Category: Internet

OIG: Telehealth “Critical” to Maintaining Access to Care Amidst COVID-19

The federal Office of Inspector General (OIG) recently published a report (OIG Report) as part of a series of analyses of the expansion and utilization of telehealth in response to the COVID-19 public health emergency.  In its report, the OIG concludes that telehealth was “critical for providing services to Medicare beneficiaries during the first year of the pandemic” and that the utilization of telehealth “demonstrates the long-term potential of telehealth to increase access to health care for beneficiaries.” The OIG’s conclusions are notable because they come at a time when policymakers and health care stakeholders are determining whether and how to make permanent certain expansions of telehealth for patients nationwide.

The OIG Report is based on Medicare claims and encounter data from the “first” year of the pandemic (March 1, 2020 through February 28, 2021) as compared to data for the immediately preceding year (March 1, 2019 through February 29, 2020). Per the OIG Report, the OIG observed that approximately 43% of Medicare beneficiaries used telehealth during the first year of the pandemic, and that office visits were the most common telehealth encounter for those patients. The telehealth utilization data showed an 88-fold increase over the utilization of telehealth services for the prior year, which in part reflects the significant limitations on telehealth reimbursement under Medicare prior to COVID-19, in addition to the significant regulatory expansion of telehealth at the federal and state levels in response to COVID-19.

Interestingly, the OIG Report states that beneficiaries enrolled in a Medicare Advantage plan “were more likely to use telehealth” than Medicare fee-for-service beneficiaries, and that “CMS’s temporary policy changes enabled the monumental growth in the use of telehealth in multiple ways,” including by expanding the permissible patient locations, and the types of services that could be provided via telehealth. In addition, the OIG indicated that the use of telehealth for behavioral health services by beneficiaries “stands out” because of the higher incidence of beneficiaries accessing those services via telehealth, which may in turn influence policymaking and increase access to critical behavioral health care services.

Finally, the OIG Report notably includes a footnote which indicates that a separate report on “Program Integrity Risks” is forthcoming, which may shed light on corresponding compliance concerns that have arisen in connection with the significant expansion of telehealth in response to COVID-19.

Article By Conor O. Duffy of Robinson & Cole LLP

For more health law legal news, click here to visit the National Law Review.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

Google to Launch Google Analytics 4 in an Attempt to Address EU Privacy Concerns

On March 16, 2022, Google announced the launch of its new analytics solution, “Google Analytics 4.” Google Analytics 4 aims, among other things, to address recent developments in the EU regarding the use of analytics cookies and data transfers resulting from such use.

Background

On August 17, 2020, the non-governmental organization None of Your Business (“NOYB”) filed 101 identical complaints with 30 European Economic Area data protection authorities (“DPAs”) regarding the use of Google Analytics by various companies. The complaints focused on whether the transfer of EU personal data to Google in the U.S. through the use of cookies is permitted under the EU General Data Protection Regulation (“GDPR”), following the Schrems II judgment of the Court of Justice of the European Union. Following these complaints, the French and Austrian DPAs ruled that the transfer of EU personal data from the EU to the U.S. through the use of the Google Analytics cookie is unlawful.

Google’s New Solution

According to Google’s press release, Google Analytics 4 “is designed with privacy at its core to provide a better experience for both our customers and their users. It helps businesses meet evolving needs and user expectations, with more comprehensive and granular controls for data collection and usage.”

The most impactful change from an EU privacy standpoint is that Google Analytics 4 will no longer store IP address, thereby limiting the data transfers resulting from the use of Google Analytics that were under scrutiny in the EU following the Schrems II ruling. It remains to be seen whether this change will ease EU DPAs’ concerns about Google Analytics’ compliance with the GDPR.

Google’s previous analytics solution, Universal Analytics, will no longer be available beginning July 2023. In the meantime, companies are encouraged to transition to Google Analytics 4.

Read Google’s press release.

