Category: Technology

Biden Administration Expands Public-Private Cybersecurity Partnership to Chemical Sector

On October 26, 2022, the Biden Administration announced that it is expanding the Industrial Control Systems (ICS) Cybersecurity Initiative to the chemical sector. The White House’s fact sheet states that the majority of chemical companies are privately owned, so a collaborative approach is needed between the private sector and government. According to the fact sheet, “[t]he nation’s leading chemical companies and the government’s lead agency for the chemical sector — the Cybersecurity and Infrastructure Agency (CISA) — have agreed on a plan to promote a higher standard of cybersecurity across the sector, including capabilities that enable visibility and threat detection for industrial control systems.”

The fact sheet states that the Chemical Action Plan will serve as a roadmap to guide the sector’s assessment of their current cybersecurity practices over the next 100 days, building on the lessons learned and best practices of the previously launched action plans for the electric, pipeline, and water sectors to meet the needs for this sector. The Chemical Action Plan will:

  • Focus on high-risk chemical facilities that present significant chemical release hazards with the ultimate goal of supporting enhanced ICS cybersecurity across the entire chemical sector;
  • Drive information sharing and analytical coordination between the federal government and the chemical sector;
  • Foster collaboration with the sector owners and operators to facilitate and encourage the deployment of appropriate technologies based on each chemical facility’s own risk assessment and cybersecurity posture. The federal government will not select, endorse, or recommend any specific technology or provider; and
  • Support the continuity of chemical production critical to the national and economic security of the United States. The chemical sector produces and manufactures chemicals that are used directly or as building blocks in the everyday lives of Americans, from fertilizers and disinfectants to personal care products and energy sources, among others.

The ICS Cybersecurity Initiative emphasizes that cybersecurity continues to be a top priority for the Administration.

For more Cybersecurity Legal News, click here to visit the National Law Review.

©2022 Bergeson & Campbell, P.C.

Buying, Selling, and Investing in Telehealth Companies: Navigating Structural and Compliance Issues

A multi-part series highlighting the unique health regulatory aspects of Telemedicine mergers and acquisitions, and financing transactions

Investors in the telehealth space and buyers and sellers of telehealth companies need to account for a set of health regulatory considerations that are unique to deals in this sector. As all parties to potential telehealth transactions analyze their long term role in the telehealth marketplace, two of the central issues to any transaction are compliance and structure – both in terms of structuring the telehealth transaction itself and due diligence issues that arise related to a target’s structure.

The COVID-19 pandemic, combined with strained health care staffing and provider availability, have accelerated the growth of the telehealth, and start-ups and traditional health systems alike are competing for access to patient populations in the telehealth space. However, as we adjust to life with COVID-19 as the norm, the expiration of the federal Public Health Emergency (PHE) looms, and the national economy contracts, we expect that the remainder of 2022 and into 2023 will see consolidation as the telehealth market begins to saturate and the long-term viability of certain platforms are tested. Telehealth companies, health systems, pharma companies and investors are all in potential positions to take advantage of this consolidation in a ripening M&A sector (while startups in the telehealth space continue to seek venture and institutional capital).

This is the first post in a series highlighting the unique health regulatory aspects of telehealth transactions. Future installments of this series are expected to cover licensure and regulatory approvals, compliance / clinical delivery models, and future market developments.

Telehealth Transaction Structure Considerations

The structure of any given telehealth transaction will largely depend on the business of the telehealth organization at play, but also will depend on the acquirer / investor. Regardless of whether a party is buying, selling or investing in a telehealth company, structuring the transaction appropriately will be important for all parties involved. While a standard stock purchase, asset purchase or merger may make sense for many of these transactions, we have also seen a proliferation of, affiliation arrangements, joint ventures (JV), alliances and partnerships.  These varieties of affiliation transactions can be a good choice for health systems that are not necessarily looking to manage or develop an existing platform, but instead are looking to leverage their patient populations and resources to partner with an existing technology platform. An affiliation or JV is more popular for telehealth companies operating purely as a technology platform (with no core business involving clinical services being provided). For parties in the traditional healthcare provider sector that provide clinical services, an affiliation or JV, which is easier to unwind or terminate than a traditional M&A transaction, can allow the parties to “test the waters” in a new, combined business venture. The affiliation or JV can take a variety of forms, including technology licensing agreements; the creation of a new entity to house the telehealth mission, which then has contractual arrangements with the both the JV parties; and exclusivity arrangements relating to use of the technology and access to patient populations.

While an affiliation or JV offers flexibility, can minimize the need for a large upfront investment, and can be an attractive alternative to a more permanent purchase or sale, there can be increased regulatory risk. Entrepreneurs, investors, and providers considering any such arrangement should bear in mind that in the wake of the COVID-19 pandemic and proliferation of telehealth, the Office of Inspector General of the Department of Health and Human Services (HHS-OIG) has expressed a heightened interest in investigating so called “telefraud” and recently issued a special fraud alert regarding suspect arrangements, discussed in this prior post. Further, the OIG’s guidance on contractual joint ventures that would run afoul of the federal Anti-Kickback Statute (AKS) should be front of mind and parties should strive to structure any affiliation or JV in a manner that meets or approximates an AKS safe harbor.

