As the California Attorney General Focuses on Loyalty Programs, What Do Companies Need to Remember?

The California attorney general (AG) celebrated data privacy day by doing an “investigative sweep” of the loyalty programs of retailers, supermarkets, home improvement stores, travel companies, and food service companies, and sending out notices of non-compliance to businesses that the AG’s office believes might not be fully compliant with the CCPA. As the AG focuses its attention on loyalty programs, the following provides a reminder of the requirements under the CCPA.

What is a loyalty program?

Loyalty programs are structured in a variety of different ways. Some programs track dollars spent by consumers; others track products purchased. Some programs are free to participate in; others require consumers to purchase membership. Some programs offer consumers additional products; other programs offer prizes, money, or products from third parties. Although neither the CCPA nor the regulations implementing the CCPA define a “loyalty program,” as a practical matter most, if not all, loyalty programs have two things in common: (1) they collect information about consumers, and (2) they provide some form of reward in recognition of (or in exchange for) repeat purchasing patterns.[1]

What are the general obligations under the CCPA?

Because loyalty programs collect personal information about their members, if a business that sponsors a loyalty program is itself subject to the CCPA, then its loyalty program will also be subject to the CCPA. In situations in which the CCPA applies to a loyalty program, the following table generally describes the rights conferred upon a consumer in relation to the program:

Right | Applicability to Loyalty Program
Notice at collection | A loyalty program that collects personal information from its members should provide a notice at the point where information is being collected regarding the categories of personal information that will be collected and how that information will be used.[2]
Privacy notice | A loyalty program that collects personal information of its members should make a privacy notice available to its members.[3]
Access to information | A member of a loyalty program may request that a business disclose the “specific pieces of personal information” collected about them.[5]
Deletion of information | A member of a loyalty program may request that a business delete the personal information collected about them. That said, a company may be able to deny a request by a loyalty program member to delete information in their account based upon one of the exceptions to the right to be forgotten.
Opt-out of sale | A loyalty program that sells the personal information of its members should include a “do not sell” link on its homepage and permit consumers to opt-out of the sale of their information. To the extent that a consumer has directed the loyalty program to disclose their information to a third party (e.g., a fulfillment partner) it would not be considered a “sale” of information.
Notice of financial incentive | To the extent that a loyalty program qualifies as a “financial incentive” under the regulations implementing the CCPA (discussed below), a business should provide a “notice of financial incentive.”[4]

Are loyalty programs always financial incentive programs?

Whether a loyalty program constitutes a “financial incentive” program as that term is defined by the regulations implementing the CCPA depends on the extent to which the loyalty program’s benefits “relate to” the collection, retention, or sale of personal information.[6] While the California Attorney General has implied that all loyalty programs “however defined, should receive the same treatment as other financial incentives,” a strong argument may exist that for many loyalty programs the benefits provided are directly related to consumer purchasing patterns (i.e., repeat or volume purchases) and are not “related” to the collection of personal information.[7] If a particular loyalty program qualifies as a financial incentive program, a business should consider the following steps (in addition to the compliance obligations identified above):

  • Notify the consumer of the financial incentive.[8] The regulations implementing the CCPA specify that the financial incentive notice should contain the following information:
    • A summary of the financial incentive offered.[11] In the context of a loyalty program a description of the benefits that the consumer will receive as part of the program would likely provide a sufficient summary of the financial incentive.
    • A description of the material terms of the financial incentive.[12] The regulation specifies that the description should include the categories of personal information that are implicated by the financial incentive program and the “value of the consumer’s data.”[13]
    • How the consumer can opt-in to the financial incentive.[14] Information about how a consumer can opt-in (or join) a financial incentive program is typically conveyed when a consumer reviews an application to join or sign-up with the program.
    • How the consumer can opt-out, or withdraw, from the program.[15] This is an explanation as to how the consumer can invoke their right to withdraw from the program.[16]
    • An explanation of how the financial incentive is “reasonably related” to the value of the consumer’s data.[17] While the regulations state that a notice of financial incentive should provide an explanation as to how the financial incentive “reasonably relates” to the value of the consumer’s data, the CCPA requires only that a reasonable relationship exists if a business intends to discriminate against a consumer “because the consumer exercised any of the consumer’s rights” under the Act.[18] Where a business does not intend to use its loyalty program to discriminate against consumers that exercise CCPA-conferred privacy rights, it’s not clear whether this requirement applies. In the event that a reasonable relationship must be shown, however, the regulations require that a company provide a “good-faith estimate of the value of the consumer’s data that forms the basis” for the financial incentive and that the business provide a “description of the method” used to calculate that value.[19]
  • Obtain the consumer’s “opt in consent” to the “material terms” of the financial incentive,[9] and
  • Permit the consumer to revoke their consent “at any time.”[10]

FOOTNOTES

[1] FSOR Appendix A at 273 (Response 814) (including recognition from the AG that “loyalty programs” are not defined under the CCPA, and declining invitations to provide a definition through regulation).

[2] Cal. Civ. Code § 1798.100(a) (West 2021); Cal. Code Regs. tit. 11, 999.304(b), 305(a)(1) (2021).

[3] Cal. Code Regs. tit. 11, 999.304(a) (2021).

[5] Cal. Civ. Code § 1798.100(a).

[4] CAL. CODE REGS. tit. 11, 999.301(n); 304(d); 307(a), (b).

[6] CAL. CODE REGS. tit. 11, 999.301(j) (2021).

[7] FSOR Appendix A at 75 (Response 254).

[8] Cal. Civ. Code § 1798.125(b)(2) (West 2021).

[11] CAL. CODE REGS. tit. 11, 999.307(b)(1) (2021).

[12] CAL. CODE REGS. tit. 11, 999.307(b)(2) (2021).

[13] CAL. CODE REGS. tit. 11, 999.307(b)(2) (2021).

[14] CAL. CODE REGS. tit. 11, 999.307(b)(3) (2021).

[15] CAL. CODE REGS. tit. 11, 999.307(b)(4) (2021).

[16] Cal. Civ. Code § 1798.125(b)(3) (West 2021).

[17] CAL. CODE REGS. tit. 11, 999.307(b)(5) (2021).

[18] Cal. Civ. Code § 1798.125(a)(1), (2) (West 2021).

[19] CAL. CODE REGS. tit. 11, 999.307(b)(5)(a), (b) (2021).

[9] Cal. Civ. Code § 1798.125(b)(3) (West 2021).

[10] Cal. Civ. Code § 1798.125(b)(3) (West 2021).

©2022 Greenberg Traurig, LLP. All rights reserved.

Electrification of the Fleet is on the Horizon, Preparing Now is Key

While we often hear how EVs will revolutionize the lives of the average consumer, commercial fleet owners are starting to take note of the impact these new powertrain systems will have on their own business and operations. As OEMs find creative ways to increase aerodynamics, extend battery range, and increase charging speeds, the zero emissions and lower long-term cost of EVs compared to ICE (internal combustion engine) vehicles make a compelling argument for adoption, at least on paper. What really matters is how those factors play out as the rubber hits the road, which OEMs are starting to see play out in real time. Over the past few years, there has been an explosion of commercial fleet platforms from existing and new entrants in the commercial vehicle space. From light to heavy trucking to fleet platform automobiles, EV technology is looking to capture every corner of the commercial fleet sector. Coupled with a slow reduction in the number of ICE vehicles produced in future years, the market may start pushing fleet operations towards EVs, whether they like it or not.

According to the Department of Transportation, over eight million vehicles made up commercial fleets in the US in 2020, which includes a mix of trucks and automobiles used in commercial and government operations. Even more make up commercial vehicles on the road that are not considered part of a fleet. As consumer demand drives most traditional OEMs toward EV dominated fleets, commercial fleet owners and operators need to start to prepare now for the same shift in their vehicle suppliers, or risk playing catchup once the market does turn from ICE to EV. This isn’t to say that failure to be an early adopter will be the death-knell to commercial fleet businesses; it likely won’t be. What businesses with commercial fleets should consider is their own business needs and their timeline for their own fleet replacement as EV technology and infrastructure support continues to evolve. Establishing a process and plan for upgrading existing fleets, training personnel, upgrading infrastructure, and understanding available programs for conversion will be key.

The switch from an ICE to EV fleet isn’t as simple as flipping a switch or plugging in a car – EVs bring a new powertrain and new sources of information. EVs in their current state are expensive, new vehicle supply is constantly in question, current operators are unaware of the nuances involved with operating an EV, and the infrastructure necessary to support a commercial fleet of EVs isn’t universally robust. For the average fleet operator, there also is a need to focus on route optimization, installing and maintaining new hardware capable of supporting charging on-site, revamping their maintenance and care procedures, and working with their local energy providers to understand how power demands in their local market may impact their own energy costs and needs. Additionally, although data analytics has improved existing fleet operations over the past few years, expect to see more nuanced data availability to the benefit of fleet operators. As commercial and consumer EVs come out with ever more connectivity to the web and each other, coupled with the ability for “smart cities” to increase data available to drivers and vehicles, expect future fleet operators to get even more granular and predictive understanding of traffic patterns to optimize commercial routes. Managing these dynamics and capitalizing on new sources of information will better enable operators to adapt to the changing landscape. The ability to adapt to this new frontier will be a key trait for successful fleet operations in the Auto-2.0 operated environment.

© 2022 Foley & Lardner LLP

SEC Rejects Listing of Two Bitcoin ETFs

The SEC rejected two proposals to list and trade shares in two Bitcoin exchange-traded funds (“ETFs”).

The SEC rejected a proposal from NYSE Arca, Inc. (“Arca”) to list and trade shares of the Valkyrie Bitcoin Fund. The SEC also rejected a proposal from CBOE BZX Exchange, Inc. (“BZX”) to list and trade shares of the Kryptoin Bitcoin ETF Trust.

The SEC assessed whether the exchanges (i) had a comprehensive surveillance-sharing agreement with a significant, regulated market, and (ii) could effectively prevent fraudulent and manipulative activity. In the rejected proposals, the SEC noted its concerns over the abilities of the exchanges to adequately meet the requirements under SEA Section 6(b)(5) (“Determination by Commission Requisite to Registration of Applicant as a National Securities Exchange”) in protecting investors and the public interest by preventing fraudulent and manipulative practices.

The SEC rejected Arca’s argument that (i) liquidity, (ii) price arbitrage, and (iii) frameworks to value assets would be sufficient to mitigate potential manipulation.

Similarly, the SEC rejected BZX’s proposal, concluding “that BZX has not established that it has a comprehensive surveillance-sharing agreement with a regulated market of significant size related to bitcoin,” and “that BZX has not established that other means to prevent fraudulent and manipulative acts and practices are sufficient to justify dispensing with the requisite surveillance-sharing agreement.”

As a result, the SEC found that both exchanges had failed to prove that they could meet their burdens under SEA Section 6(b)(5).

© Copyright 2021 Cadwalader, Wickersham & Taft LLP


Patch Up – Log4j and How to Avoid a Cybercrime Christmas

A vulnerability so dangerous that Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly called it “one of the most serious [she’s] seen in [her] entire career, if not the most serious” arrived just in time for the holidays. On December 10, 2021, CISA and the director of cybersecurity at the National Security Agency (NSA) began alerting the public of a critical vulnerability within the Apache Log4j Java logging framework. Civilian government agencies have been instructed to mitigate against the vulnerability by Christmas Eve, and companies should follow suit.

The Log4j vulnerability allows threat actors to remotely execute code both on-premises and within cloud-based application servers, thereby obtaining control of the impacted servers. CISA expects the vulnerability to affect hundreds of millions of devices. This is a widespread critical vulnerability and companies should quickly assess whether, and to what extent, they or their service providers are using Log4j.

Immediate Recommendations

  • Immediately upgrade all versions of Apache Log4j to 2.15.0.
  • Ask your service providers whether their products or environment use Log4j, and if so, whether they have patched to the latest version. Helpfully, CISA sponsors a community-sourced GitHub repository with a list of software related to the vulnerability as a reference guide.
  • Confirm your security operations are monitoring internet-facing systems for indicators of compromise.
  • Review your incident response plan and ensure all response team information is up to date.
  • If your company is involved in an acquisition, discuss the security steps taken within the target company to address the Log4j vulnerability.
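
One way to carry out the "whether, and to what extent" assessment and check the 2.15.0 upgrade recommendation above, as an added example that is not part of the original alert: a scanner that finds log4j-core copies on disk, including ones bundled inside WAR/EAR/fat-JAR archives, and flags those below the target version. The helper names, the nesting and size limits and the sample archives are assumptions constructed for illustration; the threshold is the version the list names.

```python
import io
import os
import re
import tempfile
import zipfile

TARGET_VERSION = (2, 15, 0)            # version named in the recommendation above
ARCHIVE_EXTS = (".jar", ".war", ".ear")
MAX_DEPTH = 4                          # assumed limit for archives inside archives
MAX_NESTED_BYTES = 200 * 1024 * 1024   # assumed cap: skip implausibly large nested entries
# Maven metadata shipped inside log4j-core JARs.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# A log4j-core class, used to spot repackaged copies that lost their metadata.
CORE_MARKER = "org/apache/logging/log4j/core/LoggerContext.class"


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple; None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None


def classify(version_text):
    """Return 'ok', 'outdated' or 'unknown' relative to TARGET_VERSION."""
    parsed = parse_version(version_text) if version_text else None
    if parsed is None:
        return "unknown"
    return "ok" if parsed >= TARGET_VERSION else "outdated"


def scan_archive(source, label, findings, depth=0):
    """Inspect one archive (path or file object) and recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(source)
    except (zipfile.BadZipFile, OSError):
        return  # not a readable ZIP container
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            findings.append((label, m.group(1).strip() if m else None))
        elif CORE_MARKER in names:
            findings.append((label, None))  # log4j-core classes, version not recorded
        if depth >= MAX_DEPTH:
            return
        for info in zf.infolist():
            nested = info.filename.lower().endswith(ARCHIVE_EXTS)
            if nested and info.file_size <= MAX_NESTED_BYTES:
                try:
                    inner = io.BytesIO(zf.read(info))
                except (zipfile.BadZipFile, RuntimeError, OSError):
                    continue  # corrupt or encrypted entry
                scan_archive(inner, f"{label}!/{info.filename}", findings, depth + 1)


def scan_tree(root):
    """Walk a directory and return (location, version, status) for each log4j-core copy."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if fname.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fname)
                scan_archive(path, path, findings)
    return [(label, version, classify(version)) for label, version in findings]


def _make_jar(entries):
    """Build an in-memory archive from {name: content} (constructed sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Scan a constructed tree: an old copy inside a WAR, a current JAR, a repackaged JAR."""
    old = _make_jar({POM_PROPS: "artifactId=log4j-core\nversion=2.14.1\n"})
    new = _make_jar({POM_PROPS: "artifactId=log4j-core\nversion=2.15.0\n"})
    war = _make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": old})
    shaded = _make_jar({CORE_MARKER: b"constructed placeholder"})
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "lib"))
        samples = (("app.war", war),
                   (os.path.join("lib", "log4j-core-2.15.0.jar"), new),
                   ("shaded-app.jar", shaded))
        for rel, data in samples:
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return sorted((label[len(root) + 1:], v, s) for label, v, s in scan_tree(root))


if __name__ == "__main__":
    for location, version, status in demo():
        print(f"{status:9} {version or '?':8} {location}")
```

An "unknown" result means log4j-core classes were found without Maven metadata, so the version has to be confirmed with the vendor or build owner.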

The versatility of this vulnerability has already attracted the attention of malicious nation-state actors. For example, government-affiliated cybercriminals in Iran and China have a “wish list” (no holiday pun intended) of entities that they are aggressively targeting with the Log4j vulnerability. Due to this malicious nation-state activity, if your company experiences a ransomware attack related to the Log4j vulnerability, it is particularly important to pay attention to potential sanctions-related issues.

Companies with additional questions about the Log4j vulnerability and its potential impact on technical threats and potential regulatory scrutiny or commercial liability are encouraged to contact counsel.

© 2021 Bracewell LLP

9th Cir. Upholds Antitrust Jury Verdict Against Chinese Telescope Company [PODCAST]

Court affirms evidentiary rulings on market definition and overcharges. Agrees evidence supported verdict for collusion and attempted monopolization.

The Ninth Circuit Court of Appeals this month upheld judgment in favor of Optronic Technologies, Inc., finding there was sufficient evidence that Chinese telescope manufacturer, Ningbo Sunny Electronic (“Sunny”), conspired with a competitor in the U.S. consumer telescope market to allocate customers, fix prices, and monopolize the telescope market in violation of federal antitrust laws (Optronic Technologies, Inc., v. Ningbo Sunny Electronic Co., Ltd., No. 20-15837, 9th Cir. 2021). Ninth Circuit Judge Ronald M. Gould wrote the opinion.

California-based Optronic, known commercially as Orion Telescopes & Binoculars, sued Sunny in November 2014. Orion alleged Sunny violated Sherman Act Sections 1 and 2 by conspiring to allocate customers in the telescope market and conspiring to fix prices or credit terms for Optronics in collusion with Suzhou Synta Optical Technology. Orion further alleged Sunny’s 2014 acquisition of independent manufacturer, Meade, violated Section 7 of the Clayton Act. Orion alleged that Sunny engaged in these anticompetitive acts to force Orion out and further monopolize the telescope market.

A California jury found in favor of Orion on all counts and awarded the company $16.8 million in damages, which the district court trebled to $50.4 million. The district court also ordered injunctive relief, directing Sunny to supply Orion and Synta’s Meade on non-discriminatory terms for five years, and not to communicate with Synta about competitively sensitive information.

Rulings on key elements of plaintiff’s economic evidence affirmed.

Sunny appealed on several grounds, including two that challenged key elements of the plaintiff’s expert economic evidence. The jury had found Sunny liable for attempted monopolization and conspiracy to monopolize in violation of Section 2, which makes it unlawful for any person to monopolize or attempt or conspire to monopolize any relevant market. Sunny argued on appeal that the evidence could not support a Section 2 verdict because Orion’s economist failed to define a relevant market. In particular, Sunny claimed the expert did not examine the cross-elasticity between substitute products in the market or perform a SSNIP test, the standard analysis used to delineate the outer boundaries of a relevant market.

The appeals court found these contentions lacked merit. The plaintiff’s economist had testified that the relevant product market was the market for telescope manufacturing services. The purpose of the SSNIP test is to determine whether the relevant market is drawn too narrowly and should be expanded to include potential substitutes. But because no other manufacturing capacity can substitute for telescope manufacturing services, wholesale purchasers of telescopes cannot turn to other manufacturers to fulfill orders. Without substitutable manufacturers, a SSNIP test boils down to whether new manufacturers would enter the market fast enough to make an increase in price unprofitable for a hypothetical monopolist, which they could not. As a result, the court held that the economist reasonably could forgo performing a SSNIP analysis.

Sunny also challenged the economist’s estimate of anticompetitive overcharges that could not directly be observed. Neither the “benchmark” nor “before-and-after” estimation methods were available. Therefore, to develop a measure of damages, the plaintiff’s expert presented two different methods of estimating the overcharges. In the first method, the expert collected data on cartel overcharges from the economic literature on markets with structures and conditions similar to telescope manufacturing. The average of those overcharges was then used as an estimate of the overcharge resulting from defendants’ collusion. As a check on this estimate, the economist also submitted a theoretical Cournot equilibrium model of market prices based on assumptions drawn from the record in the case. The two methods yielded similar and consistent results. Affirming the admissibility of the expert’s damages estimates, the appellate court found the expert’s report and testimony “were sufficiently tied to the facts of this case such that the district court properly admitted this evidence.”

In rebuttal, the defendant’s economist testified to the high sensitivity of the assumptions used in the plaintiff’s theoretical model. Interestingly, defendants were not permitted to submit their own estimate of damages for the first time on rebuttal, so the defendants’ expert had to limit her testimony to the sensitivity of the model without the ability to show the jury any resulting alternative estimate of the anticompetitive overcharge. The appeals court affirmed the trial court’s limitation on the defendants’ rebuttal expert.

Price fixing and a larger scheme.

Sunny also argued that Orion failed to present sufficient evidence to support Orion’s Section 1 claims. Section 1 prohibits unreasonable restraints of trade. Horizontal price fixing and market allocation are per se unreasonable and support Section 1 liability without regard to any purported justification or defense. The Ninth Circuit noted that Orion offered evidence that Synta executives encouraged Sunny’s purchase of Meade, an acquisition that was part of a larger scheme by Sunny and Synta to jointly control the telescope manufacturing market, even though federal regulators had already prohibited such a combination. The court also declined to upset the jury’s finding that Sunny conspired with a Synta subsidiary to fix prices and credit terms to Orion, a per se violation of Section 1.

“If you break it, you buy it.”

Finally, it is notable that the appellate court affirmed the award of damages accruing after September 2016, when the defendant and Synta took their last steps to eliminate Meade, and Synta entered a Settlement and Supply Agreement with Orion. The court held that, even if the conspiratorial acts of Sunny and Synta ended in 2016, Orion could still recover post-2016 damages “because it continued to suffer economic harm from the harm to competition caused by the illegal concerted activity.” Thus, where collusion causes a durable change in market structure or sets the pattern of a continuing collusive practice, it is no defense that the conspirators may have ceased engaging in concerted action.

The rule adopted by the Ninth Circuit in Optronics is clear: “[W]here an antitrust plaintiff suffers continuing antitrust injuries from anticompetitive changes to market structure that arose from a proven antitrust violation, we hold that the violation may be a material cause of that injury, and so recovery of damages is permitted, even after the last proven date of the violative conduct. This rule accords with the common-sense principle that ‘if you break it, you buy it.’”

Welcomed clarity.

The Ninth Circuit’s opinion brings welcomed clarity on several points. It demonstrated that plaintiffs need not perform a SSNIP test where market-specific circumstances define a market’s outer boundary. For claimants facing the need to estimate unobservable anticompetitive overcharges, it affirms an ingenious method for arriving at a reasonable and reliable estimate. And, for past conspiracies with continuing anticompetitive effects, the decision announces the common-sense principle that a defendant “remains liable for the continuing injuries suffered by plaintiffs from the structural harm to competition that its unlawful scheme brought about.” Put simply, this is a well-articulated decision by a capable panel that adds precision and certainty to antitrust.

Edited by Tom Hagy for MoginRubin LLP

© MoginRubin LLP


Maryland Comptroller Adopts Digital Advertising Gross Revenues Tax Regulations

On December 3, 2021, the Maryland Comptroller published notice of its adoption of the digital advertising gross revenues tax regulations (which was originally proposed on October 8, 2021). Per the Maryland Administrative Procedure Act, the final adopted regulations will go into effect in 10 calendar days, or December 13, 2021. (See Md. Code Ann., State Gov’t § 10-117(a)(1).)

The final regulations were adopted almost entirely as proposed, with just two minor changes that the Attorney General (AG) of Maryland certified as non-substantive. Specifically, the changes to the October 8 proposed regulations concern the information that may be used to determine the location of a device and are described by the AG as follows:

  • Regulation .02(C): The Comptroller is clarifying language regarding the allowable sources of information a taxpayer may use to determine the location of a device. Specifically, this final action amendment changes “both technical information and the terms of the underlying contract” to “both technical information and nontechnical information included in the contract.”
    • Regulation .02(C)(2): The Comptroller is amending the non-exhaustive list of technical information to include “industry standard metrics.”

Practice Note: While “industry-standard metrics” is a nice addition to the list of sources that may be used to determine the location of devices for sourcing purposes, significant and fundamental questions and concerns submitted as part of the comments were not addressed by the Comptroller in adopting the final digital ad tax regulations. The tax is subject to multiple lawsuits (both state and federal court) and pending a court order to the contrary is scheduled to take effect beginning January 1, 2022, with the first filing obligation for large taxpayers in April 2022. Taxpayers grappling with how to comply with this new tax are encouraged to contact the authors.

© 2021 McDermott Will & Emery

Article by Stephen P. Kranz, Eric Carstens, and Jonathan C. Hague with McDermott Will & Emery.


In the Coming ‘Metaverse’, There May Be Excitement but There Certainly Will Be Legal Issues

The concept of the “metaverse” has garnered much press coverage of late, addressing such topics as the new appetite for metaverse investment opportunities, a recent virtual land boom, or just the promise of it all, where “crypto, gaming and capitalism collide.”  The term “metaverse,” which comes from Neal Stephenson’s 1992 science fiction novel “Snow Crash,” is generally used to refer to the development of virtual reality (VR) and augmented reality (AR) technologies, featuring a mashup of massive multiplayer gaming, virtual worlds, virtual workspaces, and remote education to create a decentralized wonderland and collaborative space. The grand concept is that the metaverse will be the next iteration of the mobile internet and a major part of both digital and real life.

Don’t feel like going out tonight in the real world? Why not stay “in” and catch a show or meet people/avatars/smart bots in the metaverse?

As currently conceived, the metaverse, “Web 3.0,” would feature a synchronous environment giving users a seamless experience across different realms, even if such discrete areas of the virtual world are operated by different developers. It would boast its own economy where users and their avatars interact socially and use digital assets based in both virtual and actual reality, a place where commerce would presumably be heavily based in decentralized finance, DeFi. No single company or platform would operate the metaverse, but rather, it would be administered by many entities in a decentralized manner (presumably on some open source metaverse OS) and work across multiple computing platforms. At the outset, the metaverse would look like a virtual world featuring enhanced experiences interfaced via VR headsets, mobile devices, gaming consoles and haptic gear that makes you “feel” virtual things. Later, the contours of the metaverse would be shaped by user preferences, monetary opportunities and incremental innovations by developers building on what came before.

In short, the vision is that multiple companies, developers and creators will come together to create one metaverse (as opposed to proprietary, closed platforms) and have it evolve into an embodied mobile internet, one that is open and interoperable and would include many facets of life (i.e., work, social interactions, entertainment) in one hybrid space.

In order for the metaverse to become a reality – that is, successfully link current gaming and communications platforms with other new technologies into a massive new online destination – many obstacles will have to be overcome, even beyond the hardware, software and integration issues. The legal issues stand out, front and center. Indeed, the concept of the metaverse presents a law school final exam’s worth of legal questions to sort out. Meanwhile, we are still trying to resolve the myriad of legal issues presented by “Web 2.0,” the Internet as we know it today. Adding the metaverse to the picture will certainly make things even more complicated.

At the heart of it is the question of what legal underpinnings we need for the metaverse infrastructure – an infrastructure that will allow disparate developers and studios, e-commerce marketplaces, platforms and service providers to all coexist within one virtual world.  To make it even more interesting, it is envisioned to be an interoperable, seamless experience for shoppers, gamers, social media users or just curious internet-goers armed with wallets full of crypto to spend and virtual assets to flaunt.  Currently, we have some well-established web platforms that are closed digital communities and some emerging ones that are open, each with varying business models that will have to be adapted, in some way, to the metaverse. Simply put, the greater the immersive experience and features and interactions, the more complex the related legal issues will be.

Contemplating the metaverse, these are just a few of the legal issues that come to mind:

  • Personal Data, Privacy and Cybersecurity – Privacy and data security lawyers are already challenged with addressing the global concerns presented by varying international approaches to privacy and growing threats to data security. If the metaverse fulfills the hype and develops into a 3D web-based hub for our day-to-day lives, the volume of data that will be collected will be exponentially greater than the reams of data already collected, and the threats to that data will expand as well. Questions to consider will include:
    • Data and privacy – What’s collected? How sensitive is it? Who owns or controls it? The sharing of data will be the cornerstone of a seamless, interoperable environment where users and their digital personas and assets will be usable and tradeable across the different arenas of the metaverse.  How will the collection, sharing and use of such data be regulated?  What laws will govern the collection of data across the metaverse? The laws of a particular state?  Applicable federal privacy laws? The GDPR or other international regulations? Will there be a single overarching “privacy policy” governing the metaverse under a user and merchant agreement, or will there be varying policies depending on which realm of the metaverse you are in? Could some developers create a more “privacy-focused” experience or would the personal data of avatars necessarily flow freely in every realm? How will children’s privacy be handled and will there be “roped off,” adults-only spaces that require further authentication to enter? Will the concepts that we talk about today – “personal information” or “personally identifiable information” – carry over to a world where the scope of available information expands exponentially as activities are tracked across the metaverse?
    • Cybersecurity: How will cybersecurity be managed in the metaverse? What requirements will apply with respect to keeping data secure? How will regulation or site policies evolve to address deep fakes, avatar impersonation, trolling, stolen biometric data, digital wallet hacks and all of the other cyberthreats that we already face today and are likely to be exacerbated in the metaverse? What laws will apply and how will the various players collaborate in addressing this issue?
  • Technology Infrastructure: The metaverse will be a robust computing-intensive experience, highlighting the importance of strong contractual agreements concerning cloud computing, IoT, web hosting, and APIs, as well as software licenses and hardware agreements, and technology service agreements with developers, providers and platform operators involved in the metaverse stack. Performance commitments and service levels will take on heightened importance in light of the real-time interactions that users will expect. What is a meaningful remedy for a service level failure when the metaverse (or a part of the metaverse) freezes? A credit or other traditional remedy?  Lawyers and technologists will have to think creatively to find appropriate and practical approaches to this issue.  And while SaaS and other “as a service” arrangements will grow in importance, perhaps the entire process will spawn MaaS, or “Metaverse as a Service.”
  • Open Source – Open source, already ubiquitous, promises to play a huge role in metaverse development by allowing developers to improve on what has come before. Whether or not the obligations of common open source licenses will be triggered will depend on the technical details of implementation. It is also possible that new open source licenses will be created to contemplate development for the metaverse.
  • Quantum Computing – Quantum computing has dramatically increased the capabilities of computers and is likely to continue to do so over the coming years. It will certainly be one of the technologies deployed to provide the computing speed to allow the metaverse to function. However, with the awesome power of quantum computing come threats to certain legacy protections we use today. Passwords and traditional security protocols may be meaningless (requiring the development of post-quantum cryptography that is secure against both quantum and traditional computers). With raw, unchecked quantum computing power, the metaverse may be subject to manipulation and misuse. Regulation of quantum computing, as applied to the metaverse and elsewhere, may be needed.
  • Antitrust: Collaboration is a key to the success of the metaverse, as it is, by definition, a multi-tenant environment. Of course collaboration amongst competitors may invoke antitrust concerns. Also, to the extent that larger technology companies may be perceived as leveraging their position to assert unfair control in any virtual world, there may be additional concerns.
  • Intellectual Property Issues: A host of IP issues will certainly arise, including infringement, licensing (and breaches thereof), IP protection and anti-piracy efforts, patent issues, joint ownership concerns, safe harbors, potential formation of patent cross-licensing organizations (which also may invoke antitrust concerns), trademark and advertising issues, and entertaining new brand licensing opportunities. The scope of content and technology licenses will have to be delicately negotiated with forethought to the potential breadth of the metaverse (e.g., it’s easy to limit a licensee’s rights based on territory, for example, but what about for a virtual world with no borders or some borders that haven’t been drawn yet?). Rightsholders must also determine their particular tolerance level for unauthorized digital goods or creations. One can envision a need for a DMCA-like safe harbor and takedown process for the metaverse. Also, akin to the litigation that sprouted from the use of athletes’ or celebrities’ likenesses (and their tattoos) in videogames, it’s likely that IP issues and rights of publicity disputes will go way up as people’s virtual avatars take on commercial value in ways that their real human selves never did.
  • Content Moderation. Section 230 of the Communications Decency Act (CDA) has been the target of bipartisan criticism for several years now, yet it remains in effect despite its application in some distasteful ways. How will the CDA be applied to the metaverse, where the exchange of third party content is likely to be even more robust than what we see today on social media?  How will “bad actors” be treated, and what does an account termination look like in the metaverse? Much like the legal issues surrounding offensive content present on today’s social media platforms, and barring a change in the law, the same kinds of issues surrounding user-generated content will persist and the same defenses under Section 230 of the Communications Decency Act will be raised.
  • Blockchain, DAOs, Smart Contract and Digital Assets: Since the metaverse is planned as a single forum with disparate operators and users, the use of a blockchain (or blockchains) would seem to be one solution to act as a trusted, immutable ledger of virtual goods, in-world currencies and identity authentication, particularly when interactions may be somewhat anonymous or between individuals who may or may not trust each other and in the absence of a centralized clearinghouse or administrator for transactions. The use of smart contracts may be pervasive in the metaverse.  Investors or developers may also decide that DAOs (decentralized autonomous organizations) can be useful to crowdsource and fund opportunities within that environment as well.  Overall, a decentralized metaverse with its own discrete economy would feature the creation, sale and holding of sovereign digital assets (and their free use, display and exchange using blockchain-based payment networks within the metaverse). This would presumably give NFTs a role beyond mere digital collectibles and investment opportunities as well as a role for other forms of digital currency (e.g., cryptocurrency, utility tokens, stablecoins, e-money, virtual “in game” money as found in some videogames, or a system of micropayments for virtual goods, services or experiences).  How else will our avatars be able to build a new virtual wardrobe for what is to come?

With this shift to blockchain-based economic structures comes the potential regulatory issues behind digital currencies. How will securities laws view digital assets that retain and form value in the metaverse?  Also, as in life today, visitors to the metaverse must be wary of digital currency schemes and meme coin scams, with regulators not too far behind policing the fraudsters and unlawful actors that will seek opportunities in the metaverse. While regulators and lawmakers are struggling to keep up with the current crop of issues, and despite any progress they may make in that regard, many open issues will remain and new issues will be of concern as digital tokens and currency (and the contracts underlying them) take on new relevance in a virtual world.

Big ideas are always exciting. Watching the metaverse come together is no different, particularly as it all is happening alongside additional innovations surrounding the web, blockchain and cryptocurrency (and, more than likely, updated laws and regulations). However, it’s still early. And we’ll have to see if the current vision of the metaverse will translate into long-term, concrete commercial and civic-minded opportunities for businesses, service providers, developers and individual artists and creators.  Ultimately, these parties will need to sort through many legal issues, both novel and commonplace, before creating and participating in a new virtual world concept that goes beyond the massive multi-user videogame platforms and virtual worlds we have today.

Article By Jeffrey D. Neuburger of Proskauer Rose LLP. Co-authored by  Jonathan Mollod.


© 2021 Proskauer Rose LLP.

Privacy Tip #309 – Women Poised to Fill Gap of Cybersecurity Talent

I have been advocating for gender equality in Cybersecurity for years [related podcast and post].

The statistics on the participation of women in the field of cybersecurity continue to be bleak, despite significant outreach efforts, including “Girls Who Code” and programs to encourage girls to explore STEM (Science, Technology, Engineering and Mathematics) subjects.

Women are just now rising to positions from which they can help other women break into the field, land high-paying jobs, and combat the dearth of talent in technology. Judy Dinn, the new Chief Information Officer of TD Bank NA, is doing just that. One of her priorities is to encourage women to pursue tech careers. She recently told the Wall Street Journal that she “really, really always wants to make sure that female representation—whether they’re in grade school, high school, universities—that that funnel is always full.”

The Wall Street Journal article states that a study by AnitaB.org found that “women made up about 29% of the U.S. tech workforce in 2020.”  It is well known that companies are fighting for tech and cybersecurity talent and that there are many more open positions than talent to fill them. The tech and cybersecurity fields are growing with unlimited possibilities.

This is where women should step in. With increased support, and prioritized recruiting efforts that encourage women to enter fields focused on technology, we can tap more talent and begin to fill the gap of cybersecurity talent in the U.S.

Article By Linn F. Freedman of Robinson & Cole LLP


Copyright © 2021 Robinson & Cole LLP. All rights reserved.

Federal Regulators Issue New Cyber Incident Reporting Rule for Banks

On November 18, 2021, the Federal Reserve, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency issued a new rule regarding cyber incident reporting obligations for U.S. banks and service providers.

The final rule requires a banking organization to notify its primary federal regulator “as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.” The rule defines a “notification incident” as a “computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s—

  1. Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  2. Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
  3. Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”

Under the rule, a “computer-security incident” is “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.”

Separately, the rule requires a bank service provider to notify each affected banking organization “as soon as possible when the bank service provider determines it has experienced a computer-security incident that has materially disrupted or degraded or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.” For purposes of the rule, a bank service provider is one that performs “covered services” (i.e., services subject to the Bank Service Company Act (12 U.S.C. 1861–1867)).

In response to comments received on the agencies’ December 2020 proposed rule, the new rule reflects changes to key definitions and notification provisions applicable to both banks and bank service providers. These changes include, among others, narrowing the definition of a “computer security incident,” replacing the “good faith belief” notification standard for banks with a determination standard, and adding a definition of “covered services” to the bank service provider provisions. With these revisions, the agencies intend to resolve some of the ambiguities in the proposed rule and address commenters’ concerns that the rule would create an undue regulatory burden.

The final rule becomes effective April 1, 2022, and compliance is required by May 1, 2022. The regulators hope this new rule will “help promote early awareness of emerging threats to banking organizations and the broader financial system,” as well as “help the agencies react to these threats before they become systemic.”

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved.


What the Top 200 US Law Firms Do Right: Trends in Thought Leadership & Social Media Strategy

Writing thought leadership content is an important part of many law firms’ marketing strategies. Thought leadership content allows attorneys to share their expertise, connect with current and future clients and create a brand for themselves. However, articles and blog posts are not the only way attorneys can share their thought leadership. Video, podcasts and social media posts are additional avenues for attorneys to pursue.

According to the 2021 Thought Leadership Index from Passle, a professional services marketing platform dedicated to legal and consultancy firms, law firms created 60 percent more content in 2020 than the year before. Passle’s report analyzed thought leadership and social media activity from the top 200 US law firms in 2020, finding that these firms created over 70,000 pieces of content last year, with many firms shifting their focus to YouTube.

The report found that by volume alone, Baker McKenzie produced the most thought leadership content in 2020 with 4,164 posts, or .88 per attorney. Squire Patton Boggs followed at 2,794 posts, or 1.82 per attorney.

When it comes to social media, Baker McKenzie came out on top again with 310,000 followers on LinkedIn, while personal injury practice Morgan & Morgan came out on top with YouTube video views of over 8 million. The firms with the most followers on Twitter included White & Case with 64,000 followers, DLA Piper with 41,000 and Latham & Watkins with 37,000.

The National Law Review sat down with James Barclay, CEO of Passle Inc., and Sam Page, Marketing Director for Passle to discuss the trends from the report, and how law firms and their attorneys can apply these insights to their own thought leadership and social media efforts.

How Can Law Firms Create More Thought Leadership Content?

At first, producing regular thought leadership content may seem like an intimidating task. Firms must develop a strategy for content production, and perhaps more importantly, find time for attorneys to produce that content. However, with the right knowledge and careful planning, the process becomes less daunting. In a profession with ever-growing workloads and ever-shrinking turnaround times, how can a law firm enable attorneys to produce effective thought leadership?

To streamline the thought leadership creation process, it is critical to understand what kind of content creates the most value for a law firm. The term “thought leadership” may call to mind significant investments of time – white papers and lengthy reports, which show a depth of knowledge and are great for SEO  – but this is not necessarily the case. According to Passle, effective thought leadership can also range from 100 to 300 words.

“The audience for a lawyer, as a general counsel, is other lawyers inside large businesses,” Mr. Page said. “Those people are really busy themselves. They don’t have a lot of time. They won’t read multi-page reports with 50,000 words. So the effective content that you see a lot of people creating is short.”

“It has to come from the lawyers,” Mr. Barclay added. “They’ve got thousands of hours of experience. That means that when they talk about a subject, they get right to the nub of it. And it’s usually that the more niche it is, the better, because that’s what their clients pay them by the minute for.”

Ensuring attorneys have a stake in the content they create is a vital aspect of thought leadership. “If you can make it quick and easy for lawyers to create authentic, timely, expert-led content, then those lawyers will find their voice and they’ll use their voice, and they enjoy it,” said Mr. Barclay.

The simplest way to accomplish this is to build around the firm’s pre-existing goals and items. Many attorneys in the United States and the United Kingdom use thought leadership as a tool for appraisals, as it allows them to demonstrate to clients their areas of special expertise. Further, thought leadership can also be a mechanism for promotion. Mr. Barclay explained:

“If you’re running an event, do a video and say, ‘Come to our event.’ It takes two minutes and it’s authentic because it’s your attorney who’s speaking,” he said.

Law firms may also choose to develop governance and approval processes for the thought leadership that is published. Many attorneys suffer from impostor syndrome, which sometimes cripples their ability to produce timely content. Official protocols and workflows not only maintain a high quality of work, they also allow lawyers to develop their voice in a streamlined environment.

Ultimately, the metric for success is much lower than one might expect. According to Passle’s report, in 2020, the average law firm produced 800 total pieces of thought leadership content. This amounts to only 0.8 pieces of content per attorney. Though generating content on a regular basis might seem a herculean task, these statistics show that an effective thought leadership plan is relatively low-commitment. In practice, if every attorney at a firm produced one thought leadership insight a month, that law firm would already be well ahead of its competitors.

How to Create a Successful Law Firm Social Media Strategy

Another important aspect of thought leadership content creation is social media. Having a presence on platforms such as LinkedIn, Twitter and YouTube allows law firms and their attorneys to have a platform to showcase their expertise and connect with current and future clients. When it comes to thought leadership content, empowering attorneys to have a voice on social media can make a huge difference.

“It’s very difficult to tell a late 40s lawyer, ‘Go on Twitter. Get on Twitter or get on LinkedIn. You must do it.’ But if you say, ‘Hey, create something that’s going to be really interesting to Bob, Jennifer, Eileen, and your other key clients. Generate a piece of content, and then of course, make sure you share it with them and the best place to share it with them is LinkedIn. Then … that all makes sense,” Mr. Barclay said.

Attorneys and law firms can also think of social media as another asset the whole team can leverage. For lawyers in a certain niche, social media can be a powerful tool to bring in new clients and connect with existing ones.

“Attorneys don’t want to sell, they’re not salespeople. They want to talk about what they know. And then of course, what they know is really, really, really valuable to the people who they’re trying to influence,” Mr. Barclay said. “And that’s what’s neat about attorneys is that they’re not going online trying to sell something. They’re going online talking about their tiny little niche, and that’s exactly what their audience wants.”

One of the key things Mr. Barclay and Mr. Page said the top performing law firms do on social media is create an authentic image. For lawyers and law firms wanting to stand out in a crowd of others online, including a bit of personality into posts can go a long way. Lawyers can appear more authentic if they keep in mind who their clients are and what they need when creating their thought leadership content.

“It’s got to be authentic, it’s got to be timely and it’s got to showcase some of you. Again, folk don’t tend to employ a law firm, they don’t talk about their law firm, they talk about their lawyer. It’s a very personal one-to-one relationship,” Mr. Barclay said.

When it comes down to it, lawyers often need a reason to use social media, Mr. Page said. What often motivates lawyers to use social media is the ability to create content and have a voice. As the Passle report shows, the most successful law firms have both a strong social media presence and a solid content strategy.

“When lawyers have a voice, when they are able to create content, they have a reason to use social media. So if they are told to be on social and they just hover there without a purpose, it’s difficult to see a reason to do it, [and] it’s difficult to find any sort of outcome,” he said.

What Makes a Strong Law Firm Content Strategy?

In the new era of virtual engagement, it is vital that firms take steps to control their online presence. Mr. Barclay explains how focused, regularly published thought leadership articles are central to a firm’s success.

“Most attorneys we talked to don’t have hundreds of clients. 80 percent of their billable hours in any one year comes from 15, 20, 30 clients,” Mr. Barclay said. “If [you] can give them a great piece of authentic online content, then of course that’s a fabulous vehicle for recommendation referral, which is where new business comes from.”

By understanding these trends and taking control of their online presence, attorneys can easily communicate their expertise, maximize their referrals and increase their revenue. The most successful firms understand that a small investment of 30 minutes to one hour can reap tremendous benefits. Oftentimes, the best way to facilitate these investments is through a group effort. The most successful law firms also empower not just the partners of the firm to create thought leadership, but associates and law clerks as well.

“The essence of those firms that reach the top of that list, is that they enable a wide range of their fee earners to create content,” Mr. Page said. “They’re not just relying on the select few partners that tend to come from a similar background, [and] have a similar way of thinking and a similar view of the world. The firms that succeed are generally the firms that enable their associates, or even their trainees, to create content and to have a voice within the firm.”

This article was written by Rachel Popa and Chandler Ford of the National Law Review.