Article By Privacy and Cybersecurity Practice Group at Hunton Andrews Kurth

For more cybersecurity legal news, click here to visit the National Law Review. 

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Congress Grants Five Month Extension for Telehealth Flexibilities

On Tuesday, March 16, 2022, President Biden signed into law H.R. 2471, the Consolidated Appropriations Act, 2022 (“2022 CAA”). This new law includes several provisions that extend the Medicare telehealth waivers and flexibilities, implemented as a result of COVID-19 to facilitate access to care, for an additional 151 days after the end of the Public Health Emergency (“PHE”). This equates to about a five-month period.

The 2022 CAA extension captures most of the core PHE telehealth flexibilities authorized as part of Medicare’s pandemic response, including the following:

  • Geographic Restrictions and Originating Sites: During the extension, Medicare beneficiaries can continue to receive telehealth services from anywhere in the country, including their home. Medicare is permitting telehealth services to be provided to patients at any site within the United States, not just qualifying zip codes or locations (e.g. physician offices/facilities).
  • Eligible Practitioners: Occupational therapists, physical therapists, speech-language pathologists, and qualified audiologists will continue to be able to furnish and receive payment for telehealth services as eligible distant site practitioners during the extension period.
  • Mental Health:  In-person requirements for certain mental health services will continue to be waived through the 151-day extension period.
  • Audio-Only Telehealth Services: Medicare will continue to provide coverage and payment for most telehealth services furnished using audio-only technology. This includes professional consultations, office visits, and office psychiatry services (identified as of July 1, 2000 by HCPCS Codes 99241-99275, 99201-99215, 90804-90809 and 90862) and any other services added to the telehealth list by the CMS Secretary for which CMS has not expressly required the use of real-time, interactive audio-visual equipment during the PHE.

Additionally, the 2022 CAA allocates $62,500,000 from the federal budget to be used for grants for telemedicine and distance learning services in rural areas. Such funds may be used to finance construction of facilities and systems providing telemedicine services and distance learning services in qualified “rural areas.”

Passage of the 2022 CAA is a substantial step in the right direction for stakeholders hoping to see permanent legislative change surrounding Medicare telehealth reimbursement.

Article By Joelle M. Wilson and Laura Little of Polsinelli PC

For more health law legal news, click here to visit the National Law Review.

© Polsinelli PC, Polsinelli LLP in California

Law Firms Respond to Russia’s Invasion of Ukraine: How the Legal Industry & the Public Can Help

On February 21, 2022, Russian President Vladimir Putin ordered ground troops into the eastern Ukrainian provinces of Donetsk and Luhansk. Invading under the guise of establishing independence for the region on February 24, Russia started bombing key points of interest around the country, including the capital city of Kyiv. At the time of writing, the skirmishes remain ongoing, with Russia expanding its invasion force as the days go on.

The ramifications of Russia’s war are widespread. In Ukraine, infrastructural damage is considerable, an estimated 2 million civilians are evacuating or have been driven from their homes. The death toll remains uncertain at this time, but the Ukrainian health ministry estimates that hundreds of citizens have been killed as a result of the violence. Globally, financial markets are in a state of rapid flux, seeing huge rises in inflation, a strained supply chain and plummeting stock prices.

Law firms in the United States and abroad have responded to the conflict by offering pro bono services in anticipation of resultant legal complications and organized means by which money can be donated to Ukrainian humanitarian efforts.

How Have Law Firms Responded to Russia’s Invasion of Ukraine?

In some instances, firms have also closed offices in Ukraine to protect workers, and severed ties with Russian businesses. Law firms that have closed offices in Ukraine include Dentons, CMS and Baker McKenzie, which have closed offices in Kyiv.

