Category: cybersecurity

Six Tips for Selecting the Right CRM System

Before deciding on a new CRM, follow these steps to select the right CRM system that meets your requirements, enhances adoption, offers value to your users – and can provide a return on your investment.

Research estimates that up to 70% of CRM systems fail to meet expectations – and a failed CRM implementation can be extremely costly, not just in terms of the financial expense, but also because of the costs in lost time – and credibility. Even more impactful: you don’t often get a second chance at CRM success. This means that it’s critical to select the right CRM system the first time.

The good news is CRM success is more than possible. If you simply follow a few critical steps before and during the CRM selection process, you can ensure that the system you select will help you achieve your organization’s goals, enhance adoption and provide value to your users – and deliver a return on your technology investment.

Tip 1: Problems First, Then Products

When attempting to successfully select and implement CRM software, it’s essential to focus on people and processes first, products second. Too many people immediately rush out to find potential vendors, so they can set up demonstrations of the most popular CRM software.

While it’s easy to get caught up in the shiny bells and whistles of a good CRM demo, it’s important to resist the temptation to dive into features and functions too soon without first taking the time to gain a real understanding of your organizational and user needs.

Tip 2: Assess Your Needs

Organizations buy CRM software for a number of reasons – but each organization is unique. To provide real value and ROI, before making the purchase, you have to understand what you are trying to accomplish.

Start by putting together a list of the key reasons you think you need a CRM.

  • Are you trying to communicate more effectively with clients and prospects?
  • Manage and evaluate the ROI of events or sponsorships?
  • Track and enhance business development efforts?
  • Help the organization be more efficient?
  • Increase business and revenue?

After assessing your organization’s needs, you may discover that you have more goals than you first thought.

If this is the case, it will be important to prioritize the goals. Don’t try to boil the ocean. If you try to tackle too many things at once, especially during the initial rollout, you will be less likely to succeed. Instead, assign your goals to a timeline based on importance and value to users. For the initial implementation, set a few relevant goals, achieve those initial successes, communicate the successes – and repeat.

Making your users part of the process up front will also make them more likely to adopt the software later.

Once you understand your organization’s unique needs and requirements, it’s time to talk to your users. One of the biggest frustrations we hear from clients is a lack of CRM adoption. This isn’t surprising since, in many of these organizations, system users were not involved during the selection process. To get people to buy in and use software, it has to provide value not only to the organization, but to the users individually. The challenge is that different people define value differently, which means different groups or types of users will have their own unique needs and requirements. That’s why it’s so important to get them involved early. Making your users part of the process up front will also make them more likely to adopt the software later.

To gather user input, consider creating focus groups to provide feedback on product features and functions. You may even want to meet with some of the naysayers individually to start encouraging their participation and head off future roadblocks. Finally, be sure to involve key stakeholders in system demonstrations to help evaluate the software and solicit their feedback before proceeding with system selection. In fact, it’s beneficial to have users involved throughout the rollout to offer ideas on how to improve the CRM implementation for everyone.

Tip 3: Evaluate the Systems and Providers

After gathering all the relevant information, it’s important to fully document your requirements and make sure you are well-prepared before reaching out to providers. The best way to do this is with what I call a ‘demo roadmap.’ This is a comprehensive two- to three-page document that sets out all of the details for the demonstrations along with all the needs and requirements gathered during the needs assessment and the features and functionality that you want to see.

Your ‘roadmap’ will guide the CRM providers so that they show you the key system attributes that are critical to the success of your organization and users and also helps to prevent the demonstrations from becoming a ‘dog and pony show.’ Your roadmap should be shared with the CRM providers well in advance of the demonstrations to give them time to adequately prepare.

Some larger organizations may also find it beneficial to take an additional step and create a much more detailed, formal RFP document. This request for proposals would be sent to potential CRM providers to solicit answers to a number of questions before scheduling any demos. The formal responses allow you to evaluate and compare the vendors and their system features and pricing in advance of the demonstrations. Many organizations use the RFP to limit the demonstrations to only the potential providers who are able to meet the organization’s budget and other requirements.

Once you have identified a few CRM systems that meet your requirements, you can begin the vetting process to select the right CRM system for your organization.

Tip 4: Direct the Demonstrations

It’s essential that the CRM demonstrations allow you to make an informed decision and adequately and accurately compare systems, features and pricing. It’s also important at this phase to again involve your users. CRM systems have a reputation for being notoriously difficult to implement, and the last thing you want is to be responsible for unilaterally selecting a system that then doesn’t meet user expectations. This can also help to make them more invested in system success.

