Data Breach Litigations: 2020 Year in Review

2020 has been a year for the record books, and the area of data breach litigation is no exception.   Several key developments, when considered individually or in conjunction, will likely make breach litigation a top of mind data privacy issue going into the next year.  So fasten your seatbelts and read on as CPW recaps what you need to know going into 2021.

Overview of Industries Impacted by Data Breach Litigation in 2020

What industries were impacted by data breach litigations in 2020?  The short answer: all of them.

Despite the widespread adoption of cybersecurity policies and procedures by organizations to safeguard their proprietary information and the personal information of their clients, consumers, and employees, data breaches are all too common.  CPW has covered previously how “[t]echnical cybersecurity safeguards, such as patching, are obviously critical to an effective cybersecurity program.  However, many of the most common vulnerabilities can be addressed without complex technical solutions.”  Top five practical recommendations to reduce cyber risk can be reviewed here.

In fact, the number of data breaches in 2020 was more than double that of 2019, with industries that were frequent targets including government, healthcare, retail and technology.  In this instance, correlation equals causation—as more and more companies experienced crippling security breaches, the number of data breach litigations is also on the rise.

What Has Changed with Data Breach Litigations in 2020?

Besides increasing in frequency, the considerations implicated by data breach litigation have also grown increasingly complex.  This is due to several factors.

First, plaintiffs bringing data breach litigations have continued to rely on common law causes of action (negligence and fraud, among others) in addition to asserting new statutory claims (although of course there are exceptions).  The reason for this boils down to the fact that while nearly every state has a data breach statute, many do not include a private right of action and are enforced by the state attorneys general.  Hence plaintiffs’ reliance on common law and tort based theories.  Insofar as statutory causes of action are concerned, the California Consumer Privacy Act (“CCPA”) has only been on the books since the start of this year, but emerged as a focal point for data breach litigations (be sure to check out our CCPA Year-in-Review coverage).  The first CCPA class action settlement was announced last month and will likely serve as a benchmark going forward (keep a close eye on organizations agreeing to adopt increased security and data privacy controls, as has been done on the regulatory front).

Second, there was a monumental development in the spring that sent shockwaves through the data breach defense bar.  A federal judge ordered production of a forensic report prepared by a cybersecurity firm in the wake of the Capital One data breach.  The report was found not protected as attorney work product despite having been prepared at the direction of outside counsel.  [Note: A forensic report is usually prepared by a cybersecurity firm following a thorough investigation into a company’s cyberattack.  The report will address, among other areas, any vulnerabilities in a company’s IT environment that enabled the cyberattack.  Obviously, while these findings can help a company defend itself in subsequent litigation and mitigate risk, the utility of the forensic report can cut both ways.  Plaintiffs can also use this information to substantiate their claims.]  This ruling reaffirmed several key lessons for companies facing cyber incidents.  This includes that to shield a forensic report as work product, a company must demonstrate that the report would not have been created in essentially the same form absent litigation.  Notably, this burden is more difficult to meet where the company has a pre-existing relationship with the cybersecurity vendor that prepares the report.

And third, as seen from a high profile case earlier this year, the legal fallout from a data breach can extend to company executives.  A company’s former Chief Security Officer (CSO) was charged with obstruction of justice and misprision of felony for allegedly trying to conceal from federal investigators a cyberattack that occurred in 2016, exposing the data of 57 million individuals.  Although an outlier, it is a significant reminder for companies and executives to take data breach disclosure obligations seriously—notwithstanding murkiness in the law regarding when these obligations arise.

What Changed With Standing in Data Breach Cases in 2020?

Experienced litigators may be familiar with the classic requirements for standing, but even the most experienced of them are not likely familiar with standing as it applies to data breach litigation.  The reason for this discrepancy is simple:  although standing case law can be generally straightforward, this case law has not caught up to the unique challenges posed by data breaches.  This, when combined with the absence of national-level legislation for data privacy, has created a hodgepodge of circuit splits and differing interpretations.

As you will recall, Article III standing consists of three elements:  (1) an injury-in-fact that is concrete and particularized, as well as actual or imminent; (2) the injury must be fairly traceable to the defendant’s act; and (3) it must be “likely” that a favorable decision will compensate or otherwise rectify the injury.

When a data breach occurs, the penultimate standing question is whether the theft of data may, by itself, constitute a sufficient injury.  Is there an injury when leaked personal information is not copied or used to facilitate fraud or another crime?  Should an injury occur when only certain types of personal information, such as Social Security numbers, are leaked, or may the disclosure of other types of information, such as credit card numbers or addresses, be sufficient for injury?  These questions are the heart of data breach litigation, and 2020 brought us a few notable cases that are worth reflecting on at this time of the year.

Given the absence of uniform causes of action in data breach litigation, plaintiffs often employ a number of strategies when drafting their complaints.  One strategy has been to allege a negligence cause of action.  This year, this strategy drew increased attention when Wawa, a convenience store chain, moved to dismiss a class action lawsuit filed against it by a group of credit unions regarding an alleged data breach.  In In re Wawa Inc. Data Security Litigation, No. 2:19-cv-06019 (E.D. Pa.), a group of credit unions alleged that the convenience store chain’s failure to abide by the PCI DSS (the payment card industry’s data security standards) should be the standard of care for determining a negligence claim.  In opposition to the motion, the plaintiffs argued that Wawa had an independent common law duty to use reasonable care to safeguard the data used by credit and debit cards for payments.  The parties held oral argument in November and a decision remains pending.  Our previous coverage provides more information.

While some commentators have reported a trend this year towards viewing standing in data privacy cases to be more permissive towards plaintiffs, at least one court this year paused this trend.  In Blahous v. Sarrell Regional Dental Center for Public Health, Inc., No. 2:19-cv-00798 (N.D. Ala.), a group of patients filed suit against a dental provider due to an alleged data breach.  After conducting an investigation, the defendant determined that there was no evidence that any breached files were copied, downloaded, or otherwise removed.  This factual finding was included in the notice that the defendant sent to its patients.

The court rejected the plaintiff’s argument and granted the defendant’s motion to dismiss.  Crucial to the court’s opinion was that there were no allegations that suggested any disclosure of the acquired data, “such as an actual review by a third party,” had occurred.  The court stated “the fact that the [b]reach occurred cannot in and of itself be enough, in the absence of any imminent or likely misuse of protected data, to provide Plaintiffs with standing to sue.”  The court looked to the notice of the data breach and observed “[t]he [n]otice upon whose basis the Plaintiffs sue, included as exhibits to their own pleading, denies that any personal information was copied, downloaded, or removed from the network, despite Plaintiffs’ mistaken belief to the contrary.”

Perhaps the biggest takeaway of Blahous is that the disclosure of a patient’s Social Security number and health treatment information were not sufficient for standing.  This was contrary to other decisions where the absence of a Social Security number in a data breach specifically led a court to conclude there was no injury.  See Antman v. Uber Technologies, No. 3:15-cv-01175 (N.D. Cal.) (allegations are not sufficient when the complaint alleged “only the theft of names and driver’s licenses. Without a hack of information such as social security numbers, account numbers, or credit card numbers, there is no obvious, credible risk of identity theft that risks real, immediate injury.”).

Another case highlighted the current circuit split concerning injury in data breaches.  In Hartigan v. Macy’s, No. 1:20-cv-10551 (D. Mass.), a Macy’s customer filed a class action lawsuit after his personal information was leaked due to a breach through Macy’s online shopping platform.  The court granted Macy’s motion to dismiss, attributing three reasons for its holding:  (1) the plaintiff did not allege fraudulent use or attempted use of his personal information to commit identity theft; (2) the stolen information “was not highly sensitive or immutable like social security numbers”; and (3) immediately cancelling a disclosed credit card can eliminate the risk of future fraud.

Hartigan has at least two takeaways.  First, the change brought by Blahous may be an anomaly.  In Blahous, the court found no standing when a Social Security number was disclosed.  The Hartigan court, however, specifically stated that the absence of any disclosed Social Security numbers was a reason why the plaintiff did not suffer an injury.  Although issued later in the year, the Hartigan court did not cite Blahous or any opinion from within the Eleventh Circuit.

Second, Hartigan highlighted the current circuit split regarding standing in data breach cases.  The court’s analysis was based on First Circuit precedent that was issued prior to the Supreme Court’s decision in Clapper.  The court then looked to six other circuits for guidance.  It cited opinions in the D.C. and Ninth Circuits that suggested the disclosure of “sensitive personal information,” like Social Security numbers, creates a substantial risk of an injury.  It then looked to opinions from the Fourth, Seventh, and Ninth Circuits that suggested post-theft criminal activity created an injury.  Finally, it noted that the Third, Fourth, and Eighth Circuits found no standing in the absence of criminal activity allegations, even when Social Security numbers were disclosed.

Finally, no year-in-review would be complete without additional discussion of the CCPA (including in the area of standing).  At least one notable standing opinion highlights what may be to come.  In Fuentes v. Sunshine Behavioral Health Group, LLC, No. 8:20-cv-00487 (C.D. Cal.), a Pennsylvania resident filed suit against an operator of drug and alcohol rehabilitation treatment centers regarding an alleged data breach.  A significant issue was whether the plaintiff, a Pennsylvania resident that stayed in one of the defendant’s California facilities for one month, may be a “consumer” under the CCPA for standing purposes.

The defendant seized on the plaintiff’s residency issues for its motion to compel arbitration, or, in the alternative, to dismiss.  The defendant argued that the plaintiff’s one-month stay at a California treatment facility did not make him a “consumer.”  The CCPA defines a “consumer” as “a natural person who is a California resident,” as defined by California regulations.  Cal. Civ. Code § 1798.150(h).  That part of the California Code of Regulations includes in its definition of “resident”:  (1) individuals who are in California for other than a temporary or transitory purpose; or (2) individuals domiciled in California who are outside the state for a temporary or transitory purpose.

Unfortunately, the court did not evaluate this issue because the parties voluntarily dismissed the suit prior to a decision.

Trends in 2021

The nation’s political landscape and the pending circuit split will likely fuel developments in 2021.

With a new Congress arriving shortly, most eyes are watching to see whether the 117th Congress will finally bring about comprehensive federal data privacy legislation.  Of the previously introduced federal legislation, one point of difference has been whether there should be a private cause of action.  The CCPA, which permits private causes of action for California residents, may be one source of influence.  Should federal legislation recognize a private cause of action, cases like Fuentes may foreshadow a standing argument to come.

The change of administration will also likely influence data privacy trends.  The Vice President-Elect’s prior experience with data privacy issues may place her on point for any federal action.  When she was Attorney General of California, the Vice President-Elect had an active interest in data privacy issues.  In January 2013, her office oversaw the creation of the Privacy Enforcement and Protection Unit of the California Attorney General’s Office, which was created to enforce laws related to data breaches, identity theft, and cyber privacy.  The Vice President-Elect also secured several settlements with large companies, some of which required creation of specific privacy-focused offices within settling companies, such as a chief privacy officer (mirroring recent trends discussed above).

2021 may also be the year of the Supreme Court.  In recent years, the Supreme Court has denied several cert petitions in cases involving data breaches.  2021, however, may be the year when we see the nation’s highest court decide who has standing in a data breach and when an injury occurs.  Several high-profile data privacy cases have increased the public’s attention to data issues, such as the recent creation of two MDLs.  Additionally, the circuit split referenced in Hartigan may be coming to a head.  Finally, the implementation of the CCPA and possibility of federal legislation may make this the year of data privacy.

CPW will be there to cover these developments, as they occur.  Stay tuned.


© Copyright 2020 Squire Patton Boggs (US) LLP

Trump Signs IoT Cybersecurity Improvement Act into Law

On Dec. 4, 2020, President Donald Trump signed into law the bipartisan-backed Internet of Things Cybersecurity Improvement Act of 2020. By its terms, the new law applies solely to federal government agencies, but its downstream consequences are likely to reach further, impacting devices procured by the federal government and—likely, eventually—consumer devices.

Internet of Things (IoT) devices are in widespread use, most visibly by consumers of new smart home devices. The new law defines IoT devices as those devices that:

  1. Interact with the physical world
  2. Have a network interface for transmitting or receiving information via the internet
  3. Are not conventional information technology devices such as smartphones or laptops and cannot function as a component of another device such as a processor

Despite having a highly technical definition, IoT devices are common and becoming increasingly so. You probably even have several in your home or office, with many wireless devices—like refrigerators, smart speakers, networked printers, security systems and locks—satisfying this definition of an IoT device.

Though perhaps less visible than consumer adoption of IoT devices, the federal government’s use of IoT devices is increasing and, given the federal government’s significant size and buying power, impacting the market in meaningful ways. For instance, the Environmental Protection Agency (EPA) uses sensors that transmit data regarding weather conditions. Customs and Border Protection (CBP) uses autonomous surveillance towers that detect and identify items of interest at the border. NASA even uses spacesuits that monitor and transmit data regarding astronauts’ vital signs. Although these items often serve more sophisticated functions than IoT devices purchased and used by consumers, many of the underlying technologies are similar or even identical.

Despite, or perhaps because of, their growing adoption, IoT devices are generally viewed as being more vulnerable to cyberattacks and subject to abuse as part of distributed denial of service (DDoS) attacks.

The IoT Cybersecurity Improvement Act seeks to reduce those risks, at least among IoT devices procured by the federal government. To achieve this goal, the new law:

  1. Tasks the National Institute of Standards and Technology (NIST) with developing, publishing and updating security standards for IoT devices
  2. Requires the Office of Management and Budget (OMB) to review each federal agency’s information security policies to ensure they comply with the standards NIST promulgates for IoT devices
  3. Prohibits federal agencies from procuring any devices that fail to comply with NIST’s standards

Although NIST’s standards are not yet drafted and, even when they are, will not impose any direct requirements on the private sector, it is important for all device manufacturers and sellers to pay close attention to developments. The sheer size and scope of the federal government’s buying power may result in private sector businesses adopting the eventual NIST standards to ensure they can sell devices to the government. Similarly, the eventual NIST standards may provide a possible baseline for private sector businesses to satisfy and bring themselves into compliance with state IoT security laws that require “reasonable security features.”


Copyright © 2020 Godfrey & Kahn S.C.

What Lawyers Can Learn from the Rise of Telehealth

Like most industries during the COVID-19 pandemic, law firms have been forced to take their operations online. In a field dominated by face-to-face interactions which build trust and create mutual understanding, the absence of this basic human function poses a major challenge. Simple technology so far has been the key replacement for today’s attorney-client relationships, but law firms need more than email and cell phones to run their practices these days.

Much like lawyers, doctors have faced similar challenges of needing to continue to provide quality care and service, while doing so virtually. Luckily for doctors, the infrastructure of telemedicine was already at their fingertips, though adoption of the service was extremely low before the onset of COVID-19. Virtual visits are now estimated to top 1 billion by the end of 2020 based on Forrester’s analysis. What can lawyers learn from telehealth’s initial growing pains and subsequent successes in order to make their practices efficient and effective?

The Rise of Digital Care

Telemedicine is broadly defined as the use of electronic communications and software to monitor and treat patients in lieu of an in-patient visit. At its simplest form it sounds like a quick and convenient way to meet with your doctor, and in an on-demand world, it seems to be a no-brainer from a patient’s perspective. So why was adoption so low upon the initial roll out?

Lack of Awareness

66% of people interviewed by J.D. Power in 2019 said they were not aware of telehealth services or it was not available to them.

Fear of Costs

Many insurance providers made it harder for patients and doctors alike to use telemedicine by only offering certain visits via telehealth. Doctors were also getting paid less and more slowly for these appointments.

Desire for in-person care

When you’re not feeling well, being reassured by another human can be some of the best medicine which often does not translate very well to an app experience.

Of course many of our habits and rules went out the window in March of 2020 and adoption of telehealth has increased out of pure necessity. Just as patients still need to visit with their doctors regularly, clients still need services from lawyers. Here are a few ways COVID-19 is affecting law firms.

How Lawyers Can Replicate Success

Law firms can’t wait 10 years for the adoption of a digital practice, and building one from scratch isn’t in the cards either. By automating your firm with law practice management software, you can have your business up and running in a virtual capacity in no time. Let’s look at how you can have immediate success with this technology as opposed to the slow burn of telemedicine.

Lack of Awareness

One of the quickest ways to grow your client list is through word-of-mouth recommendations. In the same J.D. Power survey of telemedicine users, they found that “positive recommendations from others led nearly two-thirds (65%) of telehealth users to try the service.” The key to gaining a customer by word-of-mouth is to first provide quality service, and in a remote world, that often means quick response times and seamless interactions. Today’s law practice management tools allow you to be alerted when any changes are made to a client’s account, resulting in faster service. If your client feels that attention, they’ll be more likely to recommend your firm to their peers.

Fear of Costs

Unlike medical patients who often have to deal with cumbersome insurance plans and third party collections teams, your clients should pay their invoices as if they were checking out at an online retailer. With increased transparency thanks to the speed and accuracy of online payment functions which many law firms are adopting, clients won’t feel apprehensive or overwhelmed about the money they owe.

Desire for in-person care

While telehealth can’t replicate the reassuring touch of a doctor, it does open up a great line of communication. Today’s case management tools elevate your client communication by storing all your messages in one place. The days of sifting through binders, then scrolling through email, and finally browsing a rolodex are over. Everything from start to finish of a case or matter can be accessed instantly with today’s technology so you can maintain a full picture of your clients’ needs as if you were in the room together.

Just as doctors have embraced telehealth and finally seen the tools take off, law firms will see the same benefits as they begin to transition online. Practice management software can help your firm gain word-of-mouth clients in a digital world through quick service thanks to real-time updates, create client trust through financial transparency, and ensure smooth communication via powerful CRMs.


© Copyright 2020 PracticePanther

A Lawyer’s Guide to Enterprise Telecommunications Services Agreements—Part 2

This is the second entry in our series on enterprise telecommunications services agreements, providing a framework for addressing the customer’s interests and risks in enterprise telecommunications services agreements.

While each carrier’s standard agreement is different, these agreements have three core components:

  1. The carrier’s standard policies and rules applicable to its services
  2. The legal terms and conditions or master agreement
  3. The business deal

Aspects of the business deal are distributed among these components.

Standard Policies and Rules

Carriers’ standard policies and rules governing customers’ use of their services primarily reside online and are incorporated by reference into services agreements. These include the carrier’s:

  • Acceptable Use Policy (AUP)
  • Network Security Policy
  • Privacy Policy
  • Service Level Agreements (SLAs) (sometimes SLAs are provided as attachments to the master agreement)
  • Service Pricing Schedules

Carriers reserve the right to modify these documents by posting revisions online with customer’s recourse for problematic changes limited to the right to terminate the service or the agreement—a non-starter for customers. As discussed below, changes to pricing schedules are intended to be less impactful.

The AUP sets out prohibited uses or abuses of its services that a carrier believes will damage its network, violate laws, or impair use of the service by others. The scope can be very broad, addressing such matters as copyright violations, interference with carrier network operations, and limitations on how the service may be used. To minimize uncertainty, the carrier may agree that the AUP in effect on an agreement’s effective date controls for the life of the agreement. For violations, carriers reserve the right to terminate service. This poses an untenable risk to enterprises, which largely share the carrier’s interest in stopping any abuse.

A customer-oriented approach is to add a provision to the agreement that states, in the event of an alleged or actual AUP violation, the carrier shall promptly notify the customer of the abuse, providing a brief period to remedy the offending conduct or demonstrate that there was no violation. The carrier may insist on the right to suspend the affected service until the violation ceases. This approach underscores the importance of including a thoughtful precedence clause so that an agreed modification to the AUP, and to any other online document, controls in the event of a conflict.

A carrier’s privacy policy must reasonably meet the most stringent state and foreign privacy laws in which it operates, which suggests major carriers’ policies are reasonably comprehensive. However, the prospective carrier’s policy should be reviewed to determine whether major gaps or variances exist as compared to the enterprise’s privacy policy. Several carriers maintain and update network security policies and practices that may be summarized in a Network Security Policy document. This document is both high level and non-negotiable. It is provided as an assurance that the carrier is vigilant in maintaining network security.

SLAs are service-specific and vary among carriers. Whether an SLA is sufficient is a business decision. SLAs specify latency, availability, Mean Time to Repair (MTTR), and other technical performance requirements, and may include customer reporting obligations, escalation procedures, and billing credits for outages. Invariably, outage credits are nominal.  As a rule, the substance of SLAs is not negotiable, but the consequences of recurring SLA violations may be addressed, as discussed below.

The rates in the service pricing schedules are the carriers’ “rack rates.” A key element of the business deal is the negotiated rates for the desired services. These are included in attachments to the master agreement. The carriers routinely agree that the negotiated rates take precedence over rates in their pricing schedules.

Terms and Conditions (Master Agreement)

The legal terms and conditions that the enterprise has adopted for its template agreements are an appropriate baseline for assessing the legal terms and conditions of the carriers’ standard agreements. Negotiated provisions in cloud services agreements or collocation agreements may be relevant as well.

The termination right in most agreements for material breach has limited value in telecommunications services agreements. Problems tend to be service- or location-specific. An unplanned transition of hundreds of locations to a replacement carrier is not an optimum outcome for many customers. However problematic the service, connectivity to enterprise locations must be maintained. Persistent, significant billing or provisioning issues may warrant termination.

On the other hand, a tiered set of remedies that include a partial termination right is likely more helpful. Recurring SLA violations could trigger a carrier to conduct a root cause analysis and provide a remediation plan or a reprovisioning obligation for the affected service or customer location(s). If the problem persists, the customer should have the option to terminate the affected service(s). The incumbent carrier should be obligated to continue to deliver the problematic service, including any access component, for at least 90 days without charge, and the incumbent should be obligated to support the transition to another carrier’s replacement service.

Carriers limit their damages to an amount tied to the affected services or the negotiated minimum commitment, so securing cover damages is a challenge. As with partial terminations, a realistic transition period for continued service and support in migrating to replacement services should be part of any remedy for the carrier’s material breach of the agreement.

Customer preferences on dispute resolution (litigation or arbitration) and venue should be negotiated. Mutual disclaimers on consequential damages are standard. Choice of law may be a greater concern for agreements with substantial international and foreign services. An informal billing dispute process that precedes formal dispute resolution is recommended, as carrier billing systems and processes are often problematic.

SLAs are the service warranties—implied warranties of fitness for a particular purpose and merchantability are disclaimed. An intellectual property warranty is not routinely offered to customers. The carriers’ agreements often do include an intellectual property indemnity and may include personal injury and property damage indemnities, all of which warrant review by enterprise counsel.

A confidential information provision should encompass information relating to the customer’s traffic and usage levels, network design, and any consolidated list of enterprise locations, even if not marked “Confidential.” The customer information provided in RFPs to carriers should be included within the scope of this provision. The carrier will likely insist that the agreement and negotiated pricing be kept confidential.

A less-obvious consideration is what happens at contract expiration. For enterprises with hundreds of locations, transitions entail monetary costs and operational challenges.  Existing services must remain until replacement services are provisioned to customer locations.  Generally, installed services remain in use until orders to disconnect are placed with the lame-duck carrier, but negotiated rates routinely revert to that carrier’s standard pricing schedule rates—increasing 50% or more at contract expiration. Thus, a clause is warranted to ensure reasonable end-of-contract transition support and price stability (contract rates remain in effect) for a defined period.

The Business Deal

Negotiated rates and charges are lower than rates in carriers’ pricing schedules and, preferably, are expressed as fixed rates, rather than percentage discounts of rates in pricing schedules. Carriers acknowledge that negotiated rates take precedence over rates in pricing schedules. Non-recurring charges, principally provisioning costs, are often waived if the services remain in place for a defined period.

Carriers do not push aggressively for “exclusive service provider status.”  Customer preferences for an accountable service provider (or “one throat to choke”) and the integrated nature of enterprise voice and data services, coupled with the minimum expenditure commitment (either per year or for the contract term) often deliver a satisfactory outcome for a carrier. A customer’s failure to meet their minimum commitment typically triggers a shortfall payment obligation.

There are two other noteworthy pricing related provisions: (1) as noted above, a pricing review clause that requires at least one pricing review during a three-year term that allows the customer to call upon a reputable pricing consultant to assist in keeping rates at current market levels; and (2) a “business downturn” provision. This provision mitigates the risk of a substantial shortfall payment when a customer projects they are unlikely to meet their minimum expenditure commitment due to business slow-downs or a business unit sale or divestiture.

Other relevant non-pricing provisions are a customer option for one or two one-year renewal terms, as noted above; a technology review/upgrade clause, though drafting such a provision can be a challenge; and an account team support clause to ensure regular communications between enterprise staff and responsible carrier account team members.


© 2020 Keller and Heckman LLP
For more articles on enterprise telecommunications services agreements, visit the National Law Review Communications, Media & Internet section.

CNIL Fines Google and Amazon 135 Million Euros for Alleged Cookie Violations

On December 10, 2020, the French Data Protection Authority (the “CNIL”) announced that it has levied fines of €60 million on Google LLC and €40 million on Google Ireland Limited under the French cookie rules for their alleged failure to (1) obtain the consent of users of the French version of Google’s search engine (google.fr) before setting advertising cookies on their devices; (2) provide users with adequate information about the use of cookies; and (3) implement a fully effective opt-out mechanism to enable users to refuse cookies. On the same date, the CNIL announced that it has levied a fine of €35 million on Amazon Europe Core under the same rules for its alleged failure to (1) obtain the consent of users of the amazon.fr site before setting advertising cookies on their devices; and (2) provide adequate information about the use of cookies.

Background

The French cookie rules are laid down in (1) Article 82 of the French Data Protection Act, which implements into French law the provisions of the EU ePrivacy Directive governing the use of cookies; and (2) soft law instruments aimed at guiding operators in implementing Article 82 of the French Data Protection Act in practice.

While the provisions of Article 82 of the French Data Protection Act have remained unchanged, the CNIL revised its soft law instruments to take into account the strengthened consent requirements of the EU General Data Protection Regulation (“GDPR”). On July 18, 2019, the CNIL published new guidelines on the use of cookies and similar technologies (the “Guidelines”). The Guidelines repealed the CNIL’s 2013 cookie recommendations that were no longer valid in light of the GDPR’s consent requirements. The Guidelines were to be complemented by recommendations on the practical modalities for obtaining users’ consent to set or read non-essential cookies and similar technologies on their devices (the “Recommendations”). On October 1, 2020, the CNIL published a revised version of its Guidelines and its final Recommendations. The CNIL announced that it would allow for a transition period of six months to comply with the new cookie law rules (i.e., until the end of March 2021), and that it would carry out inspections to enforce the new rules after that transition period. However, the CNIL made clear that it reserves the right to take action against certain infringements, especially in cases of particularly serious infringements of the right to privacy. In addition, the CNIL announced that it would continue to investigate infringements of the previous cookie law rules.

Against that background, in December 2019 and on March 6 and May 19, 2020, the CNIL carried out three remote inspections of the amazon.fr website and an onsite inspection at the premises of the French establishment of the Amazon group, Amazon Online France SAS. On March 16, 2020, the CNIL also carried out a remote inspection of the google.fr site. These inspections aimed to verify whether Google LLC, Google Ireland Limited and Amazon Europe Core complied with the French Data Protection Act, and in particular with its Article 82, when setting or reading non-essential cookies on the devices of users living in France who visited the google.fr and amazon.fr websites. In its press releases, the CNIL stressed that its sanctions against Google and Amazon punished breaches of obligations that existed before the GDPR and are not part of the obligations clarified by the new Guidelines and Recommendations.

CNIL’s Jurisdiction Over Google Ireland Limited’s and Amazon Europe Core’s Cookie Practices

Google and Amazon challenged the jurisdiction of the CNIL arguing that (1) the cooperation mechanism of the GDPR (known as the one-stop-shop mechanism) should apply and the CNIL is not their lead supervisory authority for the purposes of that mechanism; and (2) their cookie practices do not fall within the territorial scope of the French Data Protection Act. Pursuant to Article 3 of the French Data Protection Act, it applies to the processing of personal data carried out in the context of the activities of an establishment of a data controller (or data processor) in France. In that respect, Amazon argued that its French establishment was not involved in the setting of cookies on the amazon.fr site and that there is no inextricable link between the activities of the French establishment and the setting of cookies by Amazon Europe Core, the Luxembourg affiliate of the Amazon group, responsible for the European Amazon websites, including the French site. Google argued that, because the one-stop-shop mechanism should apply, its Irish affiliate, Google Ireland Limited, is the actual headquarters of the Google group in Europe and thus its main establishment for the purposes of the one-stop-shop mechanism. Accordingly, the Irish Data Protection Commissioner would be the only competent supervisory authority.

Inapplicability of the One-Stop-Shop Mechanism of the GDPR

In the initial version of its Guidelines, the CNIL made clear that it may take any corrective measures and sanctions under Article 82 of the French Data Protection Act, independently of the GDPR’s cooperation and consistency mechanisms, because the French cookie rules are based on the EU ePrivacy Directive and not the GDPR. Unsurprisingly, therefore, the CNIL rejected the arguments of Google and Amazon, considering that the EU ePrivacy Directive provides for its own mechanism, designed to implement and control its application. Accordingly, the CNIL concluded that the one-stop-shop mechanism of the GDPR does not apply to the enforcement of the provisions of the EU ePrivacy Directive, as implemented under French law.

To prevent such a situation in the future and ensure consistent interpretation and enforcement of both sets of rules, the European Data Protection Board (the “EDPB”) has called for the GDPR’s cooperation and consistency mechanism to be used for the supervision of the future cookie rules under the ePrivacy Regulation, which will replace the ePrivacy Directive. The CNIL did not wish to pre-empt this future development, and applied the relevant texts literally in its cases against Google and Amazon.

CNIL’s Territorial Jurisdiction

The CNIL, citing the rulings of the Court of Justice of the European Union in the Google Spain and Wirtschaftsakademie cases, took the view that the use of cookies on the French site (google.fr and amazon.fr respectively) was carried out in the context of the activities of the French establishment of the companies, because that establishment promotes their respective products and services in France.

Controllership Status of Google LLC

Following his investigation, the Rapporteur of the CNIL considered that Google Ireland Limited and Google LLC are joint controllers in respect of the processing consisting in accessing or storing information on the device of Google Search users living in France.

Google argued that Google Ireland Limited is solely responsible for those operations and that Google LLC is a processor. Google stressed that (1) its Irish affiliate participates in the various decision-making bodies and in the different stages of the decision-making process implemented by the group to define the characteristics of the cookies set on Google Search; and (2) differences exist between the cookies set on European users’ devices and those set on the devices of other users (e.g., shorter retention periods, no personalized ads served to children within the meaning of the GDPR, etc.), which demonstrate the decision-making autonomy of Google Ireland Limited.

In its decision, the CNIL found that Google LLC is also represented in the bodies that adopt decisions relating to the deployment of Google products within the European Economic Area and in Switzerland, and to the processing of personal data of users living in those regions. The CNIL also found that Google LLC exercises a decisive influence in those decision-making bodies. The CNIL further found that the differences in the cookie practices were just differences in implementation, mainly intended to comply with EU law. According to the CNIL, those differences do not affect the global advertising purpose for which the cookies are used. In the CNIL’s view, this purpose is also determined by Google LLC, and the differences invoked by Google are not sufficient to demonstrate the decision-making autonomy of Google Ireland Limited. In addition, the CNIL found that Google LLC also participates in the determination of the means of processing since Google LLC designs and builds the technology of cookies set on the European users’ devices. The CNIL concluded that Google LLC and Google Ireland Limited are joint controllers.

Cookie Violations

Setting of advertising cookies without obtaining the user’s prior consent

The CNIL’s inspection of the google.fr website revealed that, when users visited that site, seven cookies were automatically set on their device. Four of these cookies were advertising cookies.

In the case of Amazon, the investigation revealed that, whenever users first visited the home page of the amazon.fr website or visited the site after they clicked on an ad published on another site, more than 40 advertising cookies were automatically set on their device.

Since advertising cookies require users’ prior consent, the CNIL concluded that the companies failed to comply with the cookie consent requirement of Article 82 of the French Data Protection Act.

Lack of adequate information provided to users

When the CNIL inspected the google.fr website, the CNIL found that an information banner was displayed at the bottom of the page, with the following note: “Privacy reminder from Google,” and two buttons: “Remind me later” and “Access now.” According to the CNIL, the banner did not provide users with information regarding the cookies that were already set on their device. Further, that information was also not immediately provided when users clicked on the “Access now” button. Google amended its cookie practices in September 2020. However, the CNIL found that the new pop-up window does not provide clear and complete information to users under Article 82 of the French Data Protection Act. In the CNIL’s view, the new pop-up window does not inform users of all the purposes of the cookies and the means available to them to refuse cookies. In particular, the CNIL found that the information provided to users does not enable them to understand the type of content and ads that may be personalized based on their behavior (e.g., whether this is geolocation-based advertising), the precise nature of the Google services that use personalization, and whether this personalization is carried out across different services. Further, the CNIL found that the terms “options” or “See more” in the new window are not explicit enough to enable users to understand how they can refuse cookies.

When inspecting the amazon.fr website, the CNIL found that the information provided to users was neither clear, nor complete. The cookie banner displayed on the site provided a general and approximate description of the purposes of the cookies (“to offer and improve our services”). Further, according to the CNIL, the “Read more” link included in the banner did not explain to users that they could refuse cookies, nor how to do so. The CNIL found that Amazon Europe Core’s failure to provide adequate information was even more obvious in the case of users visiting the site after they had clicked on an ad published on another site. In this case, no information was provided to them.

Opt-out mechanism partially defective

In the case of Google, the CNIL also found that, when a user deactivated the ad personalization on Google Search by using the mechanism available from the “Access now” button, one of the advertising cookies was still stored on the user’s device and kept reading information destined for the server to which the cookie was attached. The CNIL concluded that the opt-out mechanism was partially defective.
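The three findings above (non-essential cookies set on page load before any consent, banner text that does not describe the cookies actually set, and an opt-out that leaves an advertising cookie behind) map onto three concrete engineering controls. The following is an added example, not code from the CNIL, Google or Amazon: an in-memory model of a consent-gated cookie layer in which every cookie is set through one choke point that checks the consent record, the banner text is generated from the same catalogue the code enforces, and withdrawing consent both blocks new cookies and deletes the ones already present. The cookie names, categories and purpose strings are constructed for illustration, and the `CookieJar` class stands in for `document.cookie` so the example runs outside a browser.

```javascript
// Added example (not CNIL, Google or Amazon code): a consent-gated cookie layer
// that contrasts a defective opt-out (records the refusal but leaves cookies on
// the device) with a correct one (also deletes them). All names are constructed.

// Constructed catalogue: every cookie the site may set, with its purpose
// category. Only "essential" cookies may be set without consent.
const COOKIE_CATALOGUE = {
  session_id: { category: "essential",   purpose: "keeps you logged in" },
  csrf_token: { category: "essential",   purpose: "protects forms against CSRF" },
  ad_id:      { category: "advertising", purpose: "personalised ads" },
  ad_segment: { category: "advertising", purpose: "audience segment for ads" },
  stats_uid:  { category: "analytics",   purpose: "audience measurement" },
};

// In-memory stand-in for document.cookie so the example runs outside a browser.
class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  delete(name) { this.store.delete(name); }
  names() { return [...this.store.keys()].sort(); }
}

// Consent record: category -> true/false. A missing entry means the banner has
// not been answered yet, which is treated as refusal (no implied consent).
function isPermitted(consent, name) {
  const entry = COOKIE_CATALOGUE[name];
  if (!entry) throw new Error(`unknown cookie ${name}: add it to the catalogue first`);
  return entry.category === "essential" || consent[entry.category] === true;
}

// Single choke point for setting cookies: refuses anything not permitted.
function setCookie(jar, consent, name, value) {
  if (!isPermitted(consent, name)) return false;
  jar.set(name, value);
  return true;
}

// Everything a page load tries to set; returns the names actually set.
function onPageLoad(jar, consent) {
  const attempted = ["session_id", "csrf_token", "ad_id", "ad_segment", "stats_uid"];
  return attempted.filter((n) => setCookie(jar, consent, n, "constructed-value"));
}

// Audit: cookies present on the device without permission for their category.
// An empty list is the state a compliant site must reach after a refusal.
function auditViolations(jar, consent) {
  return jar.names().filter((n) => !isPermitted(consent, n));
}

// Defective opt-out of the kind described above: it records the refusal, so no
// new advertising cookies are set, but never removes the ones already stored.
function withdrawConsentDefective(jar, consent, category) {
  consent[category] = false;
  return auditViolations(jar, consent);
}

// Correct opt-out: record the refusal and delete every stored cookie of that
// category, then re-audit to confirm nothing is left behind.
function withdrawConsent(jar, consent, category) {
  consent[category] = false;
  for (const name of jar.names()) {
    const entry = COOKIE_CATALOGUE[name];
    if (entry && entry.category === category) jar.delete(name);
  }
  return auditViolations(jar, consent);
}

// Banner text for one category, generated from the enforced catalogue so the
// information shown to users cannot drift from the cookies actually set.
function describeCategory(category) {
  return Object.entries(COOKIE_CATALOGUE)
    .filter(([, e]) => e.category === category)
    .map(([n, e]) => `${n}: ${e.purpose}`);
}

// Walk through the scenario: first visit, acceptance, then the two opt-outs.
function demo() {
  const jar = new CookieJar();
  const consent = {};                                  // banner not yet answered
  const setBeforeConsent = onPageLoad(jar, consent);   // essential cookies only
  consent.advertising = true;                          // user accepts advertising
  onPageLoad(jar, consent);                            // advertising cookies now set
  const leftBehind = withdrawConsentDefective(jar, consent, "advertising");
  const afterFix = withdrawConsent(jar, consent, "advertising");
  return { setBeforeConsent, leftBehind, afterFix, bannerText: describeCategory("advertising") };
}

console.log(demo());
```

The point of routing every cookie through `setCookie` is that the pre-consent page load can only ever produce the essential set, whatever scripts are added later; the point of `auditViolations` is that an opt-out is verified by inspecting the device state afterwards rather than by trusting that the setting code stopped running.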

CNIL’s Sanctions

In setting the fines in both cases, the CNIL took into account the seriousness of the breaches of Article 82 of the French Data Protection Act, the high number of users affected by those breaches, and the financial benefits deriving from the advertising income indirectly generated from the data collected by the advertising cookies. Interestingly, in the case of Google, the CNIL cited a decision of the French Competition Authority and referred to Google’s dominant position in the online search market.

In both cases, the CNIL noted that the companies amended their cookie practices in September 2020 and stopped automatically setting advertising cookies. However, the CNIL found that the new information provided to users is still not adequate. Accordingly, the CNIL ordered the three companies to provide adequate information to users about the use of cookies on their respective sites. The CNIL also ordered a periodic penalty payment of €100,000 (i.e., the maximum amount permitted under the French Data Protection Act) for each day of delay in complying with the injunction, commencing three months following notification of the CNIL’s decision in each case.

The CNIL addressed its decisions to the French establishment of the companies in order to enforce these decisions. The companies have four months to appeal the respective decision before France’s highest administrative court (Conseil d’Etat).

Read the CNIL’s decision against Google LLC and Google Ireland Limited and the CNIL’s decision against Amazon Europe Core (currently available only in French).

Copyright © 2020, Hunton Andrews Kurth LLP. All Rights Reserved.


ARTICLE BY Hunton Andrews Kurth’s Privacy and Cybersecurity



Pardon My Drone

If we think about drones, we probably think about remote-controlled assassination machines manned by the Mossad or “fly-through” tours of the homes of the rich and famous.  What we (or at least I) didn’t think about were artificially intelligent police drones that can be sent out by 911 dispatchers to the scene of the crime and follow the bad guys around until they do something they can be arrested for.  At least four U.S. cities currently use these remotely-controlled – and self-controlled – investigation tools. No more out-of-shape cops trying to climb chain link fences in hot pursuit of more fit criminals!  Hill Street Drones.

Drone use is now exploding in creativity. “Dehogifier” drones with heat sensors will tell you when wild hogs are destroying your crops. The Spotify Party Drone hovers over you in line at festivals to play your favorite songs. Russia and China are using drones disguised as birds.

Which started me thinking.  Now that smart drones have utterly transformed warfare and policing, not to mention real estate, what’s next? I have ideas:

  • Gecko Cam: GEICO Insurance customers are astounded to see their rates increase after the insurance carrier famous for its British spokeslizard deploys smart drones to watch your driving habits.  No word whether they will be disguised as pterodactyls or flying dragon lizards.  GEICO’s got you covered.
  • The Daddy Drone: Helicopter parenting is so 2000.  Just program the Daddy Drone with your daughter’s favorite haunts and voila! No need to prowl the neighborhood with your lights off or to wake up her BFF’s parents to cross-check her alibi. Integrate with Alexa or Siri and you can ground your kid from the comfort of your bed in a variety of celebrity voices!
  • Poli-Sci Fi: Did your favorite candidate just narrowly lose an election?  Are you a civic-minded soul who just wants every legal vote counted (as long as it was for your candidate)?  Well, no need to stand around all day in costume and argue with your neighbors; let your drone do the dirty work.  Available in red, white and blue.
  • Karen Camera: Are you tired of enforcing the homeowner association rules from your minivan?  Have you been assaulted by threatening bird watchers and need the proof before calling 911?  Smile, you’re on Karen Camera!
  • The Gym Rat: Who didn’t wipe down the elliptical?  Who left those wet towels all over the locker room?  You did and we can prove it.  Your gym membership just became a little more expensive.  Feel the burn.

Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.

ICE COLD MOVE: US Government Warns of Cybercriminals Targeting Cold Supply Chain for COVID-19 Vaccine

No supply chain is immune from cyberattacks.  Unfortunately, this includes the supply chain for the COVID-19 vaccine.

Yesterday the US Homeland Security Department issued a warning that a series of cyberattacks is underway aimed at the companies and government organizations that will be distributing coronavirus vaccines around the world.  Specifically, the attacks target the COVID-19 cold chain (an integral part of delivering and storing a vaccine at safe temperatures).

The warning cautions that “[i]mpersonating a biomedical company, cyber actors are sending phishing and spearphishing emails to executives and global organizations involved in vaccine storage and transport to harvest account credentials.  The emails have been posed as requests for quotations for participation in a vaccine program.”  It is unclear at this time whether these attacks are for purposes of stealing the technology for keeping the vaccines refrigerated in transit or for sabotaging distribution of the vaccine.

Josh Corman, the chief strategist for healthcare at the US Cybersecurity and Infrastructure Security Agency (“CISA”), commented that this underscored the need for “all organizations involved in vaccine storage and transport to harden attack surfaces, particularly in cold storage operation, and remain vigilant against all activity in this space.”

Although this warning was specific to the COVID cold supply chain, all organizations should take note as the core strategies utilized by cybercriminals cut across industries.


© Copyright 2020 Squire Patton Boggs (US) LLP

What’s “So” Important: Computer Fraud and Abuse Act Gets a Close Look from SCOTUS

In a case with significant ramifications for employers concerned with protecting sensitive information, and for employees accused of abusing access to computer networks, the United States Supreme Court (“SCOTUS”) heard oral argument this week in Van Buren v. United States, No. 19-783, a case from the Court of Appeals for the Eleventh Circuit that will require interpretation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030.  The argument was lively.  All of the Justices asked questions, and several expressed concern about vagueness in the CFAA’s definition of covered activity.  Much of the discussion centered on an alleged “parade of horribles,” and on the meaning of the word “so.”  We expect a relatively prompt decision.  Time will tell what SCOTUS will decide, but we would not be surprised to see a reversal and remand.

The CFAA has been a useful litigation tool for employers when confidential or other sensitive information accessed via computer is misappropriated, misused, or otherwise compromised. The CFAA generally prohibits obtaining sensitive information from a computer without authorization, or by exceeding authorized access, and, importantly, confers federal jurisdiction.  While it is a criminal statute, it also provides for a private right of action for those damaged by certain violations.  The issue now before SCOTUS in Van Buren is whether the CFAA is violated when someone with authorized access obtains information for an unauthorized purpose.  For example, when an employee who is authorized to access and use the employer’s computer-stored customer information for business purposes downloads the information to a thumb drive and shares it with a potential new employer, s/he plainly violates company policy.  But does s/he run afoul of the CFAA? Over time, a Circuit split has developed regarding this issue.

Van Buren is a criminal case in which Petitioner Nathan Van Buren, a police sergeant in Cumming, Georgia, was convicted of violating the CFAA.  The Eleventh Circuit affirmed his conviction and SCOTUS granted certiorari.  Briefly stated, as part of his duties Van Buren was granted authorized access to a database containing license plate and vehicle registration information maintained by the Georgia Crime Information Center (“GCIC”).  Training materials supplied to those with access to the GCIC database quite reasonably prohibit use of the database for personal purposes.  However, in return for cash payments, Van Buren agreed to, and did, use his authorized GCIC username and password to access a woman’s license and registration information in order to learn personal information about her on behalf of another individual.  There is no dispute that such use was not within the GCIC guidelines for authorized use. Accordingly, Van Buren used his authorized access to the GCIC database for an unauthorized purpose.  He was charged with, among other things, violating the CFAA.  He was convicted of the CFAA violation, sentenced to 18 months in prison, and he appealed.  The Eleventh Circuit upheld the conviction, holding, based on precedent within the Circuit, that the unauthorized use of authorized access does constitute a violation of the CFAA.

Because Van Buren was not an outsider or other unauthorized user hacking into the GCIC database, his conviction under the CFAA turns on application of the facts to the CFAA’s prohibition on “exceeding authorized access.” The CFAA defines “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”  18 U.S.C. 1030(e)(6) (emphasis added).  Generally, the First, Fifth, Seventh and Eleventh Circuits construe the definition broadly, finding CFAA violations against employees, for example, who access information they are entitled to obtain for certain purposes, but do so for unauthorized uses.  In other words, courts in those Circuits tend to focus on the purposes of authorized access and require computer users to stay within those purposes in order to avoid violations of the CFAA.  This interpretation would allow an employer to bring an action under the CFAA against an employee who, for example, misappropriates sensitive business information s/he was entitled to access as part of his or her job for use with a subsequent employer.  The Second, Fourth and Ninth Circuits, on the other hand, favor a narrower interpretation, in which there is no violation unless the accessed information at issue is, itself, not information the user is entitled to obtain or access at all.  Under that construction, an employee who obtains information from a database s/he is not otherwise permitted to use (e.g. restricted Human Resources information by someone not within the permitted sphere) would violate the CFAA while someone who misuses information s/he is otherwise entitled to access would not.

Van Buren is the first case to present the issue to SCOTUS.  Petitioner, with robust amici support from organizations like Reporters Committee for Freedom of the Press, National Whistleblower Center and technology companies, largely focused his arguments on the dangers of a “parade of horribles” that could arise from the broader interpretation. (See, e.g., Oral Argument at 8).  Petitioner posited that, for example, computer users who check Instagram on their work computers in violation of their employer’s computer use policies, or those who inflate their characteristics on a dating site, in violation of the stated terms of use of such sites, could be guilty of a federal crime should the Government choose to prosecute.  (Oral Argument 4, 22).  He argued that the CFAA is impermissibly vague and that any changes should be left to Congress.

The Government’s position that the CFAA should be broadly read was also supported by several amici, including the Electronic Privacy Information Center and the Digital Justice Foundation.  The Government contended that, pursuant to the definition, a user “exceeds authorized access” by accessing information that s/he did not have a right to access in the particular manner or circumstances used.  Thus, Van Buren violated the CFAA, according to the Government’s position, because he accessed the GCIC under circumstances other than for law enforcement purposes.  As part of its argument, the Government closely examined the meaning of the word “so” in the definition of “exceeds authorized access,” and contended that a person is “entitled so” to do something only when s/he has a right to do it in the particular manner or circumstance authorized.  Brief for the United States at 13.  Van Buren, on the other hand, contended that “so” refers only to “access[ing] a computer with authorization” such that an individual does not “exceed authorized access” if entitled to access the database in question at all. (Oral Argument at 21).

The questions from the Justices during oral argument closely followed those competing themes, further discussing the proper construction of the word “so,” and examining whether some of the more innocuous-sounding activities would actually constitute violations of the CFAA under the broader construction.  Some expressed concern about the privacy of the public if the CFAA is not construed to encompass, for example, government employees reviewing private information for purposes other than those called for in their jobs.  Oral Argument at 14.  Based on the overall tenor of the argument, SCOTUS may be prepared to agree with the more narrow interpretation currently favored by the Second, Fourth and Ninth Circuits, and to overturn Van Buren’s criminal conviction that turned on the broader interpretation. In any case, we will watch for a decision.

We observe that use of the CFAA in civil cases has already diminished in the last four years.  Passage of the Defense of Trade Secrets Act provides access to federal courts in circumstances where the CFAA was previously used to create federal jurisdiction.  And as explained above, use of the CFAA in such cases has been curtailed in several Circuits. It will be interesting to see whether the SCOTUS decision in Van Buren further restricts its utility.


©2020 Epstein Becker & Green, P.C. All rights reserved.

New U.K. Competition Unit to Focus on Facebook and Google, and Protecting News Publishers

You know your company has tremendous market power when an agency is created just to watch you.

That’s practically what has happened in the U.K., where the Competition and Markets Authority (CMA) has increased oversight of ad-driven digital platforms, namely Facebook and Google, by establishing a dedicated Digital Markets Unit (DMU). While it was created to enforce new laws governing any platform that dominates its respective market, when the new unit starts operating in April 2021 Facebook and Google will get its full attention.

The CMA says the intention of the unit is to “give consumers more choice and control over their data, help small businesses thrive, and ensure news outlets are not forced out by their bigger rivals.” While acknowledging the “huge benefits” these platforms offer businesses and society, helping people stay in touch and share creative content, and helping companies advertise their services, the CMA noted the growing concern that the concentration of market power among so few companies is hurting growth in the tech sector, reducing innovation and “potentially” having negative effects on their individual and business customers.

The CMA said a new code and the DMU will help ensure that the platforms are not forcing unfair terms on businesses, specifically mentioning “news publishers” and the goal of “helping enhance the sustainability of high-quality online journalism and news publishing.”

The unit will have the power to suspend, block and reverse the companies’ decisions, order them to comply with the law, and fine them.

The devil will be in the details of what the new code will require, and questions remain about what specific conduct the DMU will target and what actions it will take. Will it require the companies to pay license fees to publishers for presenting previews of their content? Will the unit reduce the user data the companies may access, something that would threaten their ad revenue? Will Facebook and Google have to share data with competitors? We will learn more when the code is drafted and when the DMU begins work in April.

Once again a European nation has taken the lead on the global stage to control the downsides of technologies and platforms that have transformed how people communicate and get their news, and how companies reach them to promote their products. With the U.S. deadlocked on so many policy matters, change in the U.S. appears most likely to come as the result of litigation, such as the Department of Justice’s suit against Google, the FTC’s anticipated suit against Facebook, and private antitrust actions brought by companies and individuals.

Edited by Tom Hagy for MoginRubin LLP.

© MoginRubin LLP

ARTICLE BY Mogin Rubin

You Took a PPP Loan. Now Get Ready to Talk About It.

Late on Tuesday, December 1, the U.S. Small Business Administration released detailed information about the borrowers who received loans from the federal government’s $659 billion Paycheck Protection and Economic Injury Disaster Loans Program.  The information released includes the names, precise amounts, addresses, industry codes, and lender information for the COVID-19 relief program’s roughly 5.2 million loans. The SBA had previously only released detailed information for loans above $150,000, and with dollar ranges rather than specified loan amounts.  A searchable database is located here.

Did your company, or perhaps one of your clients, apply for and accept a business loan from the Paycheck Protection Program (PPP) established by the US Federal government’s Coronavirus Aid, Relief, and Economic Security Act (CARES Act) to help certain businesses, self-employed workers, sole proprietors, nonprofit organizations and tribal businesses continue paying their workers?  If so, you must be prepared to answer questions about your acceptance of that loan if asked about it.

We have two former journalists on our staff.  Thom Fladung, our managing partner, is the former managing editor of Detroit Free Press, The Plain Dealer and the Akron Beacon Journal.  Before coming to Hennes Communications, Howard Fencl ran TV newsrooms for more than 20 years.  Both agree that once the loan recipient information goes up on a searchable, public database, it will immediately become “low-hanging fruit,” with news editors sending reporters out to do follow-up stories about who took what, how much and why.

Frankly, we don’t have any problem with this disclosure.  The SBA routinely makes public information about the dollars loaned to small businesses, so why should PPP dollars, disbursed from the U.S. Treasury Department, be any different?

What’s different this time is the sheer size of the PPP program and the fact that an extraordinary number of companies and professional service firms – and their clients – received these “forgivable loans,” in some cases worth multi-millions of dollars, as did a wide variety of schools and other organizations with large endowments.

While there are scores of reasons – all 100% legal and ethical – why a law firm or other organization took a PPP loan, crisis management specialists know that optics often overshadow facts.  And it isn’t just reporters who will shine a spotlight on loan recipients.  Social media activists may also seek to highlight businesses and organizations in the community that received the dollars – with a direct or implied demand for justification.

If your company or client’s business applied for and accepted PPP dollars in good faith, you must be prepared to defend the loan if questioned by the media or other stakeholders – without looking defensive.

As our good friend, Richard Levick, has said repeatedly, “Use peacetime wisely.”  Levick recently suggested making sure you’re ready to answer such questions as:

  • Did you easily fall within the PPP guidelines or did you have to manipulate the rules to fit?
  • Exactly how was the money used?
  • Did you have access to other funds?
  • Specifically for schools, what has been your historic commitment to scholarships, diversity and economically disadvantaged students? What would the absence of PPP money mean for the future of these programs?
  • How do you currently support your community and the small businesses within it?

Levick further suggested that companies and organizations that come across more sympathetically in this equation will more easily deflect criticism than those who appear to have profited from this stimulus plan.

Now is the time to think about those optics: about what your partners, clients, employees, customers, friends – as well as traditional and social media outlets – are going to think when they find out how much you received.

We are not recommending spin.  We’re talking, instead, of the exact opposite – transparency. If you took the dollars, we’re suggesting the creation of clear, succinct, direct messages and talking points that answer the questions most likely to be asked.

Additionally, once these questions are asked, you’ll probably have just minutes to respond, whether to reporters on deadline or to social media speculation that grows by the minute.


© 2020 Hennes Communications. All rights reserved.