Leveraging Your Microsoft Assets in this Remote Access World

The COVID-19 pandemic has led to an enormous increase in remote work. Organizations without remote access capabilities have adapted and implemented new solutions, while organizations with existing solutions have been forced to evaluate new capacity requirements and scale their solutions accordingly. You may be surprised to learn that your existing Microsoft assets include functionalities for remote access, and you can get rid of redundant or more costly solutions. Your Microsoft subscription, license, operating system, software, service, etc. should all be reviewed in some capacity at this time.

“In recent years, Microsoft has made a multitude of investments and changes to its portfolio and offerings,” says Scott Riser, Director of Microsoft and Data Management Services at Plan B Technologies, Inc. (PBT). “Some of these changes are quickly noticed during renewals or annual reviews, such as Microsoft Server Operating Systems licensing. However, many changes have happened ‘in the background’ and could easily be missed by organizations,” Riser says. “Make sure you’re taking advantage of your existing Microsoft assets, and know your entitlements – especially now.”

Most of these changes go beyond the typical Microsoft portfolio of Office products and Operating Systems. Microsoft has placed significant focus on the areas of security, video and audio conferencing, VoIP, virtual desktop, artificial intelligence, and cloud computing. Many of these Microsoft assets, which are likely already in your organization, are gaining additional functionality for your remote workforce. This can be done with minimal management overhead and lower implementation costs than competing third-party products. So how do you ensure that your organization is properly leveraging its current Microsoft assets?

Know What You Have

Leveraging Microsoft assets to the fullest starts with knowing what your organization has purchased, and to what it is entitled. This goes beyond Microsoft assets alone: a full inventory of software, services, and features within your environment should be performed sooner rather than later. This full evaluation serves three purposes. The first is that of an internal audit, to ensure your organization has the proper number of licenses for each product and to correct licensing infractions before you incur hefty true-up costs or additional licensing fees. The second purpose is educational, as it gives technical staff and administration an understanding of the entitlements each software product or service provides. This is particularly valuable since Microsoft 365 cloud subscriptions now include licenses for some on-premise systems. The third purpose of this evaluation is to identify overlaps in features and functionality among products, in order to lower costs, simplify management of the environment, and promote productivity.

Failure to perform a review of current entitlements can result in a significant overspend and an overly complicated environment that is more difficult to manage. For example, your organization could be using a third-party Multi-Factor Authentication (MFA) provider when an already purchased Microsoft subscription has MFA built in, or you may have purchased an MDM solution that overlaps with an existing entitlement to System Center and Windows Intune.

With information from these internal audits, organizations are better suited to make impactful decisions while controlling cost. Once your organization understands what it is entitled to within your existing environment, you must then determine situational awareness for future planning and sustainability. Items that should be included in planning for the future include (but are not limited to) security, management, user workflow and communication.

Secure the Environment

If your workforce is now remote, has your organizational data gone remote as well? Now that most organizations have been required to provide users with remote access, whether through Virtual Desktop Infrastructure (VDI), cloud-based applications or internet portals, the attack surface available to bad actors has never been larger. This puts organizations at greater risk of a security breach. Knowing this, Microsoft has invested billions of dollars to protect its product offerings and combat cyber criminals.

Microsoft now has a full portfolio of security offerings, and buildings full of teams dedicated to securing their services and platforms as well as assisting criminal investigations. User identity has become the new perimeter for data as organizations move to cloud-based technologies and a remote workforce. This has been the case for years as VPNs and firewalls have limited preventive impact when a bad actor has credentials to access them. Microsoft has been active in making user identity more secure with easily implemented tools and access policies while also integrating artificial intelligence and improved reporting. These products and features include Windows Hello, Azure Multifactor Authentication, Conditional Access, Credential Guard, and User Sign-in Risk Reporting/Alerting amongst others.

Identity, of course, is only one attack vector that can be exploited. Therefore, it is essential to secure end user devices and the infrastructure where data is located. Microsoft Defender and Advanced Threat Protection (ATP) are ideally suited to protect servers and end user devices when implemented properly. Plus, they are included in many Microsoft 365 subscriptions.

“In the past, Defender has received a stigma of being unreliable and faulty,” says Scott Riser, “but Defender has since become one of the most reliable pieces of security software available today. Why? According to Microsoft, over 1 billion devices are currently running the Windows 10 operating system, providing trillions of telemetry data points to continuously improve all Microsoft security services. And as a result, Microsoft has the largest security footprint in the world.”

The data provided by Defender from these devices is reported to artificial intelligence algorithms as well as Microsoft security teams to patch security flaws and update anti-virus definitions at unparalleled levels in the industry. It is also important to note that Microsoft Server Operating Systems utilize Defender, and the Defender platform can be upgraded to Defender ATP software to enhance built-in capabilities and provide additional security for on-premise data.

With an increasingly remote workforce, many organizations have moved their data to Exchange Online, SharePoint Online, and OneDrive for Business. Microsoft has built-in security solutions for these platforms as well. Depending on the Microsoft subscription that you’ve purchased, Exchange Online Protection, Azure Information Protection, Microsoft Advanced Threat Protection and Azure Advanced Threat Protection can all be utilized to secure data stored in these locations. Furthermore, Microsoft understands that some organizations require more control over their data and systems in Infrastructure as a Service solutions such as Azure and AWS. For this, a combination of Defender ATP and Azure Sentinel can provide real-time analytics and automated responses to detected breaches, based on custom workbooks, in a pay-as-you-go model.

All these security measures protect against bad actors attempting to breach an organization’s data. This of course does not protect an organization from internal threats, such as disgruntled employees or the inevitable human error. Organizations must now secure data from exfiltration which is not as simple as preventing all data from leaving the organization. The problem is more nuanced. A full lockdown, though simpler, would prevent your organization from essential collaboration with its staff and clients. Failing to protect data internally may result in proprietary data inadvertently shared with a client, or competitor, or being lost entirely. In healthcare and financial services, it can result in a loss of personal identifiable data, or banking information, which carry hefty fines from regulatory bodies.

Microsoft Data Loss Prevention (DLP) is the solution to this issue. With DLP, custom policies can be defined by an organization to determine data that should not leave the organization. It can also remind a user to review data being sent as it could possibly be confidential. DLP continues to gain traction in Microsoft 365 settings as the need to protect cloud-based collaboration platforms such as Teams and OneDrive grows. DLP can also be implemented in some areas of on-premise infrastructure. Exchange has built-in DLP features that often go overlooked. Organizations tend to use Mimecast, Proofpoint, and other third-party vendors for these solutions while the built-in functionality remains unconfigured.
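As an added illustration of the policy model described above (this is not code from the article, from PBT or from Microsoft DLP; the policy names, patterns, actions and sample messages are constructed assumptions), the following Python evaluates one outbound message against a few custom policies: it blocks on a U.S. SSN or a Luhn-valid payment card number and only warns the sender to review the message when a confidentiality marker is present.

```python
"""Minimal outbound-content DLP policy evaluator (added example, not vendor code).
Policies, patterns and thresholds below are illustrative assumptions."""
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Policy:
    name: str
    pattern: re.Pattern
    action: str                       # "block" stops the message, "warn" asks the user to review
    min_matches: int = 1              # how many validated hits trigger the policy
    validator: Optional[Callable[[str], bool]] = None   # optional false-positive filter


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from random 13-16 digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed policy set (assumption): two "block" policies and one "warn" policy.
POLICIES = [
    Policy("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "block"),
    Policy("payment_card", re.compile(r"\b(?:\d[ -]?){13,16}\b"), "block",
           validator=lambda m: luhn_ok(re.sub(r"\D", "", m))),
    Policy("confidential_marker",
           re.compile(r"\b(?:CONFIDENTIAL|ATTORNEY-CLIENT PRIVILEGED)\b", re.I), "warn"),
]


def evaluate_outbound(text: str) -> dict:
    """Return the decision for one outbound message ("block", "warn" or "allow")
    together with the policies that matched and their hit counts."""
    hits = {}
    for p in POLICIES:
        matches = [m for m in p.pattern.findall(text)
                   if p.validator is None or p.validator(m)]
        if len(matches) >= p.min_matches:
            hits[p.name] = len(matches)

    decision = "allow"
    for p in POLICIES:
        if p.name not in hits:
            continue
        if p.action == "block":      # any block policy wins over a warn policy
            decision = "block"
            break
        decision = "warn"
    return {"decision": decision, "hits": hits}


if __name__ == "__main__":
    # Constructed sample messages, not real data.
    samples = [
        "Hi, attached is the deck. Call me at 202-555-0100.",
        "Client SSN is 123-45-6789 for the filing.",
        "Card 4111 1111 1111 1111 exp 12/24",
        "Order ref 1234567890123 shipped.",
        "Please review the ATTORNEY-CLIENT PRIVILEGED memo before sending.",
    ]
    for s in samples:
        print(evaluate_outbound(s), "<-", s)
```

The Luhn validator is what keeps an order reference or tracking number from being treated as a card number; without it the card pattern alone would block legitimate collaboration, which is the over-lockdown problem the text describes.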

Device Management and Compliance

Another challenge of a remote workforce is the ability to maintain and manage devices, both corporate-owned and user-owned. Multiple organizations have made significant investments in System Center Configuration Manager (SCCM), only to find that policies and updates have not applied to end user devices unless they are on the network or connected via a VPN. Organizations can expand their SCCM environment to include cloud distribution and management points for devices that are not on-premise. But this is not always an ideal solution, as it requires additional infrastructure and configuration with SCCM. This has led to a rise in the use of Mobile Device Management and Mobile Application Management solutions such as Microsoft Intune. Through co-management, organizations can continue to utilize SCCM in conjunction with Intune for management of all devices regardless of corporate connectivity. This was further emphasized by the recent integration of the license offerings to provide Intune subscriptions for those with SCCM Client licensing and vice versa.

Collaboration and Communication

Securing and managing a remote work environment is important, but ensuring users can communicate and collaborate on work that was previously performed in the office is one of the biggest challenges, if not the biggest. Daily interactions between corporate users should be considered, since the opportunity for face-to-face interaction through office meetings, business lunches, and other personal touches has significantly declined. These interactions are now being held through chat programs and conference calls. External communication is one of the primary reasons that Microsoft is still considered the industry leader for collaboration software, with many companies utilizing the Microsoft Office suite.

A frequently overlooked solution included in your Microsoft 365 subscription is Microsoft Teams which provides instant messaging, document collaboration and audio/video teleconferencing. Furthermore, Microsoft Teams is integrated with and supported by other Microsoft products. It’s also governed by Advanced Threat Protection and Data Loss Prevention services to provide a more secure platform than its competitors with minimal (if any) additional investment. Microsoft Office can be customized based on the needs of the user and can easily be secured and managed when used in combination with other Microsoft offerings.

Getting the Results

Challenges continue to present themselves as users work remotely and organizations refine how they operate. With a vast majority of organizations utilizing Microsoft products in some way, it is important that entitlements are understood to reduce costs and complexities. Organizations can improve their return on investment (ROI) or make new investments once this is understood. Leveraging Microsoft service offerings can be optimized beyond the traditional use of Office products and Operating Systems, to provide a secure, managed, agile, and accessible environment for users regardless of their location. The result will be a streamlined, cost effective, collaborative environment that strengthens your organization’s bottom line.


© 2020 Plan B Technologies, Inc. All Rights Reserved.


3 Cyberattacks and 3 Practical Measures Lawyers Can Take to Protect Themselves

Hackers are targeting lawyers with cyberattacks, and coronavirus is making things worse. With the recent Covid-19 pandemic and the resultant remote work, hackers are exploiting lawyers with even greater intensity. The ABA Journal recently reported that “scams multiply during the COVID crisis.”

The Top 3 Cyber Attacks Targeting Law Firms

You’re probably displaced from your usual working space and feeling out of whack. That sets the stage for hackers to take advantage of the confusion — and your home computer setup. You need to know the traits of the most common cyberthreats so you can identify a scam.

1. Phishing Email Scams

Hackers send phishing emails that impersonate a legitimate sender and fool the recipient into giving up information. Most phishing scams trick their victims into clicking on malicious URLs. These phishing links redirect the victim to fake sites — most commonly, spoofed login pages for Office 365 and online banking — and capture their username and password. Now that the hacker has these credentials, they can log in as the victim to access confidential data or withdraw funds.

In 2018, nearly 80% of law firms experienced phishing attacks, according to security research firm Osterman Research. As COVID-19 increases anxiety and the number of emails in your inbox, hackers have taken advantage. In mid-March 2020, right as COVID-19 ramped up in the United States, hackers purported to be the World Health Organization (WHO). The phishing email asked the victim to open an attachment containing official information on protecting yourself from the coronavirus. Little did they know that opening this attachment downloaded a keystroke logger that records what’s being typed. Keystroke logging is typically used to capture even more login credentials so the hacker can access as many sites and services as possible.

For further details, learn how viral coronavirus scams are attacking computers and smartphones.

2. Ransomware

Ransomware is one of the four biggest cybersecurity risks law firms face, according to Law Technology Today. This cyberattack is a type of malware that, once installed, denies access to a computer system or data. Typically, email attachments, “malvertising”, or drive-by downloads install ransomware onto devices. To regain access to the compromised device, the victim must wire funds to the hacker. Even if the ransom is paid, it’s not guaranteed that the hackers will restore system access.

3. Data Breaches

Data breaches result in the loss of confidential data or the unauthorized access of that data. They often occur after hackers execute a successful phishing or ransomware attack, which are common entry points for a data breach. The loss of this data could have devastating consequences for a law firm. If clients feel that their privacy was violated in the breach, they might sue.

3 Practical Cyberthreat Solutions for Law Firms

Law firms can take several practical measures to protect their systems and data. Safeguarding identity and access, encrypting data, and investing in cybersecurity software (if possible) for anti-phishing and anti-malware will lower the risk of a successful cyberattack.

1. Encrypt Data

Lawyers rely on email and document sharing to run their firm. As these documents and communications travel across the internet, they can be intercepted. But when data is encrypted, a hacker who intercepts it cannot read it. A VPN (Virtual Private Network) encrypts data in a cost-effective, non-intrusive, and reliable way. Creating a secure “tunnel” between your computer and the internet, VPNs protect data using 256-bit encryption. This level of encryption is so strong that banks and the U.S. government use it to protect classified data.

2. Use Two-Factor Authentication (2FA)

If you’re in the 50% of people who use the same passwords for personal and work accounts, then take note. Weak and reused passwords increase your chances of experiencing a cyberattack. 2FA adds protection to your username and password, making it much harder to compromise your credentials. Think of 2FA as a dynamic, time-sensitive, secondary password.

2FA uses a password alongside a second one-time passcode that is sent to the employee’s device. Unless this code is submitted on the follow-up login screen in a timely manner, it will expire. If codes are not used, then biometric authentication, such as a retina or fingerprint scan, provides the second factor.
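As an added example that is not part of the PracticePanther article, the following Python shows how the time-sensitive one-time code described above is generated and checked on the server side, using the standard TOTP construction (RFC 6238: HMAC-SHA1 over a 30-second time counter, truncated to six digits). The one-step clock-skew window and the replay check are design assumptions for illustration; the secret is a constructed test key (the one printed in RFC 6238), not a real credential.

```python
"""TOTP second factor: generation, expiry window and replay rejection.
Added example (not the article's code); secret and window are assumptions."""
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per time step; a code is only valid for its step
DIGITS = 6
WINDOW = 1     # accept one step of clock skew either side of "now"


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time counter, dynamic truncation."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SecondFactor:
    """Server-side verifier for one enrolled user."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1          # highest time step already consumed (blocks replay)

    def verify(self, submitted: str, now: int = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // STEP
        for candidate in range(current - WINDOW, current + WINDOW + 1):
            if candidate <= self.last_counter:
                continue                # a code for this step was already used
            expected = totp(self.secret, candidate * STEP)
            if hmac.compare_digest(expected, submitted):   # constant-time compare
                self.last_counter = candidate
                return True
        return False                    # wrong code, expired step, or replay


if __name__ == "__main__":
    # Constructed test key from RFC 6238, not a real secret.
    secret = b"12345678901234567890"
    sf = SecondFactor(secret)
    code = totp(secret, 59)
    print("code at t=59:", code)                       # 287082
    print("accepted:", sf.verify(code, now=59))         # True
    print("replayed:", sf.verify(code, now=59))         # False, same step reused
    print("late:", sf.verify(code, now=1111111109))     # False, step long expired
```

The window lets a phone whose clock is a few seconds off still log in, while the replay check means an attacker who captures a code via the phishing pages described earlier cannot reuse it even within that window.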

3. Invest in Intelligent IT Systems

When dealing with high volumes of very confidential data, you can never be too confident of your online security. The odds are not in your favor: one in four organizations in the US will be breached. And recovering from a breach is pricey. Law firms lose, on average, $4.62 million per data breach. If you worry about the expense of cybersecurity solutions, remember that other number.

You can spend money on anti-phishing, anti-malware, and data loss prevention tools. Or you can not spend the money and risk having to pay a ransom, deal with legal fees, reputational damage, and more. Although it’s a tough pill to swallow in the current economic landscape, preventative security is cheaper than dealing with a breach.

If you cannot afford a cybersecurity system at this time, just update your software whenever you receive a notification. This is the easiest and quickest way to secure your systems. Software updates come with security fixes that will patch any vulnerabilities in your system. Hackers are known to exploit old/known vulnerabilities. Take the time to vet your network or cloud service providers to see what precautions they have to protect your firm from cybercriminals.

You Must Anticipate Cyberattacks on Your Firm 

Law firms possess sensitive data that hackers would love to leverage. Using intelligent IT systems, updating software, encrypting data, and setting up two-factor authentication are the most effective ways that lawyers can protect their data while working remotely during the COVID-19 lockdown.


© Copyright 2020 PracticePanther

ARTICLE BY PracticePanther.

Patentability of COVID-19 Software Inventions: Artificial Intelligence (AI), Data Storage & Blockchain

The Coronavirus pandemic revved up previously scarce funding for scientific research. Part one of this series addressed the patentability of COVID-19 related Biotech, Pharma & Personal Protective Equipment (PPE) Inventions and whether inventions related to fighting COVID-19 should be patentable. Both economists and lawmakers are critical of the exclusivity period granted by patents, especially in the case of vaccines and drugs. Recently, several members of Congress requested “no exclusivity” for any “COVID-19 vaccine, drug, or other therapeutic.”[i]

In this segment, the unique issues related to the intellectual property rights of Coronavirus related software inventions, specifically, Artificial Intelligence (AI), Data Storage & Blockchain are addressed.

Digital Innovations

Historically, Americans have adhered to personalized healthcare and lacked the incentive to set up a digital infrastructure similar to Taiwan’s, which has fared far better in combating the spread of a fast-moving virus.[ii] But as hospitals continue to operate at maximum capacity and with prolonged social distancing, the software sector is teeming with digital solutions for increasing the virtual supply of healthcare to a wider network of patients,[iii] particularly as HHS scales back HIPAA regulations.[iv] COVID-19 has also spurred other types of digital innovation, such as using AI to predict the next outbreak and electronic hospital bed management, etc.[v]

One area of particular interest is the use of blockchain and data storage in a COVID/post-COVID world. Blockchains can serve as secure ledgers for the global supply of medical equipment, including respirators, ventilators, dialysis machines, and oxygen masks.[vi] The Department of Homeland Security has also deemed blockchain managers in food and agricultural distribution as “critical infrastructure workers”.[vii]

Patentability

Many of these digital inventions will have a hard time with respect to patentability, especially those related to data storage such as blockchains. In 2014, the Supreme Court found computer-related inventions were “abstract ideas” ineligible for patent protection in Alice v. CLS Bank.[viii] Because computer-implemented programs execute steps that can theoretically be performed by a human being but are only automated by a machine, the Supreme Court concluded that patenting software would be patenting human activity. This type of patent protection has long been considered by the Court to be too broad and dangerous.

Confusion

The aftermath of Alice is widespread confusion amongst members of the patent bar as well as the USPTO as to how computer-related software patents were to be treated henceforth.[ix] The USPTO attempted to clarify some of this confusion with a series of Guidelines in 2019.[x] Although well received by the IP community, the USPTO’s Guidelines are not binding outside of the agency, meaning they have little dispositive effect when parties must bring their cases to the Federal Circuit and other courts.[xi] Indeed, the Federal Circuit has made clear that it is not bound by the USPTO’s guidance.[xii] The Supreme Court will not provide further clarification and denied cert on all patent eligibility petitions in January of this year.[xiii]

The Future

Before the coronavirus outbreak, Congress was working on patent reform.[xiv]  But the long-awaited legislation was set aside further still as legislators focused on needed measures to address the pandemic.  On top of that, both Senator Tillis and Senator Coons who have spearheaded the efforts for patent reform are now facing reelection battles, making the future congressional leadership on patent reform uncertain.

Conclusion

Patents receive a lot of flak for being company assets, and like many assets, patents are subject to abuse.[xv] But patents are necessary for innovation, particularly for small and medium-sized companies, by carving out a safe haven in the marketplace from the encroachment of larger companies.[xvi] American leadership in medical innovations had been declining for some time prior to the pandemic[xvii] due to the cumbersome US regulatory and legal environments, particularly for tech start-ups seeking private funding.[xviii]

Not all data storage systems should receive a patent, and no vaccine should receive a patent so broad that it snuffs out public access to alternatives. The USPTO considers novelty, obviousness and breadth when dispensing patent exclusivity, and it revisits the issue of patent validity downstream with inter partes review. There are measures in place for ensuring good patents, so let that system take its course. A sweeping prohibition of patents is not the right answer.

The opinions stated herein are the sole opinions of the author and do not reflect the views or opinions of the National Law Review or any of its affiliates


[i] Congressional Progressive Leaders Announce Principles On COVID-19 Drug Pricing for Next Coronavirus Response Package, (2020), https://schakowsky.house.gov/media/press-releases/congressional-progressive-leaders-announce-principles-COVID-19-drug-pricing (last visited May 10, 2020).

[ii] Christina Farr, Why telemedicine has been such a bust so far, CNBC (June 30, 2018), https://www.cnbc.com/2018/06/29/why-telemedicine-is-a-bust.html and Nick Aspinwall, Taiwan Is Exporting Its Coronavirus Successes to the World, Foreign Policy (April 9, 2020), https://foreignpolicy.com/2020/04/09/taiwan-is-exporting-its-coronavirus-successes-to-the-world/.

[iii] Joe Harpaz, 5 Reasons Why Telehealth Is Here To Stay (COVID-19 And Beyond), Forbes (May 4, 2020), https://www.forbes.com/sites/joeharpaz/2020/05/04/5-reasons-why-telehealth-here-to-stay-COVID19/#7c4d941753fb.

[iv] Jessica Davis, OCR Lifts HIPAA Penalties for Telehealth Use During COVID-19, Health IT Security (March 18, 2020), https://healthitsecurity.com/news/ocr-lifts-hipaa-penalties-for-telehealth-use-during-COVID-19.

[v] Charles Alessi, The effect of the COVID-19 epidemic on health and care – is this a portent of the ‘new normal’?, HealthcareITNews (March 31, 2020), https://www.healthcareitnews.com/blog/europe/effect-COVID-19-epidemic-health-and-care-portent-new-normal and COVID-19 and AI: Tracking a Virus, Finding a Treatment, Wall Street Journal (April 17, 2020), https://www.wsj.com/podcasts/wsj-the-future-of-everything/COVID-19-and-ai-tracking-a-virus-finding-a-treatment/f064ac83-c202-40f9-8259-426780b36f2c.

[vi] Sara Castellenos, A Cryptocurrency Technology Finds New Use Tackling Coronavirus, Wall Street Journal (April 23, 2020), https://www.wsj.com/articles/a-cryptocurrency-technology-finds-new-use-tackling-coronavirus-11587675966?mod=article_inline.

[vii] Christopher C. Krebs, MEMORANDUM ON IDENTIFICATION OF ESSENTIAL CRITICAL INFRASTRUCTURE WORKERS DURING COVID-19 RESPONSE, Cybersecurity and Infrastructure Security Agency (March 19, 2020), available at https://www.cisa.gov/sites/default/files/publications/CISA-Guidance-on-Essential-Critical-Infrastructure-Workers-1-20-508c.pdf.

[viii] Alice v. CLS Bank, 573 U.S. 208 (2014), available at https://www.supremecourt.gov/opinions/13pdf/13-298_7lh8.pdf.

[ix] David O. Taylor, Confusing Patent Eligibility, 84 Tenn. L. Rev. 157 (2016), available at https://scholar.smu.edu/cgi/viewcontent.cgi?article=1221&context=law_faculty.

[x] 2019 Revised Patent Subject Matter Eligibility Guidance, United States Patent Office (January 7, 2019), available at https://www.federalregister.gov/documents/2019/01/07/2018-28282/2019-revised-patent-subject-matter-eligibility-guidance.

[xi] Steve Brachmann, Latest CAFC Ruling in Cleveland Clinic Case Confirms That USPTO’s 101 Guidance Holds Little Weight, IPWatchDog (April 7, 2019), https://www.ipwatchdog.com/2019/04/07/latest-cafc-ruling-cleveland-clinic-confirms-uspto-101-guidance-holds-little-weight/id=107998/.

[xii] Id.

[xiii] U.S. Supreme Court Denies Pending Patent Eligibility Petitions, Holland and Knight LLP (January 14, 2020), https://www.jdsupra.com/legalnews/u-s-supreme-court-denies-pending-patent-55501/.

[xiv] Tillis and Coons: What We Learned At Patent Reform Hearings, (June 24, 2019), available at https://www.tillis.senate.gov/2019/6/tillis-and-coons-what-we-learned-at-patent-reform-hearings.

[xv] Gene Quinn, Twisting Facts to Capitalize on COVID-19 Tragedy: Fortress v. bioMerieux, IPWatchDog (March 18, 2020), https://www.ipwatchdog.com/2020/03/18/twisting-facts-capitalize-COVID-19-tragedy-fortress-v-biomerieux/id=119941/.

[xvi] Paul R. Michel, To prepare for the next pandemic, Congress should restore patent protections for diagnostic tests, Roll Call (April 28, 2020), https://www.rollcall.com/2020/04/28/to-prepare-for-the-next-pandemic-congress-should-restore-patent-protections-for-diagnostic-tests/.

[xvii] Medical Technology Innovation Scorecard_The race for global leadership, PwC (January 2011), https://www.pwc.com/il/en/pharmaceuticals/assets/innovation-scorecard.pdf.

[xviii] Elizabeth Snell, How Health Privacy Regulations Hinder Telehealth Adoption, HealthITSecurity (May 5, 2015), https://healthitsecurity.com/news/how-health-privacy-regulations-hinder-telehealth-adoption.


Copyright (C) GLOBAL IP Counselors, LLP


Jennifer Lopez Sued for Copyright Infringement

More and more often nowadays, celebrities are being sued for posting pictures of themselves on Instagram. While this does not make much sense to many of us, posting a picture on social media that you did not take without permission from the photographer can result in copyright infringement charges.

Actress and singer, Jennifer Lopez, is the latest celebrity to be hit with a copyright infringement suit. Lopez and her production company are being sued for over $150,000 in damages by photographer Steve Sands, who alleges that Lopez posted a photo taken by Sands on Instagram. Sands contends that Lopez and her production company did not license the photograph from Sands or have permission from Sands to post the photo.

While the average person may do something similar and get away with it, celebrities often will not, due to the significant number of likes the photo receives and the celebrity’s large number of social media followers. Some say celebrities post these images to brand themselves without permission from the taker of the photo.

This is not the first time Lopez has been sued for posting. Lopez was sued by Splash News and Picture Agency for $150,000 in October 2019, when she posted a photo taken by the company of her now fiancé, Alex Rodriguez, in her Instagram story in 2017. Splash News alleged they were the owner and exclusive copyright holder of the picture.

The Copyright Act protects the rights of Connecticut photographers by prohibiting others from using their photos for promotion without consent. However, there are exceptions that allow use of another’s photos in certain circumstances.


© 2020 by Raymond Law Group LLC.

FCC Subjects Robocallers and Caller Identification Fraudsters to Increased Penalties and Broader Enforcement

On May 1, 2020, the Federal Communications Commission (FCC) adopted rules to strengthen protections against robocalls and the manipulation of caller identification information to misrepresent the true identity of the caller (known as caller ID spoofing).1 The FCC’s amended rules, which implement portions of the recently-enacted Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act), streamline the procedure for commencing enforcement actions against violators and expand the statute of limitations applicable to FCC proceedings against robocallers and caller ID spoofers2 (see GT Alert, TRACED Act Subjects Robocallers to Increased Penalties, Outlines Regulatory and Reporting Requirements to Deter Violations).

The FCC’s changes to its rules include the following:

  • Eliminating the requirement that the FCC issue a citation to a person or entity that violates prohibitions against robocalling before issuing a notice of apparent liability if the person or entity does not hold a license, permit, or other authorization issued by the FCC. As noted by FCC Chairman Ajit Pai in the news release accompanying the FCC’s Order: “Robocall scam operators don’t need a warning these days to know what they are doing is illegal, and this FCC has long disliked the statutory requirement to grant them mulligans.” Caller ID spoofers are already subject to FCC enforcement actions without receiving a citation as a warning.3
  • Increasing the penalty amount to up to $10,000 for each intentional unlawful robocall in addition to the monetary forfeiture permitted under 47 U.S.C. § 503 (for persons or entities that are not FCC licensees or common carriers, the forfeiture penalty shall not exceed $20,489 for each violation and $153,669 for any continuing violation).4 Importantly, each unlawful robocall is considered to be a separate violation, so the potential forfeiture amounts could be very high.
  • Extending the statute of limitations applicable to FCC enforcement actions for intentional robocall violations and for caller ID spoofing violations to four years. Under the amended rule, the FCC may not impose a forfeiture penalty against a person for violations that occurred more than four years prior to the date a notice of apparent liability is issued. The statute of limitations had been one year for all robocall violations and two years for call ID spoofing violations. This change will significantly increase the timeframe of conduct subject to FCC enforcement and that can be included in a proposed forfeiture amount.

Conclusion

The FCC’s amended rules, consistent with the TRACED Act, are intended to discourage unlawful robocalling and caller ID spoofing by abolishing the “one free pass” formerly applicable to entities that do not hold FCC authorizations, increasing the penalties for intentional violations, and expanding the statute of limitations period. This is the FCC’s most recent action to implement the TRACED Act by strengthening protections against unlawful robocalls and caller ID spoofing. Other steps recently taken by the FCC include initiating a rulemaking proceeding to prevent one-ring scams (when a caller initiates a call and allows the call to ring for a short duration with the aim of prompting the called party to return the call and be subject to charges). Given the FCC’s significant focus on combating illegal robocalling, it is important that companies that rely on robocalls to contact consumers understand the federal laws governing such calls and implement procedures to ensure that they comply with those laws and regulations.


[1] The Telephone Consumer Protection Act (TCPA) (which was amended by the TRACED Act) and the FCC’s implementing regulations generally prohibit the use of autodialed, prerecorded or artificial voice calls (commonly known as robocalls) to wireless telephone numbers and the use of prerecorded or artificial voice calls to residential telephone numbers unless the caller has received the prior express consent of the called party (certain calls, such as telemarketing calls, require prior express written consent) or is subject to specified exemptions. See 47 U.S.C. § 227; 47 C.F.R. § 64.1200.

[2] The FCC issued these rules pursuant to an order, rather than utilizing notice and comment procedures, because the content of the rules did not require the exercise of administrative discretion. The rules will become effective 30 days after the date of publication in the Federal Register.

[3] The FCC may issue a forfeiture order if it finds that the recipient of a notice of apparent liability has not adequately responded to the FCC’s allegations. The FCC may also seek to resolve the matter through a consent order which generally requires the alleged violator to make a voluntary payment, develop a compliance plan, and file compliance reports.

[4] See 47 U.S.C. § 503(b)(2)(D) as adjusted for inflation. The FCC has authority to make upward or downward adjustments to forfeiture amounts based on several factors. See 47 C.F.R. § 1.80.

©2020 Greenberg Traurig, LLP. All rights reserved.

COVID-19: CMS Issues Second Round of Groundbreaking Changes for Telehealth – What You Need to Know

The Centers for Medicare and Medicaid Services (CMS) has introduced a new crop of temporary regulatory flexibilities in response to the COVID-19 public health emergency (PHE) in the form of new blanket waivers, implementing guidance related to provisions of the Coronavirus Aid, Relief, and Economic Support Act (CARES Act) regarding rural health clinics (RHCs) and federally qualified health centers (FQHCs), as well as a new interim final rule (April IFC). This flurry of new guidance comes exactly one month after CMS published an interim final rule on March 30 (March IFC). The new guidance sets forth a historic expansion of telehealth services by fully expanding the list of permissible telehealth providers and significantly broadening the availability of audio-only telehealth services for Medicare beneficiaries, among other significant telehealth expansions. The new blanket waivers and the April IFC (except as otherwise specifically designated) are retroactively effective as of March 1, 2020.

This article discusses the telehealth waivers and flexibilities in this most recent guidance from CMS aimed at making health care available to Medicare beneficiaries in a manner that keeps both providers and patients safe during the PHE.

Expanded List of Eligible Telehealth Practitioners

A long-awaited change is here! Now, for the duration of the COVID-19 PHE, physical therapists, occupational therapists, and speech-language pathologists, along with all others eligible to bill Medicare for professional services, may furnish distant site Medicare telehealth services. Prior to this blanket waiver, only physicians, nurse practitioners, physician assistants, and other specified providers could deliver Medicare covered telehealth services. The new blanket waiver removes these restrictions. However, practitioners must still adhere to applicable state law practice and licensure requirements when performing telehealth services.

Audio-Only Telehealth Elevated

In the March IFC, CMS established separate payment for audio-only telephone E/M services, specifically including CPT codes 99441, 99442, and 99443. In response to stakeholder feedback that the use of these codes is more widespread than CMS expected—as well as CMS’s realization that the audio-only visits are appropriate for a higher intensity of service than initially anticipated—CMS is:

  1. waiving the required use of video technology, and is allowing the use of audio-only equipment to furnish services described by the codes for audio-only telephone evaluation and management services (E/M), and behavioral health counseling and educational services (the list of the designated audio-only codes can be found here); and
  2. increasing reimbursement for CPT codes 99441, 99442, and 99443 to more closely align with reimbursement for similar office visits.

Codes that may be billed without satisfying the interactive video requirement will have a notation in the telehealth code list indicating that audio-only is appropriate. The ability to receive these increased payment rates is retroactive to March 1, 2020. Also, while the code descriptors refer to an “established patient,” CMS is exercising its enforcement discretion during the PHE to relax the requirement that the audio-only services be limited to established patients. CMS reminds practitioners that the cost-sharing obligations are still applicable to these telehealth services in cases where the practitioner is not appropriately waiving the cost-sharing obligations.

Opioid Treatment Programs (OTPs) May Furnish Periodic Assessments via Telephone

Pursuant to the April IFC, during the PHE CMS is allowing OTP periodic assessments to be furnished via two-way interactive audio-video communication technology and, in cases where beneficiaries do not have access to two-way audio-video communications technology, the periodic assessments may be furnished using audio-only telephone calls, provided all other applicable requirements are met. CMS expects that OTPs will use clinical judgment to determine whether they can adequately perform the periodic assessment with audio-only phone calls, and if not, then they should perform the assessment using two-way interactive audio-video communication technology or in person as clinically appropriate. Regardless of the format that is used, the OTP should document in the medical record the reason for the assessment and the substance of the assessment.

Medicare Coverage of RHCs and FQHCs Provided Telehealth

Previously, RHCs and FQHCs were not able to be paid by Medicare for telehealth services as a distant site. However, as required by the CARES Act, Medicare will now cover and reimburse telehealth services provided by RHCs and FQHCs from January 27, 2020 through the duration of the PHE. The key flexibilities afforded to RHCs and FQHCs include:

  1. Any telehealth service listed in the Medicare telehealth code list may be provided by the RHC/FQHC practitioners and the RHC/FQHC must use HCPCS code G2025 to identify the services being provided via telehealth;
  2. Effective March 6, 2020, patients may be at any site, including their home;
  3. The services can be furnished by any health care practitioner working for the RHC or FQHC within their scope of practice; and
  4. The practitioners can furnish the telehealth services from any distant site location, including their homes, during the time they are working for the RHC or FQHC.

CMS released detailed guidance on (a) claims submission requirements for RHCs/FQHCs; (b) how CMS will go about reprocessing and paying claims; (c) the timing of processing; (d) special billing rules and requirements related to cost-sharing waivers; and, (e) other important information that RHCs and FQHCs should review in advance of billing for any telehealth services. CMS set a payment rate for these claims at $92.03 (average amount of all telehealth services on the telehealth service list, weighted by volume), which will be reassessed if the PHE extends beyond the end of the year. CMS hopes these changes will increase access to care for beneficiaries in rural and underserved areas.

Hospital Billing and Facility Fee Reimbursement for Outpatient and Home Settings

Now hospitals may bill for telehealth services furnished by hospital-based physicians to patients registered as hospital outpatients, including when patients are at home, provided the home is serving as a temporary provider-based department of the hospital. CMS stated that the March IFC did not specifically address billing for hospital outpatients. CMS also reminded providers that reasons for the visit must be documented in the patient’s medical record. As such, hospitals can bill for both the distant site provider fee and the originating site facility fee for telehealth services rendered by hospital-based practitioners, even for patients at home.

New Telehealth Code Approval Procedure

Ordinarily CMS adds codes to the telehealth code list as part of its annual rule making. CMS is now changing its process to allow for the addition of new telehealth codes to the designated Medicare telehealth code list on a sub-regulatory basis, without the need for notice and comment. This will allow for faster and perhaps more frequent additions to the telehealth codes list and scope of Medicare telehealth benefit. However, any codes added to the list during this time period will remain on the list only during the COVID-19 PHE.

Time-Based Level Selection for E/M Telehealth

In the March IFC, CMS allowed the E/M level selection for office/outpatient E/M services furnished via telehealth to be based on either medical decision-making or time for the duration of the PHE. In doing so, CMS referenced typical times associated with E/M services in the Medicare public use file. However, the times in the public use file do not always align with the typical times included in the office/outpatient E/M code descriptors, causing confusion in the physician community. CMS resolved this confusion in the April IFC by revising its policy to clarify that the times listed in the CPT code descriptor should be used.

Loosened Remote Physiological Monitoring (RPM) Billing Requirements

Historically, the RPM service described by CPT code 99454 could not be reported for monitoring of fewer than 16 days during a 30-day period. However, in the April IFC, acknowledging that many patients with COVID-19 who need remote patient monitoring do not need to be monitored for a full 16 days, CMS, for the duration of the PHE, is allowing RPM services to be reported for periods of fewer than 16 days out of 30, but no fewer than 2 days, as long as the other requirements for billing the code are met. CMS emphasized that payment for monitoring that lasts fewer than 16 days out of 30, but no fewer than 2 days, is limited to patients who have a suspected or confirmed diagnosis of COVID-19.

Inclusion of Telehealth and Virtual Care in ACO Primary Care Services

For the duration of the COVID-19 PHE, for purposes of the Medicare Shared Savings Program, CMS is revising the definition of primary care services used in the program’s assignment methodology, for the performance year starting on January 1, 2020, to include remote evaluation of patient video/images, virtual check-ins, e-visits, telephone evaluation and management services, and telehealth.

What’s Next?

The breadth of these changes and the speed at which they have been made undoubtedly illustrate CMS’s view of telehealth as a key tool in addressing the COVID-19 PHE. The question that remains is which of these changes will have staying power beyond the PHE, and whether industry supporters will finally have their day when telehealth is simply an equal choice among others in health care delivery.

For additional web-based resources available to assist you in monitoring the spread of the coronavirus on a global basis, you may wish to visit the websites of the CDC and the World Health Organization.

Foley has created a multi-disciplinary and multi-jurisdictional team to respond to COVID 19, which has prepared a wealth of topical client resources. Click here for Foley’s Coronavirus Resource Center to stay apprised of relevant developments, insights and resources to support your business during this challenging time.

© 2020 Foley & Lardner LLP

Avoid Losing Money: Achieve Full Remote Access with Speed, Security & Scalability

Are your employees fully capable of accomplishing the same work that they could have done while in the office? Ideally, their in-office PC experience can be duplicated (securely) at home without any latency issues. If that’s not the case, your organization could be losing money with lost billable hours, or underutilization of existing solutions, etc. It’s paramount for the bottom line that your remote access capabilities are allowing your employees to achieve maximum efficiency to conduct business in a remote capacity.

There are three key areas of focus that need attention when planning a cost-effective and capable remote access strategy: speed, security, and scalability. “Putting effective security measures in place today along with mitigating remote access performance issues and ensuring the ability to adjust user access and scale will undoubtedly put you at a competitive advantage and positively affect your organization’s bottom line,” says Donnie W. Downs, President & CEO of Plan B Technologies, Inc.

First and foremost, the reliance on your employee’s end user device (or lack thereof) has a significant impact on what must be considered. There are two paths an organization can take to provide remote access to end users. The first is to allow end user devices to join the network as though they were plugged into a network jack in the office. The most common way to achieve this type of direct access is through a Virtual Private Network or VPN. The second approach is to present desktops and applications in a virtual session. This allows applications to be run on server horsepower in the organization’s datacenter and be used remotely from an end user device. Several products provide this capability, usually referred to as VDI or Terminal Services.

These options result in significantly different architectures. The primary difference is the level of dependency on the end user’s device. The VPN-style solution relies heavily on the device’s capability and configuration: the device must provide all of the applications and computing power required by each end user. The VDI/Terminal Services-style solution requires much less from end users’ devices, since the device is simply an interface to the remote session. The tradeoff is that a much more robust infrastructure is required in the organization’s data center or cloud.

Regardless of which way your organization is providing remote access today (VPN or virtual session), the speed, security and scalability (or lack thereof) will directly impact your cost.

SPEED

“To remain productive while working remotely, users need the same capabilities and performance they have when in the office,” says Downs. This translates to several things. They should be able to access all of the software and data they need. They should be able to access these resources using familiar workflows that don’t require separate remote access training. However, the most commonly missed requirement is that the remote access platform needs to provide adequate performance, so the remote access experience feels just like being in the office. Any latency will no doubt cause frustration and could ultimately affect your billable hours.

For direct access platforms this is a simple, yet potentially expensive, formula. The remote access system needs to provide enough bandwidth so that the client device can access application servers, file servers, and other resources without slowing down. On the datacenter side, this means designing sufficient connectivity to the on-prem or cloud environments. Connectivity on the client side, however, will always be more unpredictable. Slow residential connections, unreliable Wi-Fi, and inconsistent cellular coverage are all challenges that will need to be addressed on this type of solution.

Performance within VDI/Terminal Services platforms is much more complex. Similar to direct access, we need to provide adequate bandwidth from the client to the remote access systems. However, this type of system typically has less demanding network requirements than a direct access system. Advanced VDI/Terminal Services platforms also offer a wide variety of protocol optimizations that can accommodate high latency or low bandwidth connections. That’s only half of the puzzle though. Because the user is accessing a virtual session running in the datacenter, that session needs to provide adequate performance. At a basic level, this means that the CPU and memory must be sized correctly to accommodate the number of users. But the platform also needs to match in-office capabilities such as multiple monitors, 3D acceleration, printing, and video capability. Full-featured VDI/Terminal Services platforms provide these capabilities, but they must be properly designed and deployed to realize their full potential.

SECURITY

“Remote access can expose your business to many risks – but it doesn’t have to be this way,” says Downs. “Whether your organization is supporting 10 remote users or 1,000, you need to provide the necessary access while guarding your organization against outside threats.” For successful and secure remote access, it’s necessary to manage the risks and eliminate your blind spots to prevent data loss, phishing, or ransomware attacks.

On the surface, securing remote access environments requires many of the same basic considerations as any other public-facing infrastructure. These include mandatory multifactor authentication, application-aware firewalls, and properly configured encryption to guard your organization against security risks and protect corporate data. Remote access security is unique because of the risk introduced by the devices your employees use. These devices can include IT-managed devices that are allowed to leave the office or employee-owned unmanaged devices. If your remote access end users are logging in with their own devices over the internet, there is room for a security breach unless these three measures are in place:

1/ Conduct Endpoint Posture Assessments

For direct access remote connectivity, security is especially relevant since the end user device is being provided a conduit into the organization’s network. Ideally, devices connecting to a direct access solution should be IT-managed devices. This ensures that IT has the capability to control the endpoint configuration and security. However, there are many environments where direct access is required by employee-owned devices. In either case, the remote access solution should have the capability to perform endpoint posture assessment. This allows an end user device to be scanned for compliance with security policies. These policies should include up-to-date operating system patches, valid and updated endpoint protection/antivirus, and enabled device encryption. The results of the scan (or assessment) can then be used to ensure only properly secured devices are able to connect to the network.
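As an added illustration of the gating logic described above (example code written for this article, not a Plan B Technologies product or any vendor's posture-assessment API), the following evaluates constructed endpoint reports against the three policy items and fails closed when a control cannot be verified; the report fields, thresholds, and dates are assumptions.

```python
"""Endpoint posture gate for a direct-access (VPN) connection.

Added example; the report format, field names, and thresholds are assumptions,
not a real agent's output. It checks the three policy items the article lists
(OS patches current, endpoint protection present and updated, device
encryption enabled) and returns allow/deny with the findings that caused a deny.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class PosturePolicy:
    """Thresholds the policy items are checked against (assumed values)."""
    max_patch_age_days: int = 30        # OS updates must be applied within this window
    max_signature_age_days: int = 7     # endpoint protection definitions must be this fresh
    require_disk_encryption: bool = True
    require_it_managed: bool = False    # set True for a managed-devices-only VPN


@dataclass
class PostureResult:
    allowed: bool
    reasons: List[str]                  # empty when the device is compliant


def _parse_date(value) -> Optional[date]:
    """Return a date for an ISO-8601 string, or None when missing or malformed."""
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def assess_posture(report: dict, policy: PosturePolicy, today: date) -> PostureResult:
    """Evaluate one endpoint report against the policy.

    Fails closed: any missing, malformed, or unverifiable field is a finding,
    so an agent that cannot prove a control is treated as non-compliant.
    """
    reasons: List[str] = []

    # 1. Operating system updates are current.
    patched = _parse_date(report.get("os_last_patch"))
    if patched is None:
        reasons.append("OS patch date missing or unreadable")
    elif (today - patched).days > policy.max_patch_age_days:
        reasons.append(f"OS patches are {(today - patched).days} days old "
                       f"(limit {policy.max_patch_age_days})")

    # 2. Endpoint protection is installed, running, and has recent definitions.
    if not report.get("ep_installed") or not report.get("ep_running"):
        reasons.append("endpoint protection not installed or not running")
    else:
        sigs = _parse_date(report.get("ep_signature_date"))
        if sigs is None:
            reasons.append("endpoint protection signature date missing or unreadable")
        elif (today - sigs).days > policy.max_signature_age_days:
            reasons.append(f"endpoint protection signatures are {(today - sigs).days} "
                           f"days old (limit {policy.max_signature_age_days})")

    # 3. Device encryption is enabled (only an explicit True counts).
    if policy.require_disk_encryption and report.get("disk_encrypted") is not True:
        reasons.append("device encryption not enabled")

    # Optional: restrict direct access to IT-managed devices.
    if policy.require_it_managed and report.get("it_managed") is not True:
        reasons.append("device is not IT-managed")

    return PostureResult(allowed=not reasons, reasons=reasons)


# Constructed sample reports and assessment date (not real device data).
ASSESSMENT_DATE = date(2020, 5, 4)
MANAGED_LAPTOP = {
    "device_id": "LT-0042", "it_managed": True,
    "os_last_patch": "2020-04-28",
    "ep_installed": True, "ep_running": True, "ep_signature_date": "2020-05-03",
    "disk_encrypted": True,
}
BYOD_DESKTOP = {
    "device_id": "home-pc", "it_managed": False,
    "os_last_patch": "2020-01-15",
    "ep_installed": True, "ep_running": True, "ep_signature_date": "2020-03-30",
    "disk_encrypted": False,
}
BROKEN_REPORT = {"device_id": "tablet-7", "os_last_patch": "last tuesday"}

if __name__ == "__main__":
    policy = PosturePolicy()
    for rpt in (MANAGED_LAPTOP, BYOD_DESKTOP, BROKEN_REPORT):
        result = assess_posture(rpt, policy, ASSESSMENT_DATE)
        verdict = "ALLOW" if result.allowed else "DENY "
        print(f"{verdict} {rpt['device_id']}: {'; '.join(result.reasons) or 'compliant'}")
```

A real deployment would feed the agent's report into this check at connection time and log the reasons for every deny, so help desk staff can tell a user what to fix.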

2/ Protect Against Key Logging and Other Malware

VDI/Terminal Services remote access systems rely on the end user device only as an interface to the virtual session. As a result, these solutions provide the ability to insulate the organization’s network from the end user device more than a direct access connection. Administrators can and should limit the ability for end user devices to pass file, print, and clipboard data, effectively preventing a compromise of the end user device from affecting the infrastructure. However, there is a gap in this insulation that is almost always overlooked. Malware on the end user device with key logging, screen recording, or remote-control capability can still allow the VDI/Terminal Services session to be compromised. Advanced VDI/Terminal Services platforms have protection for these types of attacks built in. This should be a mandatory requirement when selecting and implementing a VDI/Terminal Services solution.

3/ Deploy Robust Endpoint Protection

Regardless of the overall remote access strategy, both IT-managed and employee-owned end user devices should have robust endpoint protection. Traditional definition-based antivirus products no longer provide sufficient protection. These should be combined with, or replaced by, solutions that perform both behavior analytics and advanced persistent threat (APT) protection.

SCALABILITY

Capacity planning for remote access can be very challenging. It is often one of the most varied or “bursty” workloads in an organization. Under normal operations it is used for dedicated remote workers or employees traveling. But when circumstances require large numbers of employees to be remote, as they do today, demand for these capabilities will spike. Proper planning can allow remote access systems to deal with this and keep the entire organization productive, regardless of where they are working.

There are three key elements that affect the scalability of direct access and VDI/Terminal Services solutions: software licensing, network bandwidth, and hardware capacity. It’s important to remember that these three pieces are interconnected. Upgrading any one of them will likely also require an upgrade to the others.

1/ Software Licensing

Licensing for remote access solutions is generally straightforward. There are variables in choosing the correct license type, such as feature set and concurrent vs. named users. But in terms of sizing, direct access and VDI/Terminal Services solutions are usually licensed based on the number of users they can service. Proper scalability relies on having a license pool large enough to support the entire user base. Purchasing licensing for an entire user base can be prohibitively expensive, so some vendors offer more flexible licensing. Two common flexible license models are subscription and burst licenses. Subscription licensing can often be increased or decreased as needed. Burst licensing allows for the purchase of a break-glass pool of licenses that permits an increased user count for a short period of time. Both of these models allow remote access systems to rapidly expand to accommodate emergency remote workers. This type of flexibility should be considered when selecting a remote access platform to help save your organization from unnecessary costs.

2/ Network Bandwidth

Bandwidth and hardware flexibility are much more difficult to plan for. In direct access and VDI/Terminal Services scenarios, each additional user requires more WAN bandwidth and more hardware resources. WAN circuits for on-prem datacenters can require significant lead time to provision and resize. There are solutions such as SD-WAN or burstable circuits that can allow flexibility and agility in these circuits. But this must be carefully preplanned and not left as a to-do item when the expanded capacity is actually needed.

3/ Hardware Capacity

Hardware scaling has similar limitations. Adding remote access capacity can require hardware resources ranging from larger firewalls to additional servers depending on the specific remote access platform. Expanding physical firewall and server platforms requires the procurement of additional hardware. During widespread emergencies, unpredictable availability of hardware can lead to significant delays in getting this done. Fortunately, most remote access platforms allow the integration of on-prem and public cloud-based deployments. A common strategy is to deploy systems into the public cloud as an extension of the normal production environment. These systems can then be spun up when needed to provide the additional capacity. This is a complex architecture that requires diligent design and planning, but it can provide a vast amount of scalability at reasonable cost.

Positioning your organization with a remote access strategy that can scale will save you time and money in the future. It’s unknown how long the effects of the coronavirus pandemic will impact the landscape of remote work for organizations. Planning and preparing to continue to conduct business with a secure and robust remote access strategy in place will put you ahead of your competition.


© 2020 Plan B Technologies, Inc. All Rights Reserved.


The Return of Balance and Proportionality

Oscar Wilde was known for saying “Everything in moderation, including moderation.” For a period of time, we were only confronted with the scary aspects of “Big Data.” Think The Great Hack and the testy congressional hearings that we watched.

But the viral pandemic has thrown privacy absolutism into deeper question, as we are suddenly faced with a problem that in order to be solved must involve finding and tracking people for extended periods of time. We need to decide how to balance the societal need for virus control with the societal good of personal privacy.

Contact tracing is often used as an epidemic control measure. Lawmakers have discussed using the tool in the U.S. as Apple and Google work together to develop an effective contact tracing system. It has been deployed against illnesses such as measles, SARS, typhoid, meningococcal disease, and Ebola. It is currently being implemented in South Korea and China to combat COVID-19.

The Israeli government approved tracking cell phone data of people suspected of having coronavirus, to make sure they self-isolated. This emergency power lasted for 30 days. Israel’s Supreme Court, concerned with the privacy implications of using a military technology to track its own citizens’ daily movements, decided that the government would be required to halt this surveillance technology until or unless the government can pass an extension of that use. Then an oversight group in Israel’s parliament blocked an attempt to extend the emergency measures beyond this week, also due to privacy concerns. A committee member said the harm done to privacy outweighed the benefits.

As I recently wrote, this crisis may be testing sensibilities about privacy. Perhaps I was wrong. Sentiments do not seem to be moving aggressively towards greater data collection, or a sacrifice of consumer rights. Instead there appears to be a return towards measuring the weight of data against the potential for abuse, or grand commodification of personal information. In Israel more than 200 people, some identified through phone location information, had been arrested for violating quarantine. Thirty days of these extreme measures were tolerable. Then the Israelis had second thoughts.

Ulrich Kelber, Germany’s federal data protection commissioner, who recently claimed that the lack of GDPR enforcement was a result of enforcement agencies not receiving enough resources, backed a plan for Germany’s disease prevention agency to use Deutsche Telekom metadata. Considering that just a week earlier he had deemed tracking individual smartphones to monitor quarantine a “totally inappropriate and encroaching measure,” it is apparent that Germany is balancing the harsh reality of the crisis and the immediate need for certain information against this encroachment.

Canada’s Privacy Commissioner released a “Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19.” The Commissioner’s Office acknowledged that COVID-19 raised “exceptionally difficult challenges to both privacy and public health.” However, the framework reiterated that “the principles of necessity and proportionality, whether in applying existing measures or in deciding on new actions to address the current crisis,” will govern. Canada too is weighing the need of the information collected against the nature and sensitivity of the information collected.

The European Data Protection Board (EDPB) provided multiple guidance documents regarding COVID-19. Much like its Canadian counterpart, guidance provides that the “general principles of effectiveness, necessity, and proportionality must guide any measures adopted by Member States or EU institutions that involve processing of personal data to fight COVID-19.” These guidelines clarify the conditions and principles for the proportionate use of location data and contact tracing tools. But the EDPB also stressed that the “data protection legal framework was designed to be flexible and as such, is able to achieve both an efficient response in limiting the pandemic and protecting fundamental human rights and freedoms.”

Here in the United States, all eyes have been on the California Attorney General regarding enforcement of the California Consumer Privacy Act, which is set to begin on July 1, 2020. Unlike our neighbors to the North and Europe, there is no significant sentiment of the need for balance or proportionality. Just a reminder that as “the health emergency leads more people to look online to work, shop, connect with family and friends, and be entertained, it is more important than ever for consumers to know their rights under the California Consumer Privacy Act.”

For many sovereigns, this crisis has led enforcement agencies and legislatures to return to the roots of data privacy, which is balance and proportionality. Many privacy laws require a balancing test for entities collecting data. COVID-19 has made these principles re-emerge into the limelight.


Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.

COVID-19 and Cybersecurity: Combating “Zoombombing” and Securing Your Remote Working Videoconferences

As COVID-19 has prompted a massive shift by organizations to the implementation and use of remote working solutions for their employees, there has been an unfortunate, but not surprising, corresponding rise in malicious actors seeking to exploit remote working solutions.

Over the past few weeks, the most notable and prevalent “digital hijacking” has occurred on the Zoom teleconferencing application. Since the start of the COVID-19 pandemic, there has been an explosion in the number of individuals using the Zoom application. Prior to the pandemic, Zoom averaged approximately 10 million users per day. However, Zoom now estimates that approximately 200 million users per day utilize its videoconferencing application. These users not only include remote workers, but also many school children and teachers who utilize the Zoom application for remote learning.

The phenomenon commonly known as “Zoombombing” involves the infiltration of Zoom videoconferences by hackers. Once they have infiltrated a videoconference, hackers have undertaken a variety of malicious acts including, among other things, posting hate speech, stealing personal identifying information, and posting pornography or other offensive or inappropriate content to the other participants in the videoconference. Typically, hackers look to exploit Zoom conference links that are posted publicly and/or open to the public without the need for a password or access key. In response to the increase in Zoombombing attacks, some governments and organizations have restricted or prohibited the use of the Zoom application by their employees. Recognizing the threat that hackers pose to their platform, Zoom recently added new default security features and recommended that users employ additional security safeguards.

Of course, it is not only Zoom that has been targeted by malicious cyber actors. Similar attacks have occurred on numerous other commonly used videoconferencing platforms. Attacks on these other platforms exploit flaws or security vulnerabilities similar to those seen in Zoombombing attacks.

Given the rise of attacks on videoconference applications during the COVID-19 pandemic, the FBI recently issued a warning discussing Zoombombing and other similar attacks aimed at remote working employees and students. The FBI advised that videoconference application users take the following steps:

  • Do not make meetings public and, if the option is available, utilize passwords for access to meetings;
  • Do not share links for meetings publicly;
  • Only allow meeting hosts to have the option to share their screens with other participants;
  • Ensure that you are using the most recent version of the application; and
  • Ensure that your organization’s remote working policies address requirements for videoconferencing security.

Other important security tips include:

  • Ensure that your teleconferencing sessions have active password protections in place;
  • Keep password protection on by default to prevent unauthorized users from joining or hijacking your sessions; and
  • Use a unique, one-time ID number for large or public teleconferencing calls.

The COVID-19 pandemic has made remote working a reality for many in a world handcuffed by social distancing. It is more important now than ever to understand the power, and the corresponding dangers, these new remote connection technologies hold in order to ensure that you maintain the safety and security of your organization’s data and information.


© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.

For more work-from-home considerations amid the COVID-19 pandemic, see the National Law Review Coronavirus News page.