It’s also important to structure the participation and demonstrations so you maximize the benefits.

First, it can be helpful to thin the field of participating CRM providers to a manageable number.

Next, select a group of users to participate. It can be good to choose users from different groups such as professionals and administrative, so you get some different perspectives.

Participants selected must have the time and inclination to participate and must be willing to sit through all of the demonstrations so they can accurately compare all the systems.

Finally, you may want to prepare the users by sharing the requirements and/or roadmap with them and asking them to be prepared to ask any questions they may have.

You should also prepare the providers. First, let them know how much time they have. A typical CRM demonstration can take between one and two hours.

Also let them know who will be participating and what their needs and interests are. If you have professional or executive users who have limited time for demonstrations, it can be helpful to direct the providers to spend the first 30 minutes to an hour of the demo on the features that are most relevant to those users.

Then they can step out and the rest of the time can be spent showing you the more detailed back-end functionality. Finally, be sure to leave at least 15 minutes at the end of the demonstrations for questions.

Tip 5: Check References

CLIENTSFirst CRM References Checklist

Before making the final commitment to a CRM system, it’s important to make sure you go through a thorough vetting process. It’s important to make sure you get all the information you need before finalizing your purchase.

First, ask the CRM vendor for references you can speak with. But don’t stop there. Talk to other companies or organizations in your industry who have used the software. Be sure to ask open-ended questions that will help you learn not only about the software, but also about other important areas. A few good questions to ask include:

  • Would you recommend the software?
  • Has the system performed as expected?
  • What were the biggest challenges with the implementation?
  • Were there any unexpected costs or delays?
  • What do you wish you had done differently during the selection and implementation?
  • How was the service after the sale?

For a comprehensive list of good questions to ask before finalizing the sale, check out our CLIENTSFirst CRM Reference Checking Questions Document.

Tip 6: Final Selection Steps

Once you have selected the right CRM system for your organization, there are still a few additional important details that require attention. You will want to have a formal scoping call with the provider to be able to accurately gauge the actual cost. The final price can vary depending on a number of variables including:

  • The number and types of licenses
  • Additional modules or software needed
  • Professional services to implement
  • Ongoing annual subscription or maintenance costs
  • Any proposed integrations
  • The types of training and materials
  • Data conversion and/or quality

If the price is an issue with your system of choice, there are also options. First, there may be room for negotiation. Alternatively, you can do a phased rollout to spread the costs over time. Some organizations prefer to start the rollout with Marketing and power users and then roll out to a small pilot group. Then additional groups can be added in later phases over time.

Finally, remember that in any sale, you are not finished until the paperwork is done. After the price is agreed upon, you will need to review the contract or agreement. While these documents may look official and final, in fact they are often open to negotiation, so it can be beneficial to modify some of the contract terms.

For instance, if the software is new to the market, you may be able to get a discount or arrange a beta test at a reduced rate.

Additionally, instead of paying the entire invoice up front, you can often negotiate payment terms that are stepped over time based on the satisfactory completion of key deployment steps. This can enhance your chances of CRM success by aligning your CRM vendor’s success with yours.

One Last Tip: Don’t Do It Alone

Selecting the right CRM system can be a daunting process. Most firms have never been through the process before – and few want to repeat it.

Article By Christina R. Fritsch JD of CLIENTSFirst Consulting

For more business of law legal news, click here to visit the National Law Review.

© Copyright 2022 CLIENTSFirst Consulting

Hackers Go Phishing in Beeple’s Deep Pool of Twitter Followers

“Stay safe out there, anything too good to be true is a … scam.” Beeple, a popular digital artist, tweeted to his followers, addressing the phishing scam that took place on May 23, 2022, targeting his Twitter account. The attack reportedly resulted in a loss of more than US$400,000 in cryptocurrency and NFTs, stolen from the artist’s followers on the social media website.

After hacking into Beeple’s Twitter account, perpetrators tweeted links from the artist’s page, promoting a fake raffle for unique art pieces. The links would reportedly take the user to a website that would drain the user’s cryptocurrency wallet of their digital assets.

Phishing scams for digital assets, including NFTs or non-fungible tokens, have steadily increased, with funds as large as $6 million being stolen. Various jurisdictions have adopted privacy and security laws that require companies to adopt reasonable security measures and follow required cyber incident response protocols. A significant part of these measures and protocols is training for employees in how to detect phishing scams and other hacking attempts by bad actors. This incident is a reminder to consumers to exercise vigilance, watch for red flags and not click on links without verifying the source.