“Dentons has established a taskforce to monitor and manage the crisis situation, with a primary focus on protecting our people,”  Tomasz Dąbrowski, CEO of Dentons Europe, told the National Law Review“We are in regular contact with our team in Kyiv and are providing our colleagues and their families with any possible assistance, including transport, relocation and accommodation assistance in the neighboring countries. Furthermore, we have seen a wave of kindness and generosity from our people across Europe, who have volunteered to provide accommodation in their homes for Ukrainian colleagues.  Furthermore, in addition to the financial support our Firm is providing to our Ukrainian colleagues, we have also received financial donations from around the world to help them resettle.”

Many law firms have announced they are closing offices in Russia, including Squire Patton Boggs, Latham & Watkins Freshfields Bruckhaus Deringer, Akin Gump Strauss Hauer & Feld and Morgan Lewis & Bockius, among others. Norton Rose Fulbright announced March 7 that they are winding down their operations in Russia and will be closing their Moscow office as soon as they can, calling Russia’s invasion of Ukraine “increasingly brutal.”

“The wellbeing of our staff in the region is a priority. We thank our 50 colleagues in Moscow for their loyal service and will support them through this transition.”

Norton Rose Fulbright said they “stand unequivocally with the people of Ukraine,” and are taking steps to respond to the invasion.

“Some immediate actions are possible and we are taking them. We are not accepting any further instructions from businesses, entities or individuals connected with the current Russian regime, irrespective of whether they are sanctioned or not. In addition, we continue to review exiting from existing work for them where our professional obligations as lawyers allow. Where we cannot exit from current matters, we will donate the profits from that work to appropriate humanitarian and charitable causes,” the statement read. “We are working with our charitable partners in every region to raise funds to help the people of Ukraine, as well as providing pro bono support to those Ukrainians and others who are being forced to relocate.”

Law firms have also stepped forward to offer pro bono assistance to those affected by the Russian invasion of Ukraine.

Law Firms Offering Pro Bono Assistance to Ukraine

Akin Gump Partner and Pro Bono Practice leader Steven Schulman explained how the legal industry is collaborating and working to provide assistance:

“So what we often do in these crises, we will self organize, [and] say who’s a point person who knows what’s going on, and then we will share information so that again, we’re lightening the load on the legal aid organizations.”

Another law firm offering assistance to Ukraine is  Covington & Burling, which the country hired to help pursue its claim against  Russia at the International Court of Justice (ICJ). Specifically, Ukraine asked the court to order Russia to halt its invasion. Covington filed a claim on behalf of Ukraine to the ICJ.

Nongovernmental organizations (NGOs) are providing emergency aid in Ukraine, as well as in neighboring countries, such as Poland, Hungary, Slovakia and Romania to help people displaced by the war as they come across the border, Mr.Dąbrowski said. These organizations are providing food, water, hygiene supplies and other necessities, and urgent psychological counseling. Specific NGOs on the ground in Ukraine include Mercy CorpsFight for Right, Project HOPEHungarian Helsinki Committee, and  Fundacja Ocalenieamong others.

However, NGOs need cash donations in order to keep providing aid. Mr.Dąbrowski detailed what pro bono work Dentons is doing, and how the firm is supporting NGOs:

“Our Positive Impact team is in touch with numerous NGOs and lawyers from our firm to identify opportunities for pro bono legal advice, mainly in the countries which share a border with Ukraine.  We are already working with NGOs in Poland and Hungary which are helping Ukrainian refugees displaced by the war. We are assisting with issues related to employment law, contracts, establishment of charitable foundations, etc… We are also in discussions with an international relief agency which is looking to set up operations within Ukraine.

While men between the ages of 18 and 60 are currently prohibited from leaving Ukraine, as of March 10, 2022, the conflict has created one of the largest refugee crises within the last few decades.

“We have activated our registered charitable foundation to collect donations from our people around the world to support Ukrainian families – and particularly children –  displaced by the war, including some of our own people from Kyiv.  So far, our colleagues from around the world have donated or pledged close to €300,000,” Mr.Dąbrowski said. “We have already distributed €60,000 of that to eight NGOs in Poland, Hungary and Romania, which are providing emergency aid, food and water, hygiene supplies, transportation, medical and psychological care, shelter and schooling to Ukrainian civilians fleeing from the war”

Concerns with immigration and refugee asylum is the next expected complication. In the short-term, the Department of Homeland Security is prioritizing Temporary Protected Status (TPS) designations for those already in the U.S.