Target Telehealth Company Structure Compliance

Where telehealth companies are providing clinical services, and are not purely technology platforms, structuring and transaction diligence should focus on whether the target is operating in compliance with corporate practice of medicine (CPOM) laws. The CPOM doctrine is intended to maintain the independence of physician decision-making and reduce a “profits over people” mentality, and prevent physician employment by a lay-owned corporation unless an exception applies. Most states that have adopted CPOM impose similar restrictions on other types of clinical professionals, such as nurses, physical therapists, social workers, and psychologists. Telehealth companies often attempt to utilize a so-called “friendly PC” structure to comply with CPOM, whereby an investor-owned management services organization (“MSO”) affiliates with a physician-owned professional corporation (or other type of professional entity) (a “PC”) through a series of contractual agreements that foster a close working relationship between the MSO, PC, and PC owner and whereby the MSO provides management services, and sometimes start-up financing. The overall arrangement is intended to allow the MSO to handle the management side of the PC’s operations without impeding the professional judgment of the PC or the medical practice of its physicians and the PC owner.

CPOM Compliance Considerations and Diligence for Telehealth Companies

A sophisticated buyer will want to confirm that the target’s friendly PC structure is not only formally established, but is also operationalized properly and in a manner that minimizes fraud and abuse risk. If CPOM compliance gaps are identified in diligence this may, at worst, tank the deal and, at best, cause unexpected delays in the transaction timeline, as restructuring may be required or advisable. The buyer may also request additional deal concessions, such as a purchase price reduction and special indemnification coverage (with potentially a higher liability limit and an escrow as security). Accordingly, a telehealth company anticipating a sale or fund raise would be well served to engage in a self-audit to identify any CPOM compliance issues and undertake necessary corrective actions prior to the commencement of a transaction process.

Below are nine key questions with respect to CPOM compliance and related fraud and abuse issues that a buyer/investor in a telehealth transaction should examine carefully (and that the target should be prepared to answer):

  1. Does target have a PC that is properly incorporated or foreign qualified in all states where clinical services are provided (based on the location of the patient)?
  2. Does the PC owner (and any directors and officers of the PC, to the extent different from the PC owner) have a medical license in all states where the PC conducts business (to the extent in-state licensure is required)? To the extent the PC has multiple physician owners and directors/officers, are all such individuals licensed as required under applicable state law?
  3. Does the PC(s) have its own federal employer identification number, bank account (including double lockbox arrangement if enrolled in federal healthcare programs), and Medicare/Medicaid enrollments?
  4. Does the PC owner exercise meaningful oversight and control over the governance and clinical activities of the PC? Does the PC owner have background and expertise relevant to the business (e.g., a cardiologist would not have appropriate experience to be the PC owner of a PC that provides telemental health services)?
  5. Are the physicians and other professionals providing clinical services for the business employed or contracted through a PC (rather than the MSO)? Employment or independent contractor agreements should be reviewed, as well as W-2s, and payroll accounts.
  6. Is the PC properly contracted with customers (to the extent services are provided on a B2B basis) and payors?
  7. Do the contractual agreements between the MSO and PC respect the independent clinical judgment of the PC owner and PC physicians and otherwise comply with state CPOM laws.
  8. Do the financial arrangements between the MSO, PC, and PC owner comply with AKS, the federal Stark Law, and corollary state laws and fee-splitting prohibitions, to the extent applicable?
  9. Is the PC owner or any other physician performing clinical services for the PC an equity holder in the MSO? If so, are these equity interests tied to volume/value of referrals to the PC or MSO (i.e., if the MSO provides ancillary services such as lab or prescription drugs) or could equity interests be construed as an improper incentive to generate healthcare business (e.g., warrants that can only be exercised upon attainment of certain volume)?

Telehealth companies considering a sale or financing transaction, and potential buyers and investors, would be well served to spend time on the front end of a potential transaction assessing the above issues to determine potential risk areas that could impact deal terms or necessitate any friendly PC structuring.

Article By Hannah E. Zaitlin, Mitchell D. Lindstrom, David S. Sanders, and Natasha Allen of Foley & Lardner LLP

For more health law legal news, click here to visit the National Law Review.

© 2022 Foley & Lardner LLP

The Do’s and Don’ts of Data Cleaning – Don’t Drown in Bad Data

Bad CRM data can compound exponentially, impacting marketing and business development. It’s essential to understand the scope of  your data problems and follow a plan for regular data cleaning.  