The remaining summaries of news headlines are separated by region for your browsing convenience. 

UNITED STATES

Relaxed Deaccessioning COVID-19 Exemptions Expire

The global COVID-19 pandemic brought many changes, including dire financial consequences of the shutdowns for museums. In April 2020, the Association of Art Museum Directors (AAMD) made a decision to ease the rules that dictate how museums may use proceeds from art sales. Until April 2022, museums were permitted to use the funds for “direct care of collections” rather than to procure new artworks for their collections.

This relaxed policy and some of the museums that followed it met with backlash on more than one occasion; others, however, advocate for its continuation, citing considerations of diversity and inclusion. Some further argue that a policy born out of financial desperation should be continued to provide museums with the means to overcome any future financial issues that may arise.

Given that “direct care” is vague and open to interpretation, opponents of the relaxed rules counter giving museums such latitude to decide on the use of the proceeds, as it can lead to abuses and bad decisions. While AAMD has returned to its pre-pandemic regulations, and museums have followed suit, it appears that the public debate around deaccessioning is far from over.

Inigo Philbrick Sentenced to a Prison Term

Former contemporary art dealer Inigo Philbrick was sentenced by a federal court in New York to serve seven years in prison for a “Ponzi-like” art fraud, said to be one of the most significant in the history of the art market, with more than an estimated US$86 million in damages. Philbrick stood accused of a number of bad acts, including forging signatures, selling shares in artworks he did not own and inventing fictitious clients.

New York Abolishes Auction House Regulations

As the U.S. government is studying whether the art market requires further regulations to increase transparency and to combat money laundering, New York City repealed its local law that required auctioneers to be licensed and required disclosures to bidders, including whether an auction house had a financial stake in the item being auctioned. While the abolition of the regulation was ostensibly to improve the business climate after the pandemic, some commentators note that the regulations were outdated and not serving their purpose in any event. As an illustration, a newcomer to an auction will likely struggle to understand the garbled pre-action announcements or their significance. Whether the old regulations are to be replaced with new, clearer rules remains to be seen.

EUROPE

Greece and UK to Discuss Rehoming of Displaced Parthenon Marbles

The Parthenon marbles, also known as the Elgin marbles, have been on display in London’s British Museum for more than 200 years. These objects comprise 15 metopes, 17 pedimental figures and an approximately 250-foot section of a frieze depicting the birthday festivities of the Greek goddess Athena. What museum goers might not know is that these ancient sculptures were taken from the Acropolis in Greece in 1801 by Lord Elgin.

Previously, the British government, seeking to retain the sculptures, relied on the argument that the objects were legally acquired during the Ottoman Empire rule of Greece. However, for the first time, the UK has initiated formal talks with Greece to discuss repatriation of the Parthenon sculptures. These discussions are expected to influence future intergovernmental repatriation negotiations.

ASIA

Singapore High Court Asserts Jurisdiction over NFTs after Ruling Them a Digital Asset

The highest court in Singapore has granted an injunction to a non-fungible token (NFT) investor, Janesh Rajkumar, who sought to stop the sale of an NFT that once belonged to him and was used as collateral for a loan. The subject NFT from the Bored Ape Yacht Club Series is a rarity, as it depicts the only avatar that wears a beanie. Rajkumar now is seeking to repay the loan and have the NFT restored to his cryptocurrency wallet. The loan agreement specified that Rajkumar would not relinquish ownership of the NFT, and should he be unable to repay the loan in a timely manner, an extension would be granted. Instead of granting Rajkumar an extension, the lender, who goes by an alias “chefpierre,” moved to sell the NFT. The significance of the Singapore court’s decision is two-fold: the court has (1) recognized jurisdiction over assets cited in the decentralized blockchain, and (2) allowed for the freezing order to be issued via social media platforms.

THE MIDDLE EAST

Illegal Trading Leads to Raiding of Antique Dealer by the Israeli Authorities

A recent raid on an unauthorized antiquities dealer in the city of Modi’in by the Israel Antiquities Authority recovered hundreds of artifacts of significant historical value, including jewelry, a bronze statue and approximately 1,800 coins. One the coins is a nearly 2,000-year-old silver shekel of great historical significance. The coin is engraved with the name Shimon, leader of the 132–136 C.E. Bar Kokhba revolt.

Investigations are ongoing to determine where the antiquities were obtained. The Antiquities Robbery Prevention Unit intends to charge the dealer and their suppliers upon obtaining this information.