For the public, there are a number of actions to take to support Ukrainians. However, those wishing to help should make sure to do their research before making any donations in order to ensure the funds end up in the right hands.

How Can Members of the Public Help Ukraine?

Possible scam organizations and outreach programs are common during international crises, so it’s important to know the signs of fraudulent charities. Some best practices for providing support include:

  • Giving directly to an organization rather than through shared donation links on social media

  • Being wary of crowdfunding efforts

  • Doing a background check on an organization and its donation claims using Charity WatchGive.org, and Charity Navigator.

Some examples of charitable organizations focused on Ukraine relief include:

Informational resources for those affected are provided below:

Conclusion

Law firms and the public alike have stepped up to offer assistance and financial help to those most affected by the Russian invasion. Law firms cutting ties with Russian businesses and closing offices in Russia shows that the legal industry is standing behind Ukraine as the conflict continues to escalate.

In upcoming coverage, the National Law Review will be writing about how law firms are helping clients handle Russian sanctions, as well as the immigration implications of refugees displaced by the war in Ukraine.

*The quotes and input of interviewees reflect the latest information on the Russian invasion of Ukraine as of March 7, 2022. Readers can find the latest legal news from around the world on The National Law Review’s Global Law page.*

Article By Chandler Ford, Jessica Scheck, and Rachel Popa of the The National Law Review / The National Law Forum LLC

Copyright ©2022 National Law Forum, LLC

Chinese APT41 Attacking State Networks

Although we are receiving frequent alerts from CISA and the FBI about the potential for increased cyber threats coming out of Russia, China continues its cyber threat activity through APT41, which has been linked to China’s Ministry of State Security. According to Mandiant, APT41 has launched a “deliberate campaign targeting U.S. state governments” and has successfully attacked at least six state government networks by exploiting various vulnerabilities, including Log4j.

According to Mandiant, although the Chinese-based hackers are kicked out of state government networks, they repeat the attack weeks later and keep trying to get in to the same networks via different vulnerabilities (a “re-compromise”). One such successful vulnerability that was utilized is the USAHerds zero-day vulnerability, which is a software that state agriculture agencies use to monitor livestock. When the intruders are successful in using the USAHerds vulnerability to get in to the network, they can then leverage the intrusion to migrate to other parts of the network to access and steal information, including personal information.

Mandiant’s outlook on these attacks is sobering:

“APT41’s recent activity against U.S. state governments consists of significant new capabilities, from new attack vectors to post-compromise tools and techniques. APT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability. The group also demonstrates a willingness to retool and deploy capabilities through new attack vectors as opposed to holding onto them for future use. APT41 exploiting Log4J in close proximity to the USAHerds campaign showed the group’s flexibility to continue targeting U.S state governments through both cultivated and co-opted attack vectors. Through all the new, some things remain unchanged: APT41 continues to be undeterred by the U.S. Department of Justice (DOJ) indictment in September 2020.

Both Russia and China continue to conduct cyber-attacks against both private and public networks in the U.S. and there is no indication that the attacks will subside anytime soon.

Article By Linn F. Freedman of Robinson & Cole LLP

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

US Crypto Regulatory Enforcement Ramps Up – NFTs Now More in Focus

For the past decade the crypto space has been described as the wild west. The crypto cowboys and cowgirls have innovated and moved the industry forward, despite some regulatory certainty. Innovation always leads regulatory clarity. There’s a new sheriff in crypto town – the US government and its various regulatory agencies. They seem intent on taming the wild west.

