Texas Appeals Court Rules Private Communications with Customers Not Protected Free Speech

In a case addressing the applicability of free speech as a defense to trade secret misappropriation, the Court of Appeals for the Fifth District of Texas retracted its previous ruling, holding that communications with customers and suppliers did not involve a matter of public concern and were therefore not an exercise of free speech. Goldberg, et al. v. EMR (USA Holdings) Inc., et al., Case No. 05-18-00261-CV (Tex. App. Jan. 23, 2020) (Myers, J).

The case concerns allegations of trade secret misappropriation brought by EMR (USA Holdings) (EMR), against Kenneth Goldberg, his company Geomet Recycling (Geomet), and several Geomet employees who, like Goldberg, formerly worked for EMR. EMR and Geomet are both involved in the business of scrap metal recycling. EMR alleged that Goldberg, Geomet and the former EMR employees (collectively, “Defendants”) violated the Texas Uniform Trade Secrets Act (TUTSA), breached fiduciary duties and tortiously interfered with contracts by, among other things, using EMR’s trade secrets and confidential and proprietary information to contact purchasers and suppliers.

Defendants moved to dismiss all claims under the Texas Citizen’s Participation Act (TCPA), claiming that their contacts with purchasers and suppliers were protected free speech involving a matter of public concern. The TCPA allows litigants to seek early dismissal of a lawsuit if they prove by a preponderance of the evidence that the legal action is based on, or is in response to, a party’s exercise of the right of free speech.

The TCPA defines “exercise of the right of free speech” as “a communication made in connection with a matter of public concern.” The statute states that a “‘[m]atter of public concern’ includes an issue related to: (A) health or safety; (B) environmental, economic, or community well-being; . . . or (E) a good, product, or service in the marketplace.” Id. § 27.001(7). Additionally, under the “commercial-speech exemption,” the TCPA does not apply to a legal action brought against a person engaged in the business of selling goods or services if the conduct arises out of a commercial transaction in which the intended audience is an actual or potential buyer or customer.

After the trial court denied Defendants’ motion to dismiss without providing any reasoning, Defendants appealed.

On August 22, 2019, the Court of Appeals for the Fifth District of Texas affirmed the trial court’s decision. The Court held that the commercial-speech exemption to the TCPA applied to the Defendants’ communications with purchasers and suppliers. However, the Court also found that these communications concerned “an issue related to . . . a good, product, or service in the marketplace” and therefore involved a matter of public concern under the TCPA.

Both sides asked for rehearing. In its new ruling, the Court of Appeals reversed course and found that Defendants’ communications with purchasers and suppliers did not involve matters of public concern. Defendants argued that the business of recycling scrap metal relates to environmental, economic and community well-being, which are considered matters of public concern under the TCPA. The Court rejected this argument, noting that while scrap metal recycling may indeed relate to matters of public concern, the communications at issue “were private communications regarding private commercial transactions for the purchase and sale of a commodity.” The Court held that, because the communications themselves did not implicate matters of public concern, they were not subject to the TCPA.

Practice Note:

The new ruling significantly restricts the application of the TCPA. The holding indicates that the TCPA cannot shield defendants from trade secret claims based on communications between the defendant and potential customers or suppliers that solely relate to the purchase or sale of a commodity—even if the commodity at issue might arguably relate to matters of public concern.


© 2020 McDermott Will & Emery

For more on TCPA rule application, see the National Law Review Communications, Media & Internet law section.

Clash of Consumer Protection Goals: Does the Text of the TCPA Frustrate the Purposes of the CPSA?

“Hello. This is an automated call from Acme Manufacturing. Our records indicate that you purchased Product X between December 2019 and January 2020. We wanted to let you know that we are recalling Product X because of a potential fire risk. Please call us or visit our website for important information on how to participate in this recall.”

When companies recall products, they do so to protect consumers. In fact, various federal laws, including the Consumer Product Safety Act (CPSA), the Federal Food, Drug, and Cosmetic Act (FDCA), and National Highway and Motor Vehicle Safety Act (MVSA), encourage (and may require) recalls. And the agencies that enforce these statutes would likely approve of the hypothetical automated call above because direct notification is the best way to motivate consumer responses to recalls.[1]

But automated calls to protect consumers can run into a problem: the Telephone Consumer Protection Act (TCPA).

Are Recall Calls a Nuisance or an Emergency?

The TCPA seeks to protect consumers from the “nuisance and privacy invasion” of unwanted automated marketing calls.[2] The TCPA prohibits any person from making marketing calls to landlines, or any non-emergency calls or text messages[3] to wireless lines, using automated dialers or recorded messages unless the recipient has given prior written consent. The Act includes a private right of action and statutory per-violation damages – $500, trebled to $1,500 if a court finds the violation willful and knowing.[4] These penalties can add up quickly: In one case, a jury found that a company violated the TCPA nearly two million times, exposing the company to minimum statutory damages totaling almost $1,000,000,000.[5]

There is an important exception to the TCPA’s prohibition on automated calls. The TCPA allows autodialed calls for emergency purposes,[6] but the Act does not define that phrase. While the FCC has interpreted emergency purposes to mean “calls made necessary in any situation affecting the health and safety of consumers,”[7] recalls are not explicitly identified within this definition. As a result, aggressive plaintiffs have demanded millions in damages from companies that use automatic dialers to disseminate recall messages.[8]

For example, a grocery chain – Kroger – made automated calls to some purchasers of ground beef as part of a recall stemming from salmonella concerns. A plaintiff responded with a purported class action that did not mention the recall[9] but was based on consumers alleging that they had received “annoying” “automated call[s] from Kroger.”

Moving to dismiss, Kroger observed that the plaintiff – who had not listened to the call beyond its initial greeting[10] and thus could not comment on the call’s text – had “cherry-picked”[11] portions of consumers’ online comments to support the case, omitting text that clearly demonstrated that the calls were made for health and safety purposes.[12] Kroger argued that the online comments did not support the plaintiff’s allegations that Kroger had made any marketing calls.

The court granted Kroger’s motion and dismissed the complaint without leave to amend. Even so, Kroger was compelled to spend time and money defending the claim.

In light of this type of lawsuit, one communications firm involved in automotive recalls has petitioned the FCC to “clarify . . . that motor vehicle safety recall-related calls and texts are ‘made for emergency purposes.’”[13] The Association of Global Automakers and the Alliance of Automobile Manufacturers commented in support of the petition, arguing that the “[l]ack of clarity regarding TCPA liability for vehicle safety recall messages has had a chilling effect on these important communications.”[14] The Settlement Special Administrator for the Takata airbag settlements also wrote in support, commenting that automated “recall-related calls and texts serve an easily recognizable public safety purpose.”[15]

The TCPA’s emergency exception offers protection in litigation. The FCC’s definition – “calls made necessary in any situation affecting the health and safety of consumers” – neatly encapsulates the entire function of a recall, namely acting to protect consumers’ health and safety. Moreover, in developing the emergency exception, Congress broadened initial language that excepted calls made by a “public school or other governmental entity” to the enacted “emergency purposes” phrasing precisely to ensure the exception encompassed automated emergency calls by private entities.[16] One of the seminal emergency purposes for which a private entity might seek to make automated calls is a product recall.

Even with such sound arguments that TCPA claims over recall calls are without merit under the statute, aggressive plaintiffs have brought them, and these efforts compel companies to spend finite resources defending claims that should not be brought in the first place. An express statutory or regulatory statement that recalls fall squarely within the definition of emergency purposes would give companies greater confidence: not only that they could successfully defend against any effort to pit the TCPA against consumer-protection values, but that such claims would become so unlikely that companies need not fear having to defend them at all.

Protecting Against Recall-Call Complaints

Until the FCC or Congress expressly instructs plaintiff’s counsel not to try to litigate against automated recall calls, there are steps companies that want to use automated dialers to drive recall responses can take to minimize any risk of a court misinterpreting their calls or finding TCPA liability where it should not attach.

For example, companies may (as some already do) ask for customers’ consent to be autodialed in connection with the products they have purchased – e.g., by including consent language on product warranty cards or registration forms. In fact, the Consumer Product Safety Improvement Act of 2008 (CPSIA)[17] already requires manufacturers of durable infant and toddler products to include registration cards for recall-communication purposes.[18] Companies in some other industries (like the on- and off-road motor vehicle industries) typically have robust registration systems that can incorporate auto dialing consent, and more companies in other spaces may want to consider using registration to facilitate recalls.

Further, automated recall calls should focus on the recall. If calls extend to marketing messaging, that could undermine both a future TCPA defense and the efficacy of that and future recall communications.

Optimally, companies would be less likely to need these defenses if the statute more clearly signaled to would-be litigants that they should not even bother. If the FCC grants the pending petition and plainly states that product recalls are emergencies for TCPA purposes, courts’ deference to agency interpretations might deter at least some complaints. A statutory amendment would be the surest guarantee, though, and manufacturers may wish to ask Congress to amend the TCPA to clarify that recall messages are emergency messages.


[1] See, e.g., Joseph F. Williams, U.S. Consumer Prod. Safety Comm’n, Recall Effectiveness Workshop Report, 5 (Feb. 22, 2018).

[2] Pub. L. No. 102-243, § 2(12), 105 Stat. 2394, 2395 (Dec. 20, 1991).

[3] Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, CG Docket No. 02-278, Report and Order, 18 FCC Rcd 14014, 14115, para. 165 (2003).

[4] TCPA at § 3(a), 105 Stat. at 2399 (codified at 47 U.S.C. § 227(c)(5)).

[5] Wakefield v. ViSalus, Inc., No. 3:15-cv-1857-SI (D. Or.).

[6] See, e.g., TCPA at § 3(a), 105 Stat. at 2395-96 (codified at 47 U.S.C. § 227(b)(1)(A)).

[7] 47 C.F.R. § 64.1200(f)(4).

[8] See, e.g., Compl., Ibrahim v. Am. Honda Motor Co., Inc., No. 1:16-cv-04294, Dkt. #1 (N.D. Ill. Apr. 14, 2016).

[9] Compl., Brooks v. Kroger Co., No. 3:19-cv-00106-AJB-MDD, Dkt. #1 (S.D. Cal. Jan. 15, 2019) (“Brooks”).

[10] Pl. Opp. to Mot. to Dismiss at 5, Brooks, Dkt. #9 (Apr. 4, 2019).

[11] Reply in Supp. of Mot. to Dismiss at 7, Brooks, Dkt. #10 (Apr. 11, 2019).

[12] The plaintiff quoted one complaint as “Automated call from Kroger.” Compl. at 3-4, Brooks. As the defense noted, that complaint continued, “requesting that you return ground beef . . . due to the threat of salmonella.” Mem. in Supp. of Mot. to Dismiss at 6, Brooks Dkt. #7 (Mar. 21, 2019).

[13] IHS Markit Ltd. Petition for Emergency Declaratory Ruling, CG Docket No. 02-278, Petition, ii (Sept. 21, 2018).

[14] IHS Markit Ltd. Petition for Emergency Declaratory Ruling, CG Docket No. 02-278, Comments of Association of Global Automakers, Inc. and Alliance of Automobile Manufacturers, 9 (Nov. 5, 2018).

[15] IHS Markit Ltd. Petition for Emergency Declaratory Ruling, CG Docket No. 02-278, Comments of Patrick A. Juneau, 3 (Nov. 5, 2018).

[16] S. Rep. No. 102-178, 5 (Oct. 8, 1991).

[17] Pub. L. No. 110-314, 122 Stat. 3016 (Aug. 14, 2008) (codified as amended at 15 U.S.C. § 2056a).

[18] 15 U.S.C. § 2056a(d).


© 2020 Schiff Hardin LLP

For more on CPSA, FDCA, MVSA & other recalls, see the National Law Review Consumer Protection law section.

How Law Firms Can Prevent Phishing and Malware

Law firms hold information tied to politics, public figures, intellectual property, and sensitive personal data. Because lawyers rely on email to manage cases and interact with clients, attackers use email to exploit both technical vulnerabilities and the people reading it. Once cybercriminals get into a law firm’s systems through a successful phishing or malware attack, they monetize the stolen information.

Starting with email, law firms must protect the availability, confidentiality, and integrity of their data, or they will suffer breaches that bring higher insurance premiums, loss of intellectual property, lost contract revenue, and reputational damage.

Law firms aren’t securing their cloud technology

As lawyers adopt current technology best practices, they are moving client data and confidential documents from on-premises systems to cloud-hosted services. 58% of firms use cloud technology to manage their clients and run their firms, according to the 2019 Legal Technology Survey Report on Cybersecurity and Cloud Computing from The American Bar Association’s Legal Technology Resource Center.

Migrating data to the cloud is a good thing, despite the reservations many lawyers have about it. Data is more secure in a system with modern infrastructure and security controls than on an outdated local system no longer supported by its vendor, such as a desktop still running Windows 7 rather than Windows 10.

But a well-run cloud does not stop phishing and malware: those attacks target the user and the user’s credentials, not the provider’s infrastructure, so law firms that move to the cloud still fall victim to them.

26% of lawyers reported a security breach at their firm. TECHREPORT’s other findings explain why the breach rate is so high:

  • Fewer than half (41%) of all respondents changed their security practices after migrating to the cloud.

  • Only 35% of lawyers adopt more than one standard security measure — like encryption, anti-malware, anti-phishing, and network security.

  • 14% of respondents using cloud-based technology to manage their firm do not have any preventative security measures in place.

Changes to your firm's security policies.

Source: 2019 ABA TECHREPORT

How law firms can prevent phishing and malware

Lawyers know data breaches create downtime, loss of billable hours, and reputational harm. But they’re less aware of how to prevent those outcomes.

Phishing explained

Phishing happens via email, when hackers impersonate trusted senders to trick recipients into divulging sensitive or confidential information. Most often, phishers lure victims into clicking a malicious URL that leads to a spoofed login page. Microsoft is the most spoofed brand in the world, because its services are the hub through which organizations collaborate and exchange information. If a lawyer enters Office 365 credentials on a spoofed login page, the username and password go straight to the attacker’s server.

Most common brands in phishing attacks.

Source: TechRadar

Successful credential-harvesting phishing attacks allow hackers to access data-dense services like Office 365, online banking, and practice management software. Stolen credentials lead to account takeover scenarios that result in further exploits, including network infiltration, database infiltration, and data exfiltration.

3 common characteristics of phishing attacks

  1. Subject lines that appear highly urgent

Many subject lines in phishing emails are in all-caps to pressure the recipient. Beware of subject lines that say “URGENT” or “Are you available?” An infographic from cybersecurity firm KnowBe4 reveals the top phishing email subject lines from 2019.

Top-clicked phishing tests.

Source: KnowBe4

  2. Spelling errors, grammar errors, and awkward language

Hackers need to get past the filters that scan inbound mail for known phishing wording (and, where the lure is an image, the Optical Character Recognition (OCR) step that extracts the text first). To slip past keyword matching they intentionally misspell words, use special characters that look like letters, and replace letters with lookalike digits, which is why the text often reads awkwardly. URLs get the same treatment: the domain is misspelled, or it is not the domain the page claims to be (a lookalike such as “d0cusign”, or the real brand name placed in a subdomain of an unrelated domain). Read every URL carefully and check that the registered domain, not just the words that appear in it, matches the content of the page.

  3. Unexpected or unusual requests for documents or money

Phishers can spoof the sender name and domain of trusted contacts’ email addresses to lull recipients into a false sense of trust and compliance. Requests for sensitive information (bank routing numbers, trust account numbers, login credentials, document access, etc.) should be confirmed over the phone or any other communication channel besides that same email thread.
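The three characteristics above can be checked mechanically before a human ever sees the message. The following is an added example written for this article, not code from PracticePanther or any mail-security vendor: it parses a raw message with Python’s standard email library and flags an urgent subject line, a display name that claims a trusted brand while the address domain is unrelated, a Reply-To pointing elsewhere, and links whose hosts imitate a trusted domain (digit-for-letter swaps, the brand name buried in a subdomain, or punycode labels). The trusted-domain list, the confusable map and the sample message are constructed for the demonstration; a production filter would use the Public Suffix List instead of the two-label registered_domain() shortcut.

```python
"""Phishing-indicator checks over a raw e-mail.  Added example for this article;
not code from PracticePanther or any mail-security vendor.  The allowlist,
confusable map and sample message are constructed for the demonstration."""
from __future__ import annotations

import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplefirm.com", "docusign.com"}  # constructed allowlist
URGENT_WORDS = ("urgent", "immediately", "action required", "are you available")
# digits and letter pairs commonly substituted to slip past keyword filters
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registered_domain(host: str) -> str:
    """Last two labels of a host (crude eTLD+1; production code should use the
    Public Suffix List so that names under e.g. co.uk are handled)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def fold(name: str) -> str:
    """Normalise look-alike characters so 'd0cusign' and 'docusign' compare equal."""
    return name.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def host_findings(host: str, trusted: set[str]) -> list[tuple[str, str]]:
    """Flags for one link target: punycode (IDN) labels and brand look-alikes."""
    out: list[tuple[str, str]] = []
    if any(label.startswith("xn--") for label in host.lower().split(".")):
        out.append(("punycode-url", host))
    dom = registered_domain(host)
    if dom in trusted:
        return out
    for t in sorted(trusted):
        brand = t.split(".")[0]
        # same registrable domain once confusables are folded, or the brand name
        # placed anywhere in the host (docusign.com.evil.net)
        if fold(dom) == fold(t) or brand in fold(host):
            out.append(("lookalike-url", f"{host} imitates {t}"))
            break
    return out


def analyze(raw: bytes, trusted: set[str] = TRUSTED_DOMAINS) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs for the three characteristics above."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags: list[tuple[str, str]] = []

    subject = str(msg.get("Subject", ""))
    if subject.isupper() or any(w in subject.lower() for w in URGENT_WORDS):
        flags.append(("urgent-subject", subject))

    sender = msg["From"].addresses[0] if msg["From"] else None
    if sender is not None:
        if registered_domain(sender.domain) not in trusted:
            for t in sorted(trusted):
                if t.split(".")[0] in sender.display_name.lower():
                    flags.append(("brand-mismatch",
                                  f"'{sender.display_name}' sent from @{sender.domain}"))
        reply = msg["Reply-To"]
        if reply and reply.addresses and reply.addresses[0].domain.lower() != sender.domain.lower():
            flags.append(("reply-to-mismatch", reply.addresses[0].addr_spec))

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        flags.extend(host_findings(urlparse(url).hostname or "", trusted))
    return flags


# Constructed sample: not a real message, but the shape of a real lure.
SAMPLE = b"""From: "DocuSign Support" <notify@d0cusign-docs.com>
Reply-To: collect@mail-dropbox.ru
To: partner@examplefirm.com
Subject: URGENT: signature required on settlement agreement
Content-Type: text/plain; charset=utf-8

Please review and sign today: https://docusign.com.sign-portal.net/sign?id=8841
Backup link: https://xn--dcusign-uya.com/sign
"""

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE):
        print(f"{kind:18} {detail}")
```

Each flag on its own is weak evidence (plenty of legitimate mail is marked urgent), which is why the function returns all of them and leaves the scoring threshold to the caller; the link checks are the ones worth acting on automatically, since a brand name in a subdomain of an unrelated registered domain has no honest explanation.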

6 ways to prevent phishing at your law firm

  1. Check if email addresses associated with the firm were involved in high-profile breaches

Have I Been Pwned is a website that identifies compromised email addresses and passwords across online services that have been breached so that victims can change their password and prevent account access. Set up alerts through the website to monitor any future breaches.

 Check if you have an account that has been compromised in a data breach.

Source: HaveIBeenPwned.com

  2. Install password managers

The best passwords don’t need to be memorized. 25% of people reuse the same password for everything, according to OpenVPN. Password manager services like 1Password (paid) and LastPass (free) use browser plug-ins and mobile applications to create, remember, and autofill complex, randomly-generated passwords. They identify weak or reused passwords across websites, and run a program to simultaneously rewrite and save new passwords on those sites.

LastPass password management software

Source: LastPass.com

  3. Make multi-factor authentication (MFA) mandatory at the firm

Multi-factor authentication requires a second proof of identity on top of the password, so a phished or reused password alone is no longer enough to take over the account. In the most common form, after the username and password are accepted the service sends a short one-time code to the account holder’s phone (SMS) or email address; the code must be entered on the follow-up login screen within a short window, after which it expires.

Codes sent by SMS or email are the weakest form: phone numbers and email addresses are easy to find, phone numbers can be hijacked by SIM swapping, and the mailbox that receives the code may be the very account under attack. Prefer app-based or hardware-based MFA.

Solo and small/medium firms should use an authenticator app such as Google Authenticator. The app holds a secret that is shared with the service once at enrollment (usually by scanning a QR code) and combines it with the current time to produce a new six-digit code every 30 seconds (the TOTP scheme of RFC 6238). Nothing is sent over the phone network, and the codes are only as secret as that enrollment secret, so protect any backup of it.

Larger firms should adopt hardware security keys. These plug into a USB port (or tap via NFC) to authenticate to applications, and can also gate access to the device itself. A key such as Yubico’s YubiKey, which Google requires for its own employees, is phishing-resistant because the FIDO/U2F protocol signs a challenge bound to the real site’s origin, so a spoofed login page never receives a valid response. That protection only holds if the recovery path is equally strong: if a lost key can be replaced by a code sent to email or SMS, an attacker will simply trigger the fallback. Register a second key as the spare and keep printed backup codes in a safe place instead.
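To see why an authenticator code needs no network delivery and expires on its own, here is the one-time password scheme that such apps implement (HOTP from RFC 4226 and TOTP from RFC 6238), as an added example written for this article rather than code from Google Authenticator or any vendor. The secret is the published RFC 6238 test key, not a real enrollment seed; the 30-second period, six displayed digits and the verify() window of one step either side are the usual defaults and are assumptions here.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238), the scheme behind authenticator apps.
Added example for this article, not code from Google Authenticator or any
vendor.  RFC_SECRET is the published RFC 6238 test key, not a real seed."""
from __future__ import annotations

import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per code, the period mentioned in the text above
DIGITS = 6   # what most apps display; the RFC test vectors use 8


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP(K, C) = dynamic truncation of HMAC-SHA1(K, C), reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int | None = None, step: int = STEP,
         digits: int = DIGITS) -> str:
    """TOTP = HOTP with the counter replaced by floor(unix_time / step).
    Both sides compute this independently, so nothing travels over SMS or e-mail."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step, digits)


def verify(secret: bytes, candidate: str, at: int, window: int = 1,
           step: int = STEP, digits: int = DIGITS) -> bool:
    """Accept the code for the current step and `window` steps either side to
    absorb clock skew; a code outside that range has expired.  Comparison is
    constant-time so response timing leaks nothing about the expected value."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits), candidate)
        for c in range(counter - window, counter + window + 1)
    )


def secret_from_base32(b32: str) -> bytes:
    """Enrollment QR codes carry the secret as unpadded base32 in an otpauth:// URI."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


RFC_SECRET = b"12345678901234567890"   # RFC 6238 Appendix B test key (SHA-1 column)

if __name__ == "__main__":
    # RFC 6238 lists 94287082 for T=59 with 8 digits; a live 6-digit code follows.
    print("RFC vector  :", totp(RFC_SECRET, at=59, digits=8))
    print("current code:", totp(RFC_SECRET))
```

The server side must also remember the last counter it accepted and refuse a replay of the same code within the window; with a 30-second step and a window of one, an intercepted code is usable for at most about 90 seconds, which is the whole reason the SMS-delivered variant is weaker than the app: the app never puts the code on a channel an attacker can read.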

Make Multi-Factor authentication mandatory at the law firm.

YubiKeys (Source: Wired Store)

  4. Participate in phishing awareness training programs

These software programs regularly educate and train employees on the characteristics of spam, phishing, malware, ransomware, and social engineering attack methods. Microsoft’s Attack Simulator and KnowBe4 offer free programs that train users not to interact with phishing attempts and give visibility into how well they’re trained, based on their click rate during the attack simulations. The 2019 Verizon Data Breach Investigation Report found that lawyers and other professional service workers were the third most likely group to click on phishing emails.

2019 Verizon Data Breach Investigation Report

Source: 2019 Verizon Data Breach Investigation Report, Figure 45

  5. Only connect to secure WiFi

Public WiFi in a cafe, airport, or hotel is untrusted: anyone on the same network can observe unencrypted traffic, impersonate the hotspot, or probe connected devices for exploitable services, which is how network worms spread from one machine to another. When traveling, use a virtual private network (VPN) so that all traffic is encrypted and tunneled to the firm’s own network before it reaches the internet. A VPN protects the connection, not the user: a phishing page opened over a VPN is still a phishing page.

  6. Report suspicious emails

Popular email services like Office 365 and Gmail offer suspicious-message reporting. Use the built-in tool: each report improves the provider’s filtering for everyone. Where applicable, also contact the firm’s IT or security staff so they can update the configuration of the email client or of any third-party security tool, for example by blocking the sender’s domain for the whole firm.

What is malware?

Malware is any malicious program or document that, once opened, runs code to hijack a device, steal confidential data, or enlist the device in a Distributed Denial of Service (DDoS) attack. Most malware is delivered via email. The 2019 Verizon Data Breach Investigations Report found that 51% of phishing attacks involve malware injections into a network. The payload usually arrives disguised as a DocuSign or Adobe attachment, or as a fraudulent billing or invoicing document, whose embedded macro or script fetches and runs the real malware once the recipient opens it and enables content.

Ransomware is a subset of malware that encrypts files or locks systems and holds them hostage until a ransom is paid. Extortion tactics travel with it: “sextortion” phishing emails, in which the sender claims to have footage of the victim watching pornography and demands payment, are gaining popularity.

The 2019 ABA TECHREPORT noted that 36% of firms have had systems infected, and about a quarter (26%) of firms were unaware if they’ve been infected by malware. Larger firms, which tend to use on-premise software because of the up-front work associated with cloud migration, are the least likely to know if they’ve suffered a malware attack.

3 ways to prevent malware

  1. Monitor and update outdated software and hardware 

Application updates are necessary and should not be treated as optional. These software upgrades implement essential security features to ward off new strains of attacks. Not updating software and hardware provides short term savings, but will be very costly in the long run.

Be aware that:

  • Support for Windows 7 ended in January 2020.

  • Support for MS Office 2010 ends in October 2020.

  • Support for Adobe Acrobat X Reader/Standard/Pro, Adobe Acrobat XI, and Reader XI has ended. 88% of attorneys continue to use these highly-vulnerable Adobe programs, according to the 2019 ABA TECHREPORT.

  2. Monitor email for links and executables (including macro-enabled Office docs)

An executable attachment runs whatever code it contains as soon as the user opens it, and a macro-enabled Office document does the same once the user clicks “Enable Content”. Apply application control (allow-listing) on devices so that executables cannot start without approval, and treat .docm and .xlsm attachments from outside the firm as suspect. Microsoft found that 98% of Office-targeted threats use macros. In 2016, Microsoft added a setting to Office 2016 that blocks macros in Word documents downloaded from the internet; enable it.
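Deciding whether an attachment carries macros does not require opening it in Word: a modern Office file (OOXML) is a ZIP archive, and the macro project lives in a vbaProject.bin part that is declared in [Content_Types].xml. The following is an added example for this article, not code from Microsoft or PracticePanther, that inspects an attachment’s bytes and flags macro-bearing files, including the suspicious case of a file whose extension (.docx) claims to be macro-free while the contents are not. The sample documents are built in memory and are constructed for the demonstration; legacy binary formats (.doc, .xls) are OLE2 containers that need a different parser (oletools, for instance), which this example only recognises and holds.

```python
"""Detect macro-bearing Office attachments by inspecting the OOXML container.
Added example for this article, not code from Microsoft or PracticePanther.
The sample documents are built in memory and are constructed, not real files."""
from __future__ import annotations

import io
import os
import zipfile

MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment.  'block' is the gateway decision: any macro
    project, or a legacy OLE2 file this parser cannot read, is held for review."""
    ext = os.path.splitext(filename)[1].lower()
    result = {"file": filename, "format": "other", "has_macros": False,
              "extension_mismatch": False, "block": False}

    if data.startswith(OLE2_MAGIC):
        # legacy binary formats need an OLE parser (e.g. oletools); quarantine
        result.update(format="ole2", block=True)
        return result
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result

    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "[Content_Types].xml" not in names:
            return result                       # a zip, but not an Office package
        result["format"] = "ooxml"
        content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
        # check both the declared content type and the physical part; a
        # crafted file may carry one without the other
        result["has_macros"] = (MACRO_CONTENT_TYPE in content_types
                                or any(p in names for p in MACRO_PARTS))

    # a .docx/.xlsx that nonetheless contains a VBA project is a red flag in itself
    result["extension_mismatch"] = result["has_macros"] and ext not in MACRO_EXTS
    result["block"] = result["has_macros"]
    return result


def build_sample_docx(with_macros: bool) -> bytes:
    """Minimal constructed Word package (enough structure for the check above)."""
    overrides = ['<Override PartName="/word/document.xml" ContentType='
                 '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            overrides.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>')
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)  # stub, constructed
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   + "".join(overrides) + "</Types>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docx", build_sample_docx(False)),
                       ("invoice.docm", build_sample_docx(True)),
                       ("invoice.docx", build_sample_docx(True)),   # renamed .docm
                       ("old.doc", OLE2_MAGIC + b"\x00" * 512)]:
        print(inspect_attachment(name, blob))
```

The check deliberately looks at the container rather than the file name, because the name is the one thing an attacker controls completely; a gateway that only blocks by extension will wave through a macro document that has been renamed, zipped, or sent as a template (.dotm).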

Block macros and prevent malware in Microsoft Office Word.

Source: Microsoft Security Blog

  3. Hire a Managed Service Provider (MSP) for cybersecurity

MSPs offer an affordable portfolio of solutions to manage cyber risk across firm operations.

The solution: control the login process and data access in cloud-based apps

Lawyers are obligated to protect sensitive client information from phishing, malware, and ransomware. As breaches continue to make headlines, clients are selecting firms based on their data security. Law firms educated on confidentiality, security, and data control will be able to reassure security-conscious clients.

Cloud security — especially in email and document storage — relies on identity and access management. Establish a secure login process, govern user privileges in applications, and ensure that everyone at the firm can spot suspicious emails and attachments.

Choose cloud providers with a reputation for secure software and identify third-party security vendors for anti-phishing, anti-malware, and MFA.


© Copyright 2020 PracticePanther

Written by Reece Guida of PracticePanther.
For more on cybersecurity for legal and other businesses, see the National Law Review Communications, Media & Internet law section.

Emerging Cyber-Security Threats for 2020: The Rise of Disruptionware and High-Impact Ransomware Attacks

Disruptionware is defined by the Institute for Critical Infrastructure Technology (ICIT) as a new and “emerging category of malware designed to suspend operations within a victim organization through the compromise of the availability, integrity and confidentiality of the systems, networks and data belonging to the target.”  New forms of disruptionware can be a more crippling form of cyber-attack than other more “garden-variety” malware and ransomware attacks. This is the case since, as the ICIT notes, disruptionware not only attempts to encrypt and deny users access to their data, but works as a “layered attack” designed to “disrupt operations and production in manufacturing or industrial environments (as well as infrastructure) in order to achieve some other strategic goal.”

Disruptionware has “consumed” many traditional cyber-attacks, making them part of the disruptionware “toolkit”: ransomware, “wipers,” “bricking capabilities,” automated components, data exfiltration tools and network reconnaissance tools. (See the ICIT report for further definitions.) That combination is what makes disruptionware a new and even more chaotic form of cyber warfare than ransomware alone: the goal is not only to encrypt data and deny users access to it, but to “disrupt operations and production in manufacturing or industrial environments (as well as infrastructure) in order to achieve some other strategic goal.”

Additionally, generalized forms of ransomware attacks – designed to block access to the victim’s computer systems until money is paid – are continuing to represent a more prevalent threat to government agencies, healthcare providers and educational institutions. Ransomware was so destructive on its own that the FBI recently issued a Public Service Announcement (PSA) warning about such “high-impact” attacks on critical private and public sector institutions. Underscoring the FBI’s announcement, another publication has noted the rise of ransomware attacks since the beginning of 2019 finding that there have been at least 621 reported successful ransomware attacks against U.S.-based corporations. Of these attacks, at least 491 were targeted against healthcare providers, while another 68 of the attacks were directed at county and municipal institutions, and 62 of the attacks were focused on school districts.

According to the FBI, hospitals and health care institutions are the primary targets of these high-impact ransomware attacks because of the critical role they play in providing lifesaving services, and because these institutions usually do not have the luxury of taking the time to restore from backups in order to get their networks running safely and securely again after an attack. Above and beyond the costs of paying the ransom and restoring computer networks and systems, ransomware attacks on hospitals and health care providers have proven especially damaging because they affect the ability of the targeted providers to deliver critical care to patients. Perhaps even more disturbingly, many victim companies reported losing data even when they paid the ransom demanded by the hackers. Even so, according to the KnowBe4 blog, ransomware payments alone by victim companies were predicted to exceed $11.5 billion in 2019, an increase of almost 30% over the approximately $8 billion paid in 2018.

Along with the rise of disruptionware and high-impact ransomware, hackers are also using new and diverse techniques to launch multiple forms of cyber-attack, including an increased use of Remote Desktop Protocol (RDP) attacks and the exploitation of software vulnerabilities to plant backdoors inside organizations. Unfortunately, few businesses are hardening their IT infrastructure against these extremely damaging attacks. RDP attacks are becoming far more common because RDP is often exposed directly to the internet and protected only by simple, guessable login credentials, while companies are not doing enough to “whitelist” (allow-list) the software and applications permitted to run, leaving security holes from numerous vulnerabilities in unpatched and sometimes untested applications.
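Weak RDP credentials are found by guessing, and guessing leaves a trail in the Windows Security log: a burst of event 4625 (failed logon) from one source address, followed, if it works, by a 4624 (successful logon) from the same address. The following is an added example for this article, not part of the FBI PSA or any SIEM product: a sliding-window rule over constructed event records that reports any source exceeding a failure threshold, the usernames it tried (one account versus a spray across many), and whether a success followed. Logon type 10 is RemoteInteractive; with Network Level Authentication enabled the failed attempt is recorded as type 3, so both are accepted. The threshold and window are assumptions to tune per environment.

```python
"""Sliding-window detection of RDP password guessing in Windows Security events.
Added example for this article, not from the FBI PSA or any SIEM vendor; the
event records are constructed and carry only the 4625/4624 fields the rule uses."""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

# 10 = RemoteInteractive (RDP); with Network Level Authentication the failed
# CredSSP attempt is logged as type 3 (Network) instead, so accept both.
RDP_LOGON_TYPES = {3, 10}
FAILED, SUCCESS = 4625, 4624


def build_sample_events() -> list[dict]:
    """Constructed log: one guessing burst that eventually succeeds, one real
    user who mistypes twice, and console failures that are not RDP at all."""
    base = datetime(2020, 2, 3, 2, 15, 0)
    users = ["administrator", "admin", "jsmith", "backup", "scan"]
    events = []
    for i in range(40):                       # 40 failures in two minutes
        events.append({"time": base + timedelta(seconds=3 * i), "event_id": FAILED,
                       "logon_type": 10, "ip": "203.0.113.7", "user": users[i % 5]})
    events.append({"time": base + timedelta(seconds=125), "event_id": SUCCESS,
                   "logon_type": 10, "ip": "203.0.113.7", "user": "backup"})
    for i in range(2):                        # fat-fingered password, then success
        events.append({"time": base + timedelta(minutes=10, seconds=20 * i), "event_id": FAILED,
                       "logon_type": 10, "ip": "198.51.100.4", "user": "mlee"})
    events.append({"time": base + timedelta(minutes=11), "event_id": SUCCESS,
                   "logon_type": 10, "ip": "198.51.100.4", "user": "mlee"})
    for i in range(15):                       # interactive console failures: not RDP
        events.append({"time": base + timedelta(minutes=20, seconds=i), "event_id": FAILED,
                       "logon_type": 2, "ip": "-", "user": "svc_backup"})
    return events


def detect_rdp_guessing(events: list[dict], threshold: int = 10,
                        window: timedelta = timedelta(minutes=5)) -> dict[str, dict]:
    """Per source IP, count failed RDP logons inside a sliding window.  When the
    count reaches `threshold` the source is reported with the distinct usernames
    tried (one account = brute force, many = password spray) and any later success."""
    recent: dict[str, deque] = defaultdict(deque)
    hits: dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip = ev["ip"]
        if ev["event_id"] == FAILED:
            q = recent[ip]
            q.append(ev)
            while ev["time"] - q[0]["time"] > window:   # drop events outside window
                q.popleft()
            if ip in hits:
                hits[ip]["failures"] += 1
                hits[ip]["users"].add(ev["user"])
            elif len(q) >= threshold:
                hits[ip] = {"first_seen": q[0]["time"], "failures": len(q),
                            "users": {e["user"] for e in q}, "success_as": None}
        elif ev["event_id"] == SUCCESS and ip in hits:
            hits[ip]["success_as"] = ev["user"]       # the guess landed: escalate
    return hits


if __name__ == "__main__":
    for ip, info in detect_rdp_guessing(build_sample_events()).items():
        print(ip, info["failures"], "failures,", len(info["users"]),
              "users, success as", info["success_as"])
```

The success-after-failures case is the one to page on: at that point the attacker holds a working account, and the response is to disable it and the session, not merely to block the source address. Better still is to remove the attack surface, by putting RDP behind a VPN or gateway with MFA rather than leaving port 3389 reachable from the internet.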

The FBI’s PSA serves as a warning to businesses that they should have a plan in place to respond efficiently and appropriately in the event of high impact ransomware and disruptionware attacks. Such plans should include, among other things, clear designations of responsible individuals (both inside and outside the company), procedures for contacting law enforcement, and the business having a firm understanding of what their data is as well as a good understanding of its importance in the overall business plan. Finally, businesses need a current and workable Disaster Recovery Plan for getting the organization up and running again as quickly as possible if there is a cyber-attack. Businesses would be wise to review how their systems are backed up, as reliable and readily accessible backups are often critical in allowing ransomware or disruptionware victims to try and resume normal business operations as quickly as possible.


©2020 Drinker Biddle & Reath LLP. All Rights Reserved

For more on ransomware and other cyberthreats, see the Communications, Media & Internet section of the National Law Review.

Offered Free Cyber Services? You May Not Need to Look That Gift Horse in the Mouth Any Longer.

Cyberattacks continue to plague health care entities. In an effort to promote improved cybersecurity and prevent those attacks, HHS has proposed new rules under Stark and the Anti-Kickback Statute (“AKS”) to protect in-kind donations of cybersecurity technology and related services from hospitals to physician groups. There is already an EHR exception1 which protects certain donations of software, information technology and training associated with (and closely related to) an EHR, and HHS is now clarifying that this existing exception has always been available to protect certain cybersecurity software and services. However, the new proposed rule explicitly addresses cybersecurity and is designed to be more permissive than the existing EHR protection.

The proposed exception under Stark and safe harbor under AKS are substantially similar and, unless noted, the following analysis applies to both. The proposed rules allow for the donation of cybersecurity technology such as malware prevention and encryption software. The donation of hardware is not currently contemplated, but HHS is soliciting comment on this matter as discussed below. The proposed rules also allow for the donation of cybersecurity services that are necessary to implement and maintain cybersecurity of the recipient’s systems. Such services could include:

  • Services associated with developing, installing, and updating cybersecurity software;

  • Cybersecurity training, including breach response, troubleshooting and general “help desk” services;

  • Business continuity and data recovery services;

  • “Cybersecurity as a service” models that rely on a third-party service provider to manage, monitor, or operate cybersecurity of a recipient;

  • Services associated with performing a cybersecurity risk assessment or analysis, vulnerability analysis, or penetration test; or

  • Services associated with sharing information about known cyber threats, and assisting recipients responding to threats or attacks on their systems.

The intent of these rules is to allow the donation of this cybersecurity technology and these services in order to encourage their proliferation throughout the health care community, especially among providers who may not be able to afford to undertake such efforts on their own. Therefore, these rules are expressly intended to be less restrictive than the previous EHR exception and safe harbor. The proposed restrictions are as follows2:

  • The donation must be necessary to implement, maintain, or reestablish cybersecurity;

  • The donor cannot condition the donations on the making of referrals by the recipient, and the making of referrals by the recipient cannot be conditioned on receiving a donation; and

  • The donation arrangement must be documented in writing.

AKS has an additional requirement that the donor must not shift the costs of any technology or services to a Federal health care program. Currently, there are no “deeming provisions” within these proposed rules for the purpose of meeting the necessity requirement, but HHS is considering, and is seeking comment on, whether to add deeming provisions, which essentially designate certain arrangements as acceptable. Some in the industry appreciate the safety of knowing what is expressly considered acceptable, while others find this approach more restrictive out of fear that the list would come to be considered exhaustive.

HHS is also considering adding a restriction regarding what types of entities are eligible for the donation. Previously for other rules, HHS has distinguished between entities with direct and primary patient care relationships, such as hospitals and physician practices, and suppliers of ancillary services, such as laboratories and device manufacturers.

Additionally, HHS is soliciting comment on whether to allow the donation of cybersecurity hardware to entities for which a risk assessment identifies a risk to the donor’s cybersecurity. Under this potential rule, the recipient must also have a risk assessment stating that the hardware would reasonably address a threat.


1 AKS Safe Harbor 42 CFR §1001.952(y); Stark Exception §411.357(bb)
2 AKS Safe Harbor 42 CFR §1001.952(jj); Stark Exception §411.357(w)(4)


©2020 von Briesen & Roper, s.c.

More on cybersecurity software donation regulation on the National Law Review Communications, Media & Internet law page.

My Business Is In Arizona, Why Do I Care About California Privacy Laws? How the CCPA Impacts Arizona Businesses

Arizona businesses are not typically concerned about complying with the newest California laws going into effect. However, one California law in particular—the CCPA or California Consumer Privacy Act—has a scope that extends far beyond California’s border with Arizona. Indeed, businesses all over the world that have customers or operations in California must now be mindful of whether the CCPA applies to them and, if so, whether they are in compliance.

What is the CCPA?

The CCPA is a comprehensive data privacy regulation enacted by the California Legislature that became effective on January 1, 2020. It was passed on September 13, 2018 and has undergone a series of substantive amendments over the past year and a few months.

Generally, the CCPA gives California consumers a series of rights with respect to how companies acquire, store, use, and sell their personal data. The CCPA’s combination of mandatory disclosures and notices, rights of access, rights of deletion, statutory fines, and threat of civil lawsuits is a significant move towards empowering consumers to control their personal data.

Many California businesses are scrambling to implement the necessary policies and procedures to comply with the CCPA in 2020. In fact, you may have begun to notice privacy notices on the primary landing page for national businesses. However, Arizona businesses cannot assume that the CCPA stops at the Arizona border.

Does the CCPA apply to my business in Arizona?

The CCPA has specific criteria for whether a company is considered a California business. The CCPA applies to for-profit businesses “doing business in the State of California” that also:

  • Have annual gross revenues in excess of twenty-five million dollars; or
  • Handle data of more than 50,000 California consumers or devices per year; or
  • Have 50% or more of revenue generated by selling California consumers’ personal information

The CCPA does not include an express definition of what it means to be “doing business” in California. While it will take courts some time to interpret the scope of the CCPA, any business with significant sales, employees, property, or operations in California should consider whether the CCPA might apply to them.

How do I know if I am collecting a consumer’s personal information?

“Personal information” under the CCPA generally includes any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked” with a specific consumer. As the legalese of this definition implies, “personal information” includes a wide swath of data that your company may already be collecting about consumers.

There is no doubt that personal identifiers like name, address, email addresses, social security numbers, etc. are personal information. But biometric data, search and browsing activity, IP addresses, purchase history, and professional or employment-related information are also all expressly included under the CCPA’s definition. Moreover, the broad nature of the CCPA means that other categories of collected data—although not expressly identified by the CCPA—may be deemed to be “personal information” in an enforcement action.

What can I do to comply with the CCPA?

If the CCPA might apply to your company, now is the time to take action. Compliance will necessarily be different for each business depending on the nature of its operation and the use(s) of personal information. However, there are some common steps that each company can take.

The first step towards compliance with the CCPA is understanding what data your company collects, how it is stored, whether it is transferred or sold, and whether any vendors or subsidiaries also have access to the data. Next, an organization should prepare a privacy notice that complies with the CCPA to post on its website and include in its app interface.

The most substantial step in complying with the CCPA is to develop and implement policies and procedures that help the company conform to the various provisions of the CCPA. The policies will need to provide up-front disclosures to consumers, allow consumers to opt-out, handle consumer requests to produce or delete personal information, and guard against any perceived discrimination against consumers that exercise rights under the CCPA.

The company will also need to review contracts with third-party service providers and vendors to ensure it can comply with the CCPA. For example, if a third-party cloud service will be storing personal information, the company will want to verify that its contract allows it to assemble and produce that information within statutory deadlines if requested by a consumer.

At least you have some time!

The good news is that the CCPA includes a grace period until July 1, 2020 before the California Attorney General can bring enforcement actions. Thus, Arizona businesses that may have ignored the quirky California privacy law to this point have a window to bring their operations into compliance. However, Arizona companies that may need to comply with the CCPA should consult with counsel as soon as possible to begin the process. The attorneys at Ryley Carlock & Applewhite are ready to help you analyze your risk and comply with the CCPA.


Copyright © 2020 Ryley Carlock & Applewhite. A Professional Association. All Rights Reserved.

Learn more about the California Consumer Privacy Act (CCPA) on the National Law Review Communications, Media & Internet Law page.

Venmo’ Money: Another Front Opens in the Data Wars

When I see stories about continuing data spats between banks, fintechs and other players in the payments ecosystem, I tend to muse about how the more things change the more they stay the same. And so it is with this story about a bank, PNC, shutting off the flow of customer financial data to a fintech, in this case, the Millennial’s best friend, Venmo. And JP Morgan Chase recently made an announcement dealing with similar issues.

Venmo has to use PNC customers’ data in order to allow (for example) Squi to use it to pay P.J. for his share of the brews. Venmo needs that financial data in order for its system to work. But Venmo isn’t the only one with a mobile payments solution; the banks have their own competing platform called Zelle. If you bank with one of the major banks, chances are good that Zelle is already baked into your mobile banking app. And unlike Venmo, Zelle doesn’t need anyone’s permission but that of its customers to use those data.

You can probably guess the rest.  PNC recently invoked security concerns to largely shut off the data faucet and “poof”, Venmo promptly went dark for PNC customers.  To its aggrieved erstwhile Venmo-loving customers, PNC offered a solution: Zelle.  PNC subtly hinted that its security enhancements were too much for Venmo to handle, the subtext being that PNC customers might be safer using Zelle.

Access to customer data has been, up until now, a formidable barrier to entry for fintechs and others whose efforts to make the customer payment experience “frictionless” have depended in large measure on others being willing to do the heavy lifting for them. The author of the Venmo article suggests that pressure from customers may force banks to yield any strategic advantage that control of customer data may give them. So far, however, consumer adoption of mobile payments is still minuscule in the grand scheme of things, so that pressure may not be felt for a very long time, if ever.

In the European Union, the regulators have implemented PSD2 which forces a more open playing field for banking customers. But realistically, it can’t be surprising that the major financial institutions don’t want to open up their customer bases to competitors and get nothing in return – except a potential stampede of customers moving their money. And some of these fintech apps haven’t jumped through the numerous hoops required to be a bank holding company or federally insured – meaning unwitting consumers may have less fraud protection when they move their precious money to a cool-looking fintech app.

A recent study by the Pew Trusts makes it clear that consumers are still not fully embracing mobile for any number of reasons. The prime reason is that current mobile payment options still rely on the same payments ecosystem as credit and debit cards, yet mobile payments don’t offer as much consumer protection. As long as that is the case, banks, fintechs and merchants will continue to fight over data, and the regulators are likely to weigh in at some point.

It is not unlike the early mobile phone issue when one couldn’t change mobile phone providers without getting a new phone number – that handcuff kept customers with a provider for years but has since gone by the wayside. It is likely we will see some sort of similar solution with banking details.


Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.

For more on fintech & banking data, see the National Law Review Financial Institutions & Banking law page.

Million-Dollar Settlement of Billion-Dollar Claim Found Reasonable in Light of Due Process Problems Posed By Disproportionate Damages

Another court has observed that a billion-dollar aggregate liability under the TCPA likely would violate due process, adopting the Eighth Circuit’s reasoning that such a “shockingly large amount” of statutory damages would be “so severe and oppressive as to be wholly disproportionate[] to the offense and obviously unreasonable.”

In Larson v. Harman-Mgmt. Corp., No. 1:16-cv-00219-DAD-SKO, 2019 WL 7038399 (E.D. Cal. Dec. 20, 2019), the Eastern District of California preliminarily approved a settlement proposal that represents less than 0.1% of potential statutory damages. Like the Eighth Circuit in the decision we discussed previously, the court observed that several uncertainties exist as to whether the plaintiffs can succeed in proving certain legal issues, such as whether consent was provided and whether an ATDS was used.

The Larson case exposed the defendants to TCPA liability for allegedly sending 13.5 million text messages without prior express consent as part of a marketing program called the “A&W Text Club.” After extensive discovery and motion practice, the parties proposed a settlement that would have the defendants deposit $4 million into a settlement fund that in turn distributes $2.4 million to class members who submit a timely, valid claim.

The court preliminarily approved the proposed settlement, observing that its terms demonstrated “substantive fairness and adequacy.” As a preliminary matter, it found, “[i]t is well-settled law that a cash settlement amounting to only a fraction of the potential recovery does not per se render the settlement inadequate or unfair.” Concerned that calculating damages based on $500 per message under 47 U.S.C. § 227(b)(3)(B) would violate the Due Process Clause, it agreed that the conduct of the defendant (sending over 13.5 million messages) was not so persistent or severely harmful to the 232,602 recipients as to warrant the billion-dollar judgment.

While $4 million represents less than 0.1% of the theoretical aggregate damages, “the value of the settlement is intertwined with the risks of litigation.” Here, in addition to the uncertainty about whether the “A&W Text Club” program uses an ATDS, “several risks are present, including . . . whether the plaintiff can maintain the action as a class action, . . . and whether the plaintiff’s theories of individual and vicarious liability can succeed.” The proposed settlement amount was found to strike the appropriate balance, as it would likely result in each class member receiving $52 to $210 for each message if 5% to 20% of the class submit timely claims.

Although the case was only at the preliminary approval stage, this decision again illustrates that at least some courts recognize the due process problem posed by disproportionate aggregate damages and do not reject settlements simply because they provide some fraction of the theoretical aggregate damages available under a given statute.


©2020 Drinker Biddle & Reath LLP. All Rights Reserved

Escalated Tension with Iran Heightens Cybersecurity Threat Despite Military De-Escalation

The recent conflict between the United States and Iran has heightened America’s long-time concern of an imminent, potentially lethal Iranian cyber-attack on critical infrastructure in America. Below is the latest information, including the United States Government’s analysis of the current standing of these threats as of January 8, 2020.

CISA Alert

The U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued Alert (AA20-006A) in light of “Iran’s historic use of cyber offensive activities to retaliate against perceived harm.” In general, CISA’s Alert recommends two courses of action in the face of potential threats from Iranian actors: vulnerability mitigation and incident preparation. The Alert specifically instructs organizations to increase awareness and vigilance, confirm reporting processes and exercise organizational response plans to prepare for a potential cyber incident. CISA also suggests ensuring facilities are appropriately staffed with well-trained security personnel who are familiar with the tactics of Iranian cyber-attacks. Lastly, CISA recommends disabling unnecessary computer ports, monitoring network and email traffic, patching externally facing equipment, and ensuring that backups are up to date.

Iranian Threat Profile

CISA asserts that Iranian cyber actors continually improve their offensive cyber capabilities. These actors are also increasingly willing to engage in destructive, kinetic, and even lethal cyber-attacks. In the recent past, such threats have included disruptive cyber operations against strategic targets, including energy and telecommunications organizations. There has also been an increased interest in industrial control systems (such as SCADA) and operational technology (OT). Refer to CISA’s Alert and the Agency’s “Increased Geopolitical Tensions and Threats” publication for specific Iranian advanced persistent threats to the nation’s cybersecurity.

Imminence of an Iranian Cyber-attack

While CISA urges vigilance and heightened prudence as it pertains to cybersecurity, DHS has been clear that there is “no information indicating a specific, credible threat to the Homeland.”  Nevertheless, the same National Terrorism Advisory System Bulletin publication (dated January 4, 2020) warns that Iran maintains a robust cyber program. This program can carry out attacks with varying degrees of disruption against U.S. critical infrastructure. The bulletin further states that “an attack in the homeland may come with little to no warning.”  There is also a concern that homegrown violent extremists could capitalize on the heightened tensions to launch individual attacks.  With the ongoing tension, it is unlikely that the imminence of an Iranian cyber-attack will dissipate in the near term.

Implications

It is vital for businesses, especially those deemed critical infrastructure, to stay apprised of new advances on these matters.  Given that the Alert calls for organizations to take heightened preventative measures, it is imperative that critical infrastructure entities revisit their cybersecurity protocols and practices and adjust them accordingly.  A deeper understanding of the organizational vulnerabilities in relation to this particular threat will be imperative.


© 2020 Van Ness Feldman LLP

For more on cybersecurity, see the Communications, Media & Internet section of the National Law Review.

SEO for Law Firms in 2020 with John McDougall, Part 1: How to Hit a Moving Target with Bounce Rate, LSI Keywords, and Deep Content

SEO is a moving topic–especially for law firms who also deal with frequently changing legal developments.  To help legal marketers stay on top of the moving targets of SEO, litigation, and regulatory changes, we spoke with John McDougall of McDougall Interactive. Mr. McDougall has recently authored Content Marketing and SEO for Law Firms and will be holding a free webinar on January 15th to discuss the most vital SEO changes legal marketers should keep in mind for 2020.

The following is the first installment of a two-part series on law firm SEO trends and best practices for 2020:

NLR:  What SEO changes do you think provide the most opportunities for savvy legal marketers?

JM:  Google is looking for experts and experts naturally use language that Google’s latest algorithms can pick up on. With the recent BERT update, Google improved its understanding of natural language, and they describe BERT as their “biggest leap forward in the past five years.”

NLR:  Yes, and law firms are always trying to position their attorneys as experts, as the go-to leaders and experts in their particular area of legal expertise.  Can you discuss some strategies for legal marketing professionals who work with attorneys, and how they can help attorneys write with SEO in mind, or translate their content so it is more SEO friendly?

JM:  It helps if attorneys and ghostwriters who write for law firms use keyword tools like Ubersuggest and SEMrush, but they are just a starting point. They also need to write conversationally and with the user in mind, rather than overly fixating on the search engines.

Writing longer in-depth content that is not too stiff and has been corrected for grammar and spelling issues will outrank a very long page that has been robotically stuffed with keywords. Using a tool like Grammarly can help with the basics.

NLR:  In your book, you discuss the need to add related keywords, or LSI and topic clusters.  Can you explain and provide examples of how related keywords, topical clusters or LSI apply to legal marketing?

JM: LSI (Latent Semantic Indexing) Keywords are conceptually related terms that search engines use to deeply understand the content on a webpage.

Example: If you want to rank for “how to file a trademark”, you can use Google auto suggest to find related terms. As you type into your browser bar, you see something like this:


Google and other search engines used to figure out a page’s topic based 100% on the keywords they found on the page.   In 2020, Google is more focused on figuring out a page’s overall topic. SEMrush has a great tool (see below) that builds a mind map when you give it what topic you want to write about.

NLR:  You highlighted bounce rate as a critical metric; however, how do law firm websites balance design and lowering the bounce rate while simultaneously  providing readers with the specific information they’re looking for (like a change in the minimum wage rate or a relatively straightforward answer to a legal question, like when a law goes into effect, etc.) How do you make law firm website pages stickier?

JM:  It is ok if some pages, like a minimum wage rate change page, have a high bounce rate. Google is smart enough to know the goal of the page. With that said, law firm marketers would be wise to monitor the bounce rate of at least their most visited pages.

[Image: SEMrush mind map tool. Caption: Using related keywords and related sub-topics is essential for covering a topic deeply.]

Any webpage can be improved by making it load faster, have a clearer value proposition, a better headline, better writing in general, higher quality images and links to other related pages. Usersthink.com, Usertesting.com, and Hotjar.com are a few of the tools I will discuss on the webinar for increasing stickiness and conversions.

NLR:  You discuss creating deep content—what does that mean?  How long should an article or blog post be – should pages be 500 words, for example?  

JM:  If you search for how to file a trademark, many of the top ten results are well over 1,000 words. Gerben Law has a nice page on trademarks that is about 1,500 words. Not all your content has to be that long but if the top 5 results for your topic are 1,000 plus words, you may need to test increasing your webpages’ depth.

NLR:  Many lawyers view law firm websites as a sales tool, but you discuss how to “use the opportunity to focus on your user’s needs, as opposed to your own sales pitch.” What does that look like in execution? Can you give us an example?  Aren’t all effective webpages supposed to have some sort of ‘call to action’?

JM: The Gerben trademark page gives information away fairly freely and deeply (using related keywords and subtopics) but it also has a subtle call to action at the end: If you are unsure about how to file a trademark, our trademark attorneys are happy to talk with you about the services we offer.

Create marketing that people will love and engage with and you are on the right track.


Thanks, John, and we look forward to part two of the series on law firm SEO trends and best practices for 2020 tomorrow: Legal Marketing and SEO Trends for 2020 Part 2: Dwell Time, EAT and Law Firm Branding. Part two also covers how law firm branding plays a key role in connecting Google’s algorithm changes with an effective strategy of positioning a law firm’s attorneys as the go-to experts in their field.

Register for the January 15th complimentary webinar:  How to Develop an Effective Law Firm Content Marketing and SEO Action Plan for 2020.

Receive a sample chapter of John’s new book Content Marketing and SEO for Law Firms.



Copyright ©2020 National Law Forum, LLC

More on marketing for law firms in the Law Office Management section of the National Law Review.