Article By Jana S. Farmer and Meenka Maharaj of Wilson Elser Moskowitz Edelman & Dicker LLP

For more entertainment, art, and sports news, click here to visit the National Law Review.

© 2022 Wilson Elser

Thailand’s Personal Data Protection Act Enters into Force

On June 1, 2022, Thailand’s Personal Data Protection Act (“PDPA”) entered into force after three years of delays. The PDPA, originally enacted in May 2019, provides for a one-year grace period, with the main operative provisions of the law originally set to come into force in 2020. Due to the COVID-19 pandemic, however, the Thai government issued royal decrees to extend the compliance deadline to June 1, 2022. 

The PDPA mirrors the EU General Data Protection Regulation (“GDPR”) in many respects. Specifically, it requires data controllers and processors to have a valid legal basis for processing personal data (i.e., data that can identify living natural persons directly or indirectly). If such personal data is sensitive personal data (such as health data, biometric data, race, religion, sexual preference and criminal record), data controllers and processors must ensure that data subjects give explicit consent for any collection, use or disclosure of such data. Exemptions are granted for public interest, contractual obligations, vital interest or compliance with the law.

The PDPA applies both to entities in Thailand and abroad that process personal data for the provision of products or services in Thailand. Like the GDPR, data subjects are guaranteed rights, including the right to be informed, access, rectify and update data; restrict and object to processing; and the right to data erasure and portability. Breaches may result in fines between THB500,000 (U.S.$14,432) and THB5 million, plus punitive compensation. Certain breaches involving sensitive personal data and unlawful disclosure also carry criminal penalties including imprisonment of up to one year.

Article By Hunton Andrews Kurth’s Privacy and Cybersecurity of Hunton Andrews Kurth

For more communications, media & internet news, click here to visit the National Law Review.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Small Businesses Don’t Recognize Risk of Cyberattack Despite Repeated Warnings

CNBC surveys over 2,000 small businesses each quarter to get their thoughts on the overall business environment and their small business’ health. According to the latest CNBC/SurveyMonkey Small Business Survey, despite repeated warnings by the Cybersecurity and Infrastructure Security Agency and the FBI that U.S.- based businesses are at an increased risk of a cyber-attack following Russia’s invasion of Ukraine, small business owners do not believe that it is an actual risk that will affect them, and they are not prepared for an attack. The latest survey shows that only five percent of small business owners reported cybersecurity to be the biggest risk to their company.

What is unfortunate, but not surprising, is the fact that this is the same percentage of small business owners who recognized a cyber attack as the biggest risk a year ago. There has been no change in the perception among business owners, even though there are repeated, dire warnings from the government. Also unfortunate is the statistic that only 33 percent of business owners with one to four employees are concerned about a cyber attack this year. In contrast, 61 percent of business owners with more than 50 employees have the same concern.

According to CNBC, “this general lack of concern among small business owners diverges from the sentiment among the general public….In SurveyMonkey’s polling, 55% of people in the U.S. say they would be less likely to continue to do business with brands who are victims of a cyber attack.” CNBC’s conclusion is that there is a disconnect between business owners’ appreciation of how much customers care about data security and that “[s]mall businesses that fail to take the cyber threat seriously risk losing customers, or much more, if a real threat emerges.” Statistics show that threat actors are targeting small to medium-sized businesses to stay under the law enforcement radar. With such a large target on their backs, business owners may wish to make cybersecurity a priority. It’s important to keep customers.

Article By Linn F. Freedman of Robinson & Cole LLP

For more cybersecurity legal news, click here to visit the National Law Review.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

DOJ Limits Application of Computer Fraud and Abuse Act, Providing Clarity for Ethical Hackers and Employees Paying Bills at Work Alike

On May 19, 2022, the Department of Justice announced it would not charge good-faith hackers who expose weaknesses in computer systems with violating the Computer Fraud and Abuse Act (CFAA or Act), 18 U.S.C. § 1030. Congress enacted the CFAA in 1986 to promote computer privacy and cybersecurity and amended the Act several times, most recently in 2008. However, the evolving cybersecurity landscape has left courts and commentators troubled by potential applications of the CFAA to circumstances unrelated to the CFAA’s original purpose, including prosecution of so-called “white hat” hackers. The new charging policy, which became effective immediately, seeks to advance the CFAA’s original purpose by clarifying when and how federal prosecutors are authorized to bring charges under the Act.