Have you ever heard the saying, “No man ever steps into the same river twice”? Because a river’s water is constantly flowing and changing, the water you step in today will be different from yesterday. The same is true for the data in your CRM system: people are constantly changing roles, relocating, retiring; companies are opening, closing, moving and merging.

On top of that, new data isn’t always entered correctly. As a result, a database with clean, correct information today will not necessarily be accurate tomorrow. Over time, this bad data can compound exponentially, resulting in ineffective marketing, events and communication campaigns because as your data degrades, you reach fewer members of your target audience.

For professional services firms, poor data quality in your CRM system can also translate into a decline in system adoption. Once your professionals see bad data, they won’t trust the system as a whole and ultimately may outright refuse to use it. This is why we stress the importance of ongoing data cleaning.

Data Cleaning Do’s and Don’ts

Simply put, data cleaning involves identifying incorrect, incomplete and/or dated data in your systems and correcting and enhancing it. If you have a large database with thousands, or hundreds of thousands, of records, the data quality process can seem daunting and overwhelming.

While there’s no magic bullet or quick fix for poor data quality, ignoring data problems until there’s a crisis is not a strategy. Good data quality requires ongoing effort that never ends. The good news is that this means you have forever to get better at it. So, start now. Begin by assessing the scope of your data quality issues. Then, because it’s not always cost-effective or even possible to clean all your data, start by focusing on the highest priority projects.

Identify and Prioritize Your Most Important Data

All contact records are not created equal. For instance, client data is typically more important than non-client data. Additionally, individuals who have recently subscribed to your communications or attended an event are more important than those who last interacted with your firm years ago. Whatever segmenting scenario you select, it’s important to find ways to divide your contact data into manageable pieces because it makes the process more manageable and allows you to better measure progress.

Eliminate Stagnant Records

Related to prioritizing your data, don’t be hesitant about removing records that have been inactive for an extended period. Search your system for contacts that have not been updated for a few years, are not related to or known by any of your professionals, are not clients or alumni, and have not opened a communication or invitation in two to three years. Chances are good these records are not only outdated but also may not be worth the resources it would take to update them. Identify these records and consider removing them from the system. Less mess in your database makes cleanup a bit more manageable.

Your Plan Is Your Life Preserver

Once you’ve prioritized subsets or segments of contacts, identifying and prioritizing your most common data errors can help you decide on the best way to tackle ongoing data cleaning. For example, if you have an important email that needs to be sent to clients, you need to focus on email addresses. Identify records that don’t have an email address, have incorrectly formatted email addresses or have bounced recently.

In addition, if there are contacts you haven’t sent a communication or invitation to for an extended period of time, it’s entirely likely that their email may no longer be valid. It’s important to regularly test emails on your lists because not doing so can cause you to be blacklisted by anti-spam entities or have your account blocked by your eMarketing provider.

Initial Cleaning Cycle

The best place to start your data cleaning cycle is with a contact and list verification and cleansing service such as TrueDQ. This service will evaluate your list data, identify potentially harmful “honeypot” email addresses and even automatically update many of your contacts with current, complete contact information. The data can then also be enhanced with additional missing information, such as industries and locations, to help with targeting and segmenting.

Rinse and Repeat

When one segment or list has been cleaned, move on to the next one – bearing in mind that what’s important on the next list may be different from the last one. For example, maybe you need to send a hard copy postal mailing, so it will be important to ensure the accuracy of physical mailing addresses rather than email addresses.

Bounces and Returns

One of the most common data quality failures at law and other professional services firms is ignoring bounced emails and returned hard copy mailings. Bounces and returns are real-time indicators that can help you keep on top of your data quality. Researching and correcting them is important because sometimes they involve important former clients who could potentially hire the firm again at their new company.

Returned hard mail will often include the forwarding address of the recipient, which should be corrected in your CRM. For emails, use a central email address to collect automatic email replies, since these frequently tell you when a recipient no longer works at an organization.

Ideally, data stewards should regularly review all bounces to take the onus off the professionals. However, it can also be helpful to generate reports on bounced communications and circulate them to professionals or their assistants who may be able to provide updated information – or will at least appreciate knowing which of their contacts have moved on or changed roles.

Finally, if your eMarketing and/or CRM system has a process for automatically isolating bounced records, be sure you have a reciprocal process that automatically reinstates bounced records when the email field is updated.

Prevent Invalid Data

There are multiple ways to encourage good data habits, depending on your system and method of contact entry. If your firm relies on manual data entry, implement a firmwide Data Standards Guide to inform users how data should be entered (e.g., does your firm spell out or abbreviate job titles?). It can also be helpful to use system validation rules wherever possible to require certain information in new records such as last name, city and email address to ensure your contacts are relevant.

Finally, regularly review newly added records for consistency and completeness. This process can reveal issues such as users who may require additional training on contact input best practices. It can also help to catch spam or other potentially dangerous entries that can sometimes flow into your database from online forms that are filled out by bots.