According to a recent report, the IRS Has Sent 10,000 Letters on Taxpayer Digital Assets seeking to collect taxes on gains from crypto assets including NFTs. This is no surprise and we have cautioned on this dating back to 2017. While many people have focused on the tax issues with crypto currencies, the IRS is also focusing on NFTs as reported here.

This comes on the heels of another report this week that the SEC is now targeting certain NFT uses. According to the report, the SEC is probing whether NFTs are being utilized to raise money like traditional securities. The SEC has reportedly sent subpoenas related to the investigation and is particularly interested in information about fractional NFTs. As we discussed here, fractionalization is just one of the potential securities law concerns with certain NFT business models. NFTs that represent a right to a revenue stream and NFT presales can also presents issues in some cases.

Other recent regulatory activity relating to NFTs includes the following. The Department of the Treasury published a study on the facilitation of money laundering and terrorist financing through the art trade, including NFTs. See our report on this here.  The Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned a Latvia-based digital asset exchange and designated 57 cryptocurrency addresses (associated with digital wallets) as Specially Designated Nationals (SDNs). These designations appear to be the first time NFTs have been publicly impacted as “blocked property” – as one of the designated cryptocurrency addresses owns non-fungible tokens (NFTs). See our report on this here. A number of NFTs are also being used to facilitate illegal gambling.

In addition to the regulatory issues, the number of NFT-related lawsuits and other legal disputes continues to increase. Many of these disputes relate to IP ownership, IP infringement, failure to apply an clear or enforceable license to the NFT, among others.

Most of these issues are avoidable with proper legal counseling early on.

The use of NFT technology to tokenized and record ownership of physical and digital assets, as well as entitlements (e.g., tickets, access, etc.) is just getting started. We believe this technology will see wide scale adoption across many industries. The vast majority of the NFT business models are legal.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.
For more about cryptocurrency regulations, visit the NLR Cybersecurity, Media & FCC section.

GDPR Privacy Rules: The Other Shoe Drops

Four years after GDPR was implemented, we are seeing the pillars of the internet business destroyed. Given two new EU decisions affecting the practical management of data, all companies collecting consumer data in the EU are re-evaluating their business models and will soon be considering wholesale changes.

On one hand, the GDPR is creating the world its drafters intended – a world where personal data is less of a commodity exploited and traded by business. On the other hand, GDPR enforcement has taken the form of a wrecking ball, leading to data localization in Europe and substitution of government meddling for consumer choice.

For years we have watched the EU courts and enforcement agencies apply GDPR text to real-life cases, wondering if the legal application would be more of a nip and tuck operation on ecommerce or something more bloody and brutal. In 2022, we received our answer, and the bodies are dropping.

In January Austrian courts decided that companies can’t use Google Analytics to study their own site’s web traffic. The same conclusion was reached last week by French regulators. While Google doesn’t announce statistics about product usage, website tracker BuiltWith published that 29.3 million websites use Google Analytics, including 69.5 percent of Quantcast’s Top 10,000 sites, and that is more than ten times the next most popular option. So vast numbers of companies operating in Europe will need to change their platform analytics provider – if the Euro-crats will allow them to use site analytics at all.

But these decisions were not based on the functionality of Google Analytics, a tool that does not even capture personally identifiable information – no names, no home or office address, no phone numbers. Instead, these decisions that will harm thousands of businesses were a result of the Schrems II decision, finding fault in the transfer of this non-identifiable data to a company based in the United States. The problem here for European decision-makers is that US law enforcement may have access to this data if courts allow them. I have written before about this illogical conclusion and won’t restate the many arguments here, other than to say that EU law enforcement behaves the same way.

The effects of this decision will be felt far beyond the huge customer base of Google Analytics.  The logic of this decision effectively means that companies collecting data from EU citizens can no longer use US-based cloud services like Amazon Web Services, IBM, Google, Oracle or Microsoft. I would anticipate that huge cloud player Alibaba Cloud could suffer the same proscription if Europe’s privacy panjandrums decide that China’s privacy protection is as threatening as the US.