DOJ to Decline Prosecution of Good-Faith Security Research

The new policy exempts activity of white-hat hackers and states that “the government should decline prosecution if available evidence shows the defendant’s conduct consisted of, and the defendant intended, good-faith security research.” The policy defines “good-faith security research” as “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

In practice, this policy appears to provide, for example, protection from federal charges for the type of ethical hacking a St. Louis Post-Dispatch reporter performed in 2021. The reporter uncovered security flaws in a Missouri state website that exposed the Social Security numbers of over 100,000 teachers and other school employees. The Missouri governor’s office initiated an investigation into the reporter’s conduct for unauthorized computer access. While the DOJ’s policy would not affect prosecutions under state law, it would preclude federal prosecution for the conduct if determined to be good-faith security research.

The new policy also promises protection from prosecution for certain arguably common but contractually prohibited online conduct, including “[e]mbellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service.” Such activities resemble the facts of Van Buren v. United States, No. 19-783, which the Supreme Court decided in June 2021. In Van Buren, the 6-3 majority rejected the government’s broad interpretation of the CFAA’s prohibition on “unauthorized access” and held that a police officer who looked up license plate information on a law-enforcement database for personal use—in violation of his employer’s policy but without circumventing any access controls—did not violate the CFAA. The DOJ did not cite Van Buren as the basis for the new policy. Nor did the DOJ identify any another impetus for the change.

To Achieve More Consistent Application of Policy, All Federal Prosecutors Must Consult with Main Justice Before Bringing CFAA Charges

In addition to exempting good-faith security research from prosecution, the new policy specifies the steps for charging violations of the CFAA. To help distinguish between actual good-faith security research and pretextual claims of such research that mask a hacker’s malintent, federal prosecutors must consult with the Computer Crime and Intellectual Property Section (CCIPS) before bringing any charges. If CCIPS recommends declining charges, prosecutors must inform the Office of the Deputy Attorney General (DAG) and may need to obtain approval from the DAG before initiating charges.

Article By Kyle R. Freeny, Linda Ricci, Jena M. Valdetero, and Brittany M. Fisher of Greenberg Traurig, LLP

For more data privacy and cybersecurity legal news, click here to visit the National Law Review.

©2022 Greenberg Traurig, LLP. All rights reserved.

Navigating the Data Privacy Landscape for Autonomous and Connected Vehicles: Implementing Effective Data Security

Autonomous vehicles can be vulnerable to cyber attacks, including those with malicious intent. Identifying an appropriate framework with policies and procedures will help mitigate the risk of a potential attack.

The National Highway Traffic Safety Administration (NHTSA) recommends a layered approach to reduce the likelihood of an attack’s success and mitigate ramifications if one does occur. NHTSA’s Cybersecurity Framework is structured around the five principles of identify, protect, detect, respond and recover, and can be used as a basis for developing comprehensive data security policies.

NHTSA goes on to describe how this approach “at the vehicle level” includes:

  • Protective/Preventive Measures and Techniques: These measures, such as isolation of safety-critical control systems networks or encryption, implement hardware and software solutions that lower the likelihood of a successful hack and diminish the potential impact of a successful hack.
  • Real-time Intrusion (Hacking) Detection Measures: These measures continually monitor signatures of potential intrusions in the electronic system architecture.
  • Real-time Response Methods: These measures mitigate the potential adverse effects of a successful hack, preserving the driver’s ability to control the vehicle.
  • Assessment of Solutions: This [analysis] involves methods such as information sharing and analysis of a hack by affected parties, development of a fix, and dissemination of the fix to all relevant stakeholders (such as through an ISAC). This layer ensures that once a potential vulnerability or a hacking technique is identified, information about the issue and potential solutions are quickly shared with other stakeholders.

Other industry associations are also weighing in on best practices, including the Automotive Information Sharing and Analysis Center’s (Auto-ISAC) seven Key Cybersecurity Functions and, from a technology development perspective, SAE International’s J3061, a Cybersecurity Guidebook for Cyber-Physical Vehicle Systems to help AV companies “[minimize] the exploitation of vulnerabilities that can lead to losses, such as financial, operational, privacy, and safety.”

Article By Adam J. Brody, John J. Rolecki, Jeffrey M. Stefan II, Andrea M. Gumushian, and Justin M. Wolber at Varnum LLP

For more transportation legal news, click here to visit the National Law Review.

© 2022 Varnum LLP

The Metaverse: A Legal Primer for the Hospitality Industry

The metaverse, regarded by many as the next frontier in digital commerce, does not, on its surface, appear to offer many benefits to an industry with a core mission of providing a physical space for guests to use and occupy. However, there are many opportunities that the metaverse may offer to owners, operators, licensors, managers, and other participants in the hospitality industry that should not be ignored.

