federal courts ordering disclosure of post-data breach forensic reports.  Following the decisions in Capital One and Clark Hill, another district court has recently ordered the defendant in a data breach litigation to turn over the forensic report it believed was protected under the attorney-client privilege and work product doctrines. These three decisions help underscore that maintaining privilege over forensic reports may come down to the thinnest of margins—something organizations should keep in mind given the ever-increasing risk of litigation that can follow a cybersecurity incident.

In May 2019, convenience store and gas station chain Rutter’s received two alerts signaling a possible breach of its internal systems. The same day, Rutter’s hired outside counsel to advise on potential breach notification obligations. Outside counsel immediately hired a forensic investigator to perform an analysis to determine the character and scope of the incident. Once litigation ensued, Rutter’s withheld the forensic report from production on the basis of the attorney-client privilege and work product doctrines. Rutter’s argued that both it and its outside counsel understood the report to be privileged because it was made in anticipation of litigation. The Court rejected this notion.

With respect to the work product doctrine, the Court stated that the doctrine only applies where identifiable or impending litigation is the “primary motivating purpose” of creating the document. The Court found that the forensic report, in this case, was not prepared for the prospect of litigation. The Court relied on the forensic investigator’s statement of work which stated that the purpose of the investigation was to “determine whether unauthorized activity . . . resulted in the compromise of sensitive data.” The Court decided that because Rutter’s did not know whether a breach had even occurred when the forensic investigator was engaged, it could not have unilaterally believed that litigation would result.

The Court was also unpersuaded by the attorney-client privilege argument. Because the forensic report only discussed facts and did not involve “opinions and tactics,” the Court held that the report and related communications were not protected by the attorney-client privilege. The Court emphasized that the attorney-client privilege does not protect communications of fact, nor communications merely because a legal issue can be identified.

The Rutter’s decision comes on the heels of the Capital One and Clark Hill rulings, which both held that the defendants failed to show that the forensic reports were prepared solely in anticipation of litigation. In Capital One, the company hired outside counsel to manage the cybersecurity vendor’s investigation after the breach, however, the company already had a longstanding relationship and pre-existing agreement with the vendor. The Court found that the vendor’s services and the terms of its new agreement were essentially the same both before and after the outside counsel’s involvement. The Court also relied on the fact that the forensic report was eventually shared with Capital One’s internal response team, demonstrating that the report was created for various business purposes.

In response to the data breach in the Clark Hill case, the company hired a vendor to investigate and remediate the systems after the attack. The company also hired outside counsel, who in turn hired a second cybersecurity vendor to assist with litigation stemming from the attack. During the litigation, the company refused to turn over the forensic report prepared by the outside counsel’s vendor. The Court rejected this “two-track” approach, finding that the outside counsel’s vendor report had not been prepared exclusively for use in preparation for litigation. As in Capital One, the Court found, among other things, that the forensic report was shared not only with inside and outside counsel, but also with employees inside the company, IT, and the FBI.

As these cases demonstrate, the legal landscape around responding to security incidents has become filled with traps for the unwary.  A coordinated response led by outside counsel is key to mitigating a data breach and ensuring the lines are not blurred between “ordinary course of business” factual reports and incident reports that are prepared for litigation purposes.

© 2021 Bracewell LLP