The Austrians held that all the sophisticated measures taken by Google to encrypt analytic data meant nothing, because if Google could decrypt it, so could the US government. By this logic, no US cloud provider – the world’s primary business data support network – could “safely” hold EU data. Which means that the Euro-crats are preparing to fine any EU company that uses a US cloud provider. Max Schrems saw this decision in stark terms, stating, “The bottom line is: Companies can’t use US cloud services in Europe anymore.”

This decision will ultimately support the Euro-crats’ goal of data localization as companies try to organize local storage/processing solutions to avoid fines. Readers of this blog have seen coverage of the EU’s tilt toward data localization (for example, here and here) and away from the open internet that European politicians once held as the ideal. The Euro-crats are taking serious steps toward forcing localized data processing and cutting US businesses out of the ecommerce business ecosystem. The Google Analytics decision is likely to be seen as a tipping point in years to come.

In a second major practical online privacy decision, earlier this month the Belgian Data Protection Authority ruled that the Interactive Advertising Bureau Europe’s Transparency and Consent Framework (TCF), a widely-used technical standard built for publishers, advertisers, and technology vendors to obtain user consent for data processing, does not comply with the GDPR. The TCF allows users to accept or reject cookie-based advertising, relieving websites of the need to create their own expensive technical solutions, and creating a consistent experience for consumers. Now the TCF is considered per-se illegal under EU privacy rules, casting thousands of businesses to search for or design their own alternatives, and removing online choices for European residents.

The Belgian privacy authority reached this conclusion by holding that the Interactive Advertising Bureau was a “controller” of all the data managed under its proposed framework. As stated by the Center for Data Innovation, this decision implies “that any good-faith effort to implement a common data protection protocol by an umbrella organization that wants to uphold GDPR makes said organization liable for the data processing that takes place under this protocol.” No industry group will want to put itself in this position, leaving businesses to their own devices and making ecommerce data collection much less consistent and much more expensive – even if that data collection is necessary to fulfill the requests of consumers.

For years companies thought that informed consumer consent would be a way to personalize messaging and keep consumer costs low online, but the EU has thrown all online consent regimes into question. EU regulators have effectively decided that people can’t make their own decisions about allowing data to be collected. If TCF – the consent system used by 80% of the European internet and a system designed specifically to meet the demands of the GDPR – is now illegal, then, for a second time in a month, all online consumer commerce is thrown into confusion. Thousands were operating websites with TCF and Google Analytics, believing they were following the letter of the law.  That confidence has been smashed.

We are finally seeing the practical effects of the GDPR beyond its simple utility for fining US tech companies.  Those effects are leading to a closed-border internet around Europe and a costlier, less customizable internet for EU citizens. The EU is clearly harming businesses around the world and making its internet a more cramped place. I have trouble seeing the logic and benefit of these decisions, but the GDPR was written to shake the system, and privacy benefits may emerge.

Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved.
For more articles about international privacy, visit the NLR Cybersecurity, Media & FCC section.

Fitness App Agrees to Pay $56 Million to Settle Class Action Alleging Dark Pattern Practices

On February 14, 2022, Noom Inc., a popular weight loss and fitness app, agreed to pay $56 million, and provide an additional $6 million in subscription credits to settle a putative class action in New York federal court. The class is seeking conditional certification and has urged the court to preliminarily approve the settlement.

The suit was filed in May 2020 when a group of Noom users alleged that Noom “actively misrepresents and/or fails to accurately disclose the true characteristics of its trial period, its automatic enrollment policy, and the actual steps customer need to follow in attempting to cancel a 14-day trial and avoid automatic enrollment.” More specifically, users alleged that Noom engaged in an unlawful auto-renewal subscription business model by luring customers in with the opportunity to “try” its programs, then imposing significant barriers to the cancellation process (e.g., only allowing customers to cancel their subscriptions through their virtual coach), resulting in the customers paying a nonrefundable advance lump-sum payment for up to eight (8) months at a time. According to the proposed settlement, Noom will have to substantially enhance its auto-renewal disclosures, as well as require customers to take a separate action (e.g., check box or digital signature) to accept auto-renewal, and provide customers a button on the customer’s account page for easier cancellation.