Never, Ever Stop

Just as rivers keep flowing, so does the data in your CRM system – and the data will always need cleaning to ensure that it is fresh. While this may feel like a relentless and burdensome task, never stop – just go with the flow –  because when you’re not regularly cleaning the data, your CRM “river” can become stagnant, and the more polluted it becomes, the longer the eventual cleanup will take.

Article By Christina R. Fritsch JD and Rachel Fields of CLIENTSFirst Consulting

For more business of law legal news, click here to visit the National Law Review.

© Copyright 2022 CLIENTSFirst Consulting

ADA Compliance for Law Firm Websites in 2022

Legal reasoning involves applying the law to the facts to determine the rights and duties of those involved in a situation. Lawyers frequently take the position that the application of rules should settle disputes and that policies will be considered, if at all, only when there is a high degree of uncertainty surrounding the applicability of the rule. The lawyer might take the position that it is always preferable to seek the result that would further the underlying policies, even if that result would be contrary to the clear language of the rules.

But what if no explicit rules currently exist?

That is the issue with website compliance under the Americans with Disabilities Act (ADA). The Act does not offer specific guidelines to follow; however, websites are expected to be easily accessible to everyone, including those who are disabled. The failure to create an ADA-compliant website could expose an organization to discrimination lawsuits, financial liabilities, and severe damage to its reputation.

What is the ADA?

The ADA compels certain businesses, including banks, hotels, restaurants, public transit, law firms, and others to make accommodations for people with disabilities. According to the National Law Review, the Act is divided into three parts:

  • Title I prohibits employers from discriminating against employees based on disability and requires them to provide reasonable accommodation to certain employees under specific circumstances.
  • Title II covers state and local governments.
  • Title III covers “places of public accommodation,” which the ADA does not define, but are generally private businesses or organizations that provide goods, services, facilities, privileges, or accommodations to the public. These places commonly include schools, restaurants, health care providers, social service agencies, law firms, and more.

The ADA is commonly associated with physical locations and the accommodations that certain businesses must make for people with disabilities, which include wheelchair accessibility, reserved parking, and service animals. Companies that fall under ADA Title I and operate 20 or more weeks per year with at least 15 full-time employees, or Title III – those that fall under the category of public accommodation – must be ADA-compliant.

Although physical “brick-and-mortar” locations are nearly always considered places of public accommodation, the debate is ongoing as to whether a business’s website is a place of accommodation. If so, the digital content must be accessible to all users.

A law firm website must be designed so that those who are disabled can access it easily to comply with ADA requirements. While there are no well-defined regulations that describe precisely what an ADA-compliant website should include, businesses that fall under ADA Title I or ADA Title III are required to develop a website that offers “reasonable accessibility” to people with disabilities.

Compliance Tools & Plugins

Because the ADA doesn’t offer specific guidelines for website compliance, many organizations follow the Web Content Accessibility Guidelines 2.0 (WCAG), updated to 2.1 in 2018. While WCAG isn’t a legal requirement, its requirements have been followed in the European Union and other nations since 1999 and still serves as a reference for businesses that want to improve accessibility to their website.

Under WCAG 2.1, website accessibility concerns generally fall into four groups. These include issues that are:

  • Perceivable – issues that affect users’ ability to locate and process the information on a website, e.g., many visually-impaired individuals use screen readers to distinguish between the text and the background to help them navigate online content.
  • Operable – challenges that impair users’ ability to navigate a site, e.g., functions and navigations such as online forms should be accessible via keyboard-only commands, and users who need additional time to complete them should be allowed to do so.
  • Understandable – users should be able to comprehend the information on the site, e.g., error messages that provide an explanation and directions for correcting an error should be offered.
  • Robust – can be interpreted by various devices and platforms according to the varying needs and abilities of users, e.g., the alt text that should pop up to let users know what it is when read by assistive technology when they hover over an image.

Here are more suggestions regarding what to include to help ensure ADA website compliance:

  • “Alt” tags for every media file and map
  • Descriptive HTML tags for online forms
  • Hyperlinks with descriptive anchor text
  • “Skip navigation” links on all website pages
  • Heading tags to organize text
  • Accessible PDF files
  • Subtitles, transcripts, and audio descriptions for videos
  • Accessible fonts for all applications
  • HTML tables with column headers, row IDs, and cell information
  • Captions written in English for audio files
  • Call-to-action buttons with easily accessible names and ARIA labels
  • A website accessibility policy
  • Easy to find contact information

Meeting these guidelines will make a firm’s website more accessible to those with vision or hearing impairments, as well as cognitive, language, or learning disabilities.