What is the Metaverse?

The metaverse is a term used to describe a digital space that allows social interactions, frequently through use of a digital avatar by the user. Built largely using decentralized, blockchain technology instead of centralized servers, the metaverse consists of immersive, three-dimensional experiences, persistent and traceable digital assets, and a strong social component. The metaverse is still in its infancy, so many of the uses for the metaverse remain aspirational; however, metaverse platforms have already seen a great deal of activity and commerce. Meanwhile, technology companies are working to produce the next-generation consumer electronics that they hope will make the metaverse a more common location for commerce.

The Business Case for the Hospitality Industry

The hospitality industry may find the metaverse useful in enhancing marketing and guest experiences.

Immersive virtual tours of hotel properties and the surrounding area may allow potential customers to explore all aspects of the property and its surroundings before booking. Operators may also add additional booking options or promotions within the virtual tour to increase exposure to customers.

Creating hybrid, in-person and remote events, such as conferences, weddings, or other celebrations, is also possible through the metaverse. This would allow guests on-site to interact with those who are not physically present at the property for an integrated experience and possible additional revenue streams.

Significantly, numerous outlets have identified the metaverse as one of the top emerging trends in technology. As its popularity grows, the metaverse will become an important location for the hospitality industry to interact with and market to its customer base.

Legal Issues to Consider

  1. Select the right platform for you. There are multiple metaverse platforms, and they all have tradeoffs. Some, including Roblox and Fortnite, offer access to more consumers but generally give businesses less control over content within the programs. Others, such as Decentraland and the Sandbox, provide businesses with greater control but smaller audiences and higher barriers to entry. Each business should consider who its target audience is, what platform will be best to reach that audience, and its long term metaverse strategy before committing to a particular platform.
  2. Register your IP. Businesses should consider filing trademark applications covering core metaverse goods or services and securing any available blockchain domains, which can be used to facilitate metaverse payments and to direct users to blockchain content, such as websites and decentralized applications. Given the accelerating adoption of blockchain domains along with limited dispute resolution recourse available, we strongly encourage businesses to consider securing intellectual property rights now.
  3. Establish a dedicated legal entity. Businesses may want to consider setting up a new subsidiary or affiliate to hold digital assets, shield other parts of their business from metaverse-related liability, and isolate the potential tax consequences.
  4. Take custody of digital assets. Because of their digital character, digital assets such as cryptocurrency, which may be the primary method of payment in the metaverse, are uniquely vulnerable to loss and theft. Before acquiring cryptocurrency, businesses will need to set up a secure blockchain wallet and adopt appropriate access and security controls.
  5. Protect and enforce your IP. The decentralized nature of the metaverse poses a significant challenge to businesses and intellectual property owners. Avenues for enforcing intellectual property rights in the metaverse are constantly evolving and may require multiple tools to stop third-party infringements.
  6. Reserve metaverse rights. Each Business that licenses its IP, particularly those that do so on a geographic or territorial basis, should review existing license agreements to determine what rights, if any, its licensees have for metaverse-related uses. Moving forward, each brand owner is encouraged to expressly reserve rights for metaverse-related uses and exercise caution before authorizing any third party to deploy IP to the metaverse on a business’ behalf.
  7. Tax matters. Attention needs to be paid to how the tax law applies to metaverse transactions, despite the current tax law not fully addressing the metaverse. This is particularly the case for state and local sales and use, communications, and hotel taxes.

Ready to Enter?

As we move into the future, the metaverse appears poised to provide a tremendous opportunity for the hospitality industry to connect directly with consumers in an interactive way that was until recently considered science fiction. But like every new frontier, technological or otherwise, there are legal and regulatory hurdles to consider and overcome.

Article By Charles B. Ferguson, Jr. and Kimberly A. Wachen of ArentFox Schiff LLP

For more technology legal news, click here to visit the National Law Review.

© 2022 ArentFox Schiff LLP

Comparing and Contrasting the State Laws: Does Pseudonymized Data Exempt Organizations from Complying with Privacy Rights?