Regulators at the federal and state level have recently made clear their focus on enforcement actions against “dark patterns.” We previously summarized the FTC’s enforcement policy statement from October 2021 warning companies against using dark patterns that trick consumers into subscription services. More recently, several state attorneys general (e.g., in Indiana, Texas, the District of Columbia, and Washington State) made announcements regarding their commitment to ramp up enforcement work on “dark patterns” that are used to ascertain consumers’ location data.

Article By: Privacy and Cybersecurity Practice Group at Hunton Andrews Kurth

For more cybersecurity legal news, click here to visit the National Law Review.
 
Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

FBI and DHS Warn of Russian Cyberattacks Against Critical Infrastructure

U.S. officials this week warned government agencies, cybersecurity personnel, and operators of critical infrastructure that Russia might launch cyber-attacks against Ukrainian and U.S. networks at the same time it launches its military offensive against Ukraine.

The FBI and the Department of Homeland Security (DHS) warned law enforcement, military personnel, and operators of critical infrastructure to be vigilant in searching for Russian activity on their networks and to report any suspicious activity, as they are seeing an increase in Russian scanning of U.S. networks. U.S. officials are also seeing increased disinformation and misinformation generated by Russia about Ukraine.

The FBI and DHS urged timely patching of systems and reporting of any Russian activity on networks, so U.S. officials can assess the threat, assist with a response, and prevent further activity.

For more information on cyber incident reporting, click here.

Even though a war may be starting halfway across the world, Russia’s cyber capabilities are global. Russia has the capability to bring us all into its war by attacking U.S. government agencies and companies. We are all an important part of preventing attacks and assisting others from becoming a victim of Russia’s attacks. Closely watch your network for any suspicious activity and report it, no matter how small you think it is.

Article By Linn F. Freedman of Robinson & Cole LLP

For more cybersecurity legal news, click here to visit the National Law Review. 

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

Texas AG Sues Meta Over Collection and Use of Biometric Data

On February 14, 2022, Texas Attorney General Ken Paxton brought suit against Meta, the parent company of Facebook and Instagram, over the company’s collection and use of biometric data. The suit alleges that Meta collected and used Texans’ facial geometry data in violation of the Texas Capture or Use of Biometric Identifier Act (“CUBI”) and the Texas Deceptive Trade Practices Act (“DTPA”). The lawsuit is significant because it represents the first time the Texas Attorney General’s Office has brought suit under CUBI.

The suit focuses on Meta’s “tag suggestions” feature, which the company has since retired. The feature scanned faces in users’ photos and videos to suggest “tagging” (i.e., identify by name) users who appeared in the photos and videos. In the complaint, Attorney General Ken Paxton alleged that Meta,  collected and analyzed individuals’ facial geometry data (which constitutes biometric data under CUBI) without their consent, shared the data with third parties, and failed to destroy the data in a timely matter, all in violation of CUBI and the DTPA. CUBI regulates the collection and use of biometric data for commercial purposes, and the DTPA prohibits false, misleading, or deceptive acts or practices in the conduct of any trade or commerce.

Among other forms of relief, the complaint seeks an injunction enjoining Meta from violating these laws, a $25,000 civil penalty for each violation of CUBI, and a $10,000 civil penalty for each violation of the DTPA. The suit follows Facebook’s $650 million class-action settlement over alleged violations of Illinois’ Biometric Privacy Act and the company’s discontinuance of the tag suggestions feature last year.

Article By Hunton Andrews Kurth’s Privacy and Cybersecurity Practice Group

For more privacy and cybersecurity legal news, click here to visit the National Law Review.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.