Court Rulings Regarding Website ADA Compliance

According to the American Bar Association (ABA), the number of accessibility-related lawsuits filed against websites has increased dramatically in recent years. Plaintiffs are basing these lawsuits on two legal theories:

  1. Title IIIs “equal access and general nondiscrimination mandate
  2. A requirement that places of public accommodation must provide auxiliary aids and services as necessary (for no extra charge)

Although neither Title III nor its regulations mention websites and mobile applications, the phase “auxiliary aids and services” includes “accessible electronic and information technology,” which covers websites and mobile apps.

ADA Title III Lawsuits Filed Each Year Graph
Image by Seyfarth via adatitleiii.com

A recent ABA analysis of court filings related to ADA website compliance found:

  • Federal courts across the country were inundated with more than 8,000 website accessibility lawsuits between 2017 and 2020.
  • In 2020, three states – New York, Florida, and California – brought more than 85 percent of all the ADA website compliance lawsuits.
  • Since 2018, website and mobile app accessibility disputes have accounted for approximately 20 percent of all ADA Title III cases initiated in federal courts, which now regularly exceed 10,000 suits each year.

These statistics do not consider a significant number of website and mobile app cases pursued in state courts, cases settled before filing in court, and DOJ enforcement proceedings that are resolved prior to court filing.

Here are some examples of court rulings related to ADA compliance and websites:

Gil v. Winn-Dixie Stores Inc.

In June 2107, a Florida court ruled in favor of a blind plaintiff who brought an ADA violation lawsuit against Winn-Dixie. The man claimed that aspects of the supermarket chain’s site weren’t compatible with screen readers, leaving him unable to order his medications online or download rewards cards. The trial court agreed that the website was inaccessible to those with impaired vision and ordered that it be brought into compliance with the WCAG 2.0 Level AA.

Although Winn-Dixie complied with the court order, in April 2021, the Eleventh Circuit Court of Appeals overturned the trial court’s decision, finding that Winn-Dixie was not in violation of the ADA because it did not need accessibility aids to conduct business. After that, however, Winn-Dixie posted an accessibility statement on its website that commits to adhere to WCAG 2.0 AA by using testers from the disability community to check the accessibility of their website periodically.

Robles v. Domino’s Pizza

Domino’s Pizza lost a website accessibility lawsuit in 2019 after years of exhaustive litigation when a federal district court in California granted the plaintiff’s motion for summary judgment after it determined that the website was indeed not fully accessible. The court ordered Domino’s to make its website compliant with the WCAG 2.0 to connect customers to the goods and services of Domino’s physical restaurants.

The court held that the ADA applied to Domino’s website and app because the Act requires places of public accommodation, like Domino’s, to offer auxiliary aids and services to make visual materials available to blind individuals. Although customers primarily access the Domino’s website and app outside its physical restaurants, the court found that the Act pertains to the services of public accommodation, not services in a place of public accommodation.

Andrews v. Blick Art Materials

In 2017, Victor Andrews, who is blind, filed a lawsuit against Blick Art Materials for website inaccessibility. Andrews alleged that because Blick’s website was inaccessible, he could not navigate and purchase items on the defendant’s website independently. When Blick made a motion to dismiss the lawsuit, Judge Jack Weisenstein denied it and made this statement:

Today, internet technology enables individuals to participate actively in their community and engage in commerce from the comfort and convenience of their home. It would be a cruel irony to adopt the interpretation of the ADA espoused by Blick, which would render the legislation intended to emancipate the disabled from the bonds of isolation and segregation obsolete when its objective is increasingly within reach.

The ruling in this case and others illustrates that businesses need to consider their websites equivalent to a place of public accommodation, which puts them at risk of being sued, even without explicit web accessibility regulations.

Latest DOJ Guidelines

In 2010, the Department of Justice (DOJ) launched a rulemaking process to address ADA requirements for website accessibility, including technical standards for accessible websites. However, that effort stalled for seven years during the Obama administration (even though the administration continued to pursue investigations and enforcement actions against businesses with inaccessible websites).

The Trump administration abandoned the process to interpret the ADA entirely in 2017. In 2018, the DOJ revealed that it would not give official guidance regarding website accessibility under the Act, releasing this statement:

The Department is evaluating whether promulgating regulations about the accessibility of Web information and services is necessary and appropriate. Such an evaluation will be informed by additional review of data and further analysis. The Department will continue to assess whether specific technical standards are necessary and appropriate to assist covered entities with complying with the ADA.

Since the DOJ’s withdrawal, the number of lawsuits involving website accessibility increased dramatically, raising awareness regarding website accessibility among businesses but also causing confusion surrounding what features an ADA-compliant website should include. As a result, numerous website accessibility consulting companies emerged promising inexpensive solutions. However, some have been challenged in court.

In June 2018, some bipartisan members of the U.S. House of Representatives sent a letter to Attorney General Jeff Sessions encouraging the DOJ to release clear website accessibility regulations to diminish the unclear nature of current legislation. On September 25, 2018, the DOJ responded by stating that, at this time, the DOJ would not be issuing web accessibility regulations under the ADA: “The Department has consistently taken the position that the absence of a specific regulation does not serve as a basis for noncompliance with a statute’s requirements.”