Some organizations are confused as to the impact that pseudonymization has (or does not have) on a privacy compliance program. That confusion largely stems from ambiguity concerning how the term fits into the larger scheme of modern data privacy statutes. For example, aside from the definition, the CCPA only refers to “pseudonymized” on one occasion – within the definition of “research” the CCPA implies that personal information collected by a business should be “pseudonymized and deidentified” or “deidentified and in the aggregate.”[1] The conjunctive reference to research being both pseudonymized “and” deidentified raises the question whether the CCPA lends any independent meaning to the term “pseudonymized.” Specifically, the CCPA assigns a higher threshold of anonymization to the term “deidentified.” As a result, if data is already deidentified it is not clear what additional processing or set of operations is expected to pseudonymize the data. The net result is that while the CCPA introduced the term “pseudonymization” into the American legal lexicon, it did not give it any significant legal effect or status.

Unlike the CCPA, the pseudonymization of data does impact compliance obligations under the data privacy statutes of Virginia, Colorado, and Utah. As the chart below indicates, those statutes do not require that organizations apply access or deletion rights to pseudonymized data, but do imply that other rights (e.g., opt out of sale) do apply to such data. Ambiguity remains as to what impact pseudonymized data has on rights that are not exempted, such as the right to opt out of the sale of personal information. For example, while Virginia does not require an organization to re-identify pseudonymized data, it is unclear how an organization could opt a consumer out of having their pseudonymized data sold without reidentification.

ENDNOTES

[1] Cal. Civ. Code § 1798.140(ab)(2) (West 2021). It should be noted that the reference to pseudonymizing and deidentifying personal information is found within the definition of the word “Research,” as such it is unclear whether the CCPA was attempting to indicate that personal information will not be considered research unless it has been pseudonymized and deidentified, or whether the CCPA is mandating that companies that conduct research must pseudonymize and deidentify. Given that the reference is found within the definition section of the CCPA, the former interpretation seems the most likely intent of the legislature.

[2] The GDPR does not expressly define the term “sale,” nor does it ascribe particular obligations to companies that sell personal information. Selling, however, is implicitly governed by the GDPR as any transfer of personal information from one controller to a second controller would be considered a processing activity for which a lawful purpose would be required pursuant to GDPR Article 6.

[3] Va. Code 59.1-577(B) (2022).

[4] Utah Code Ann. 13-61-303(1)(a) (2022).

[5] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-573(A)(1) through (4)

[6] C.R.S. 6-1-1307(3) (2022) (exempting compliance with C.R.S. Section 6-1-1306(1)(b) to (1)(e)).

[7] Utah Code Ann. 13-61-303(1)(c) (exempting compliance with Utah Code Ann. 13-61-202(1) through (3)).

[8] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-573(A)(1) through (4)

[9] C.R.S. 6-1-1307(3) (2022) (exempting compliance with C.R.S. Section 6-1-1306(1)(b) to (1)(e)).

[10] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-573(A)(1) through (4)

[11] C.R.S. 6-1-1307(3) (2022) (exempting compliance with C.R.S. Section 6-1-1306(1)(b) to (1)(e)).

[12] Utah Code Ann. 13-61-303(1)(c) (exempting compliance with Utah Code Ann. 13-61-202(1) through (3)).

[13] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-574).

[14] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-574).

Article By David A. Zetoony of Greenberg Traurig, LLP

For more data privacy and cybersecurity legal news, click here to visit the National Law Review.

©2022 Greenberg Traurig, LLP. All rights reserved.

Alabama Enacts New Telemedicine Law

Alabama Governor Kay Ivey recently signed SB 272 into law, setting forth telemedicine practice standards and abolishing Alabama’s previous “special purpose license” that allowed physicians licensed in other states to practice across state lines into Alabama. The law is effective July 11, 2022.

The law creates a new article in the Code of Alabama (Sections 34-24-701 through 34-24-707 of Chapter 24, Title 34). The statutory language is lengthy, but the key provisions are summarized below.

Medical License

Unless the physician meets an exception to licensure (e.g., peer-to-peer consultations, irregular or infrequent services), a physician must obtain either a full Alabama medical license or a license via the Interstate Medical Licensure Compact in order to provide “telehealth medical services” to a patient located in Alabama.

  • Telehealth medical services means “[d]igital health, telehealth, telemedicine, and the applicable technologies and devices used in the delivery of telehealth. The term does not include incidental communications between a patient and a physician.
  • The term “irregular or infrequent” services refers to “telehealth medical services” occurring less than 10 days in a calendar year or involving fewer than 10 patients in a calendar year.