In March 2022, the DOJ issued further web accessibility guidance under the ADA. The “new” guidance references both the WCAG – which are voluntary – and Section 508 standards, which set standards for federal websites, and indicates that the DOJ supports the notion that sites of public accommodation must be accessible, and in the absence of explicit regulations, websites can be flexible in how they choose to comply with the ADA’s requirements. However, the guidance does not clarify what such flexibility or choice entails and– not necessarily the direction regulation-seekers are looking for, since it provides no substantially new information regarding the vagueness of website accessibility requirements under the ADA.

Final Thoughts

As accessibility regulations for websites remain unclear, it can be easy for organizations to assume that they cannot be sued for noncompliance. However, with no specific standards to follow, law firms and other businesses must do their best to interpret the ADA, practice website accessibility as they see fit, and try to avoid website accessibility-related lawsuits.

One more thing to consider: ambiguity runs both ways, and even though an organization might think its website is accessible, a disabled person might think otherwise, providing the grounds for a lawsuit. Organizations aren’t granted immunity simply because of a lack of clarity in legislation. Instead, uncertainty allows for interpretation by anyone, including the courts.

This article was authored by Jan Hill of Lawmatics.

For more business of law legal news, click here to visit the National Law Review.

©2022 — Lawmatics

Ankura Cyber Threat Intelligence Bulletin: August – September 2022

Over the past sixty days, Ankura’s Cyber Threat Investigations & Expert Services (CTIX) Team of analysts has compiled key learnings about the latest global threats and current cyber trends into an in-depth report: The Cyber Threat Intelligence Bulletin. This report provides high-level executives, technical analysts, and everyday readers with the latest intel and insights from our expert analysts.

Download the report for an in-depth look at the key cyber trends to watch and help safeguard your organization from constantly evolving cyber threats with the latest cyber intelligence, ransomware, and threat insights.

 Our latest report explains the following observations in detail:

Law Enforcement Works with Threat Intelligence to Prosecute Human Traffickers

In the age of high-speed internet and social media, criminals have evolved to use information technology to bolster their criminal enterprises and human traffickers are no different. Whether it be through the clearnet or dark web, human traffickers have leveraged the internet to scale their operations, forcing law enforcement to reevaluate how to best combat this problem. In response to the changes in trafficker tactics, techniques, and procedures (TTPs), governments across the world have responded with legislation and policies in an attempt to better thwart the efforts of these criminals. Researchers from Recorded Future’s Insikt Group have published compelling reports as a proof-of-concept (PoC) for a methodology on how law enforcement agencies and investigators can utilize real-time threat intelligence to leverage sources of data in order to aid in tracking, mitigating, and potentially prosecuting human sex traffickers. Download the full report for additional details on law enforcement efforts to prosecute human traffickers and more on the Insikt Group’s findings.

Emerging Threat Organization “MONTI”: Sister Organization or Imposter Threat Group?

Over the past several weeks a new, potentially imposter, threat organization has mimicked the tactics, techniques, procedures (TTPs), and infrastructure of the Conti Ransomware Group. Tracked as MONTI, this doppelganger organization emerged in the threat landscape in July 2022 after compromising a company and encrypting approximately twenty (20) hosting devices and a multi-host VMWare ESXi instance tied to over twenty (20) additional servers. While the July attack pushed the group into the limelight, analysts believe that attacks from the doppelganger organization go back even further into the early summer of 2022. Similarities discovered between Conti Ransomware and the alleged spinoff Monti Ransomware include attack TTPs alongside the reuse of Conti-attributed malicious payloads, deployed tools, and ransom notes. Additionally, the encrypted files exfiltrated by Monti contain nearly identical encryption, which could indicate code re-usage. Read the full report to find out what CTIX analysts expect to see from this group in the future.

Figure 1: Conti Ransom Note

Figure 2: Monti Ransom Note

Iranian State-Sponsored Threat Organization’s Attack Timeline Targeting the Albanian Government

In July 2022, nation-state Iranian threat actors, identified by the FBI as “Homeland Justice”, launched a “destructive cyber-attack” against the Government of NATO-member Albania in which the group acquired initial access to the victim network approximately fourteen (14) months before (May of 2021). During this period, the threat actors continuously accessed and exfiltrated email content. The peak activity was observed between May and June of 2022, where actors conducted lateral movements, network reconnaissance, and credential harvesting.

This attack and eventual data dumps were targeted against the Albania-based Iranian dissident group Mujahideen E-Khalq (MEK), otherwise known as the People’s Mojahedin Organization of Iran. MEK is a “controversial Iranian resistance group” that was exiled to Albania and once listed by the United States as a Foreign Terrorist Organization for activity in the 1970s but was later removed in late 2012. Albania eventually severed diplomatic ties with Iran on September 7, 2022, and is suspected to be the first country to ever have done so due to cyber-related attacks. For a more detailed analysis of this attack and its ramifications, download our full report.

 Figure: Homeland Justice Ransom Note Image

Banning Ransomware Payments Becomes Hot-Button Issue in State Legislature

There is a debate occurring in courtrooms across the United States regarding the ethics and impacts of allowing businesses to make ransomware payments. North Carolina and Florida have broken new ground earlier this year passing laws that prohibit state agencies from paying cyber extortion ransom demands. While these two (2) states have been leading the way in ransomware laws, at least twelve (12) other states have addressed ransomware in some way, adding criminal penalties for those involved and requiring public entities to report ransomware incidents. Download the full report to discover what experts think of government ransomware payment bans and the potential effects they could have on ransomware incidents.

Threat Actor of the Month: Worok

ESET researchers discovered a new cluster of the long-active TA428 identified as “Worok.” TA428 is a Chinese advanced persistence threat (APT) group first identified by Proofpoint researchers in July 2019 during “Operation LagTime IT”, a malicious attack campaign targeted against government IT agencies in East Asia. Download the full report for an in-depth look at Worok’s tactics and objectives, and insights from our analysts about the anticipated future impact of this group.

New List of Trending Indicators of Compromise (IOCs)

IOCs can be utilized by organizations to detect security incidents more quickly as indicators may not have otherwise been flagged as suspicious or malicious. Explore our latest list of technical indicators of compromise within the past sixty (60) days that are associated with monitored threat groups and/or campaigns of interest.

Article By Ted Theisen and Jason Hale of Ankura

For more data privacy and cybersecurity legal news, click here to visit the National Law Review.

Copyright © 2022 Ankura Consulting Group, LLC. All rights reserved.

AUVSI and DOD’s Defense Innovation Unit Announce Collaboration for Cyber Standards for Drones

The Association for Uncrewed Vehicle Systems International (AUVSI), the world’s leading trade association for drones and other autonomous vehicles, announced a collaboration with the Department of Defense’s (DOD) Defense Innovation Unit (DIU) to further commercial cyber methodologies to design a shared standard. AUVSI’s effort is meant to expand the number of vetted drones that meet congressional and federal agency drone security requirements.

This pilot program would extend relevant cyber-credentialing across the U.S. industrial base and assist the DOD and other government entities in streamlining and accelerating drone capabilities across the board. Overall, this collaboration will help make the drone industry more secure. The program will work with numerous cybersecurity firms to conduct technical cyber assessments before the DIU, DOD, and other government entities conduct additional vetting as necessary.

Currently, the Blue UAS (Unmanned Aircraft Systems) Cleared List has 14 drones on it and 13 more drones are scheduled to be added. The Blue UAS Cleared List is routinely updated and contains a list of DOD-approved drones for government users. These drones are section 848 FY20 NDAA compliant, validated as cyber-secure and safe to fly, and are available for government purchase and operation. However, even with these additions, the demand for additional cleared drones with new capabilities and technology has outpaced the DIU’s ability to scale the program. This collaboration seeks to close that gap and offer cybersecurity certification in close cooperation with the DIU. With off-the-shelf drones serving as critical tools to help conduct diverse government operations, partnership with AUVSI and cybersecurity experts will make it easier for government users to use commercial technology and achieve effective operations in a secure manner.

Article By Kathryn M. Rattigan of Robinson & Cole LLP

For more cybersecurity and data privacy news, click here to visit the National Law Review.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

The Top 10 Do’s and Don’ts of Selling a Cell Lease

When you sell a cell lease, in addition to assigning the lease and rents to the purchaser, you also sell the purchaser the right to put communications antennas on your property for 50 years or more. Done properly, this can be very advantageous, but if done improperly, the right, coupled with its lengthy term, can be harmful, especially for valuable properties.

While the intricacies of such sales should be left to professionals (the sale documents are often 15-20 pages long to protect the property owner), here is a short list of items unique to cell lease sales which property owners should keep in mind. This list is based on years of experience helping clients sell over 100 leases.

  1. Sell the cell lease first if you will be selling the property with the lease. Recently, leases have sold for around 20 times annual revenues. Done properly, a lease sale will add dollar for dollar to the sales price of the property it’s on.
  2. Don’t use the documents from the purchaser without extensively revising them (we often toss them out and use our own documents). They are usually so overreaching that using them “as is” can reduce or destroy the value of the property with the lease.
  3. Include provisions protecting the future use, development and value of the property with the lease.
  4. Have a relocation provision so you can require the leased area to be moved to another location on the property if needed for the maintenance, repair or redevelopment of the property.

The following items are particularly important for areas where the leased space is on a building rather than for a tower on open land. Buildings are generally much more valuable than open land (so the potential harm from bad terms is greater), there often are two or more parcels being leased (equipment on the ground, antennas on the roof, cables in between) and property owners need to be specific on the rights being sold and retained.