Defined Terms and Allowable Modalities

  • Telehealth is defined as “[t]he use of electronic and telecommunications technologies, including devices used for digital health, asynchronous and synchronous communications, or other methods, to support a range of medical care and public health services.”
  • Telemedicine is defined as “[a] form of telehealth referring to the provision of medical services by a physician at a distant site to a patient at an originating site via asynchronous or synchronous communications, or other devices that may adequately facilitate and support the appropriate delivery of care.” The term includes digital health, but does not include incidental communications between a patient and a physician.
  • Digital Health is defined as “[t]he delivery of health care services, patient education communications, or public health information via software applications, consumer devices, or other digital media.”
  • Asynchronous is defined as “[t]he electronic exchange of health care documents, images, and information that does not occur in real time, including, but not limited to, the collection and transmission of medical records, clinical data, or laboratory results.”
  • Synchronous is defined as “[t]he real-time exchange of medical information or provision of care between a patient and a physician via audio/visual technologies, audio only technologies, or other means.”

Physician-Patient Relationship

A physician-patient relationship may be formed via telehealth without a prior in-person exam.

Telemedicine Prescribing of Medications and Controlled Substances

A practitioner may prescribe a legend drug, medical supplies, or a controlled substance to a patient via telehealth. However, a prescription for a controlled substance may only be issued if:

  1. The telehealth visit includes synchronous audio or audio-visual communication using HIPAA compliant equipment;
  2. The practitioner has had at least one in-person encounter with the patient within the preceding 12 months; and
  3. The practitioner has established a legitimate medical purpose for issuing the prescription within the preceding 12 months.

In-Person Visit for Unresolved Medical Condition

If a physician or practice group provides telehealth medical services more than 4 times in a 12-month period to the same patient for the same medical condition without resolution, the physician must either see the patient in-person within 12 months or refer the patient to a physician who can provide the in-person care within 12 months. This in-person visit requirement does not apply to the provision of mental health services.

The Alabama Board of Medical Examiners and the Alabama Medical Licensure Commission are currently developing administrative rules in accordance with the new law.

Article By Kristen A. Murphy and Jacqueline N. Acosta of Foley & Lardner LLP

For more health law legal news, click here to visit the National Law Review.

© 2022 Foley & Lardner LLP

SEC Targets Companies Conducting Cryptomining

The SEC recently doubled the size of its Crypto Assets and Cyber Unit.  Since its inception in 2017, the SEC’s Crypto Assets and Cyber Unit has launched more than 80 investigations resulting in over $2 billion in monetary penalties.  With more dedicated investigative attorneys, trial counsel, and fraud analysts, the SEC’s cryptocurrency-related investigations are expected to substantially rise in the months and years ahead.

The tip of the spear will include the areas that the SEC said would be its focus moving forward:

  • crypto asset offerings
  • crypto asset exchanges
  • crypto asset lending and staking products
  • decentralized finance (DeFi) platforms
  • non-fungible tokens (NFTs); and
  • stablecoins

View SEC press release here.

Given the heightened scrutiny, however, even companies outside of the traditional cryptocurrency industry may find themselves subject to enforcement actions and penalties.  For example, the SEC recently announced that it reached a $5.5 million settlement with technology company NVIDIA Corporation for the company’s alleged failure to disclose on its Form 10-Q for fiscal year 2018 that cryptomining was a significant element of its revenue growth. View release here.

NVIDIA is not a cryptocurrency-related company, but rather is a technology company that markets and sells accelerated computing technologies, including graphics processing units (GPUs) for PC gaming, the company’s largest specialized market.  The SEC alleged that, as interest in cryptocurrencies began to increase in 2017, NVIDIA customers increasingly began using gaming GPUs for cryptomining of Ether (ETH), which rose in price from under $10 to nearly $800 between 2017 and 2018.

In its Form 10-Q for fiscal year 2018, despite knowledge (discerned by the SEC from internal company documents and communications) of cryptomining as a significant driver of its GPU sales growth in its gaming division, the SEC alleged that NVIDIA failed to disclose that this growth was largely driven by demand for gaming GPUs to use in cryptomining.  The SEC further alleged that this failure to disclose misled investors about the growth of NVIDIA’s gaming business in violation of Section 17(a)(2) and (3) of the Securities Act of 1933 and the disclosure provisions of the Securities Exchange Act of 1934.

As the SEC steps up its cryptocurrency related investigation and enforcement actions, publicly traded companies must exercise increased diligence in disclosure of activities that touch cryptocurrency assets.   Even internal dialogue about revenues or other disclosable material that touches cryptocurrencies, as happened to NVIDIA, could subject companies to increased scrutiny and significant monetary penalties.

Copyright ©2022 Nelson Mullins Riley & Scarborough LLP
For more articles about cryptomining, visit the NLR Financial Institutions & Banking section.