  • Clearly describe, with engineering drawings if needed, the areas of the building the purchaser can use.
  • Spell out the types of communications uses the purchaser can conduct and the equipment it may place in these areas.
  • Also spell out the rights the building owner and tenants retain to use these same areas (as well as other parts of the building) for their antennas, HVAC, elevators, etc.
  • Describe the types of communications uses and radios that the building owner, residents and tenants have retained and do not violate the sale.
  • Attach engineering drawings showing the equipment currently on the building.
  • Require landlord approval of changes to the preceding and the reasons the approval can be withheld.

Article By John W. Pestle and Peter A. Schmidt of Varnum LLP

For more communications, media, and internet legal news, click here to visit the National Law Review.

© 2022 Varnum LLP

White House Office of Science and Technology Policy Releases “Blueprint for an AI Bill of Rights”

On October 4, 2022, the White House Office of Science and Technology Policy (“OSTP”) unveiled its Blueprint for an AI Bill of Rights, a non-binding set of guidelines for the design, development, and deployment of artificial intelligence (AI) systems.

The Blueprint comprises of five key principles:

  1. The first Principle is to protect individuals from unsafe or ineffective AI systems, and encourages consultation with diverse communities, stakeholders and experts in developing and deploying AI systems, as well as rigorous pre-deployment testing, risk identification and mitigation, and ongoing monitoring of AI systems.

  2. The second Principle seeks to establish safeguards against discriminative results stemming from the use of algorithmic decision-making, and encourages developers of AI systems to take proactive measures to protect individuals and communities from discrimination, including through equity assessments and algorithmic impact assessments in the design and deployment stages.

  3.  The third Principle advocates for building privacy protections into AI systems by default, and encourages AI systems to respect individuals’ decisions regarding the collection, use, access, transfer and deletion of personal information where possible (and where not possible, use default privacy by design safeguards).

  4. The fourth Principle emphasizes the importance of notice and transparency, and encourages developers of AI systems to provide a plain language description of how the system functions and the role of automation in the system, as well as when an algorithmic system is used to make a decision impacting an individual (including when the automated system is not the sole input determining the decision).

  5. The fifth Principle encourages the development of opt-out mechanisms that provide individuals with the option to access a human decisionmaker as an alternative to the use of an AI system.

In 2019, the European Commission published a similar set of automated systems governance principles, called the Ethics Guidelines for Trustworthy AI. The European Parliament currently is in the process of drafting the EU Artificial Intelligence Act, a legally enforceable adaptation of the Commission’s Ethics Guidelines. The current draft of the EU Artificial Intelligence Act requires developers of open-source AI systems to adhere to detailed guidelines on cybersecurity, accuracy, transparency, and data governance, and provides for a private right of action.

For more Technology Legal News, click here to visit the National Law Review.
Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Federal Agencies Announce Investments and Resources to Advance National Biotechnology and Biomanufacturing Initiative

As reported in our September 13, 2022, blog item, on September 12, 2022, President Joseph Biden signed an Executive Order (EO) creating a National Biotechnology and Biomanufacturing Initiative “that will ensure we can make in the United States all that we invent in the United States.” The White House hosted a Summit on Biotechnology and Biomanufacturing on September 14, 2022. According to the White House fact sheet on the summit, federal departments and agencies, with funding of more than $2 billion, will take the following actions:

  • Leverage biotechnology for strengthened supply chains: The Department of Health and Human Services (DHHS) will invest $40 million to expand the role of biomanufacturing for active pharmaceutical ingredients (API), antibiotics, and the key starting materials needed to produce essential medications and respond to pandemics. The Department of Defense (DOD) is launching the Tri-Service Biotechnology for a Resilient Supply Chain program with a more than $270 million investment over five years to turn research into products more quickly and to support the advanced development of biobased materials for defense supply chains, such as fuels, fire-resistant composites, polymers and resins, and protective materials. Through the Sustainable Aviation Fuel Grand Challenge, the Department of Energy (DOE) will work with the Department of Transportation and the U.S. Department of Agriculture (USDA) to leverage the estimated one billion tons of sustainable biomass and waste resources in the United States to provide domestic supply chains for fuels, chemicals, and materials.
  • Expand domestic biomanufacturing: DOD will invest $1 billion in bioindustrial domestic manufacturing infrastructure over five years to catalyze the establishment of the domestic bioindustrial manufacturing base that is accessible to U.S. innovators. According to the fact sheet, this support will provide incentives for private- and public-sector partners to expand manufacturing capacity for products important to both commercial and defense supply chains, such as critical chemicals.
  • Foster innovation across the United States: The National Science Foundation (NSF) recently announced a competition to fund Regional Innovation Engines that will support key areas of national interest and economic promise, including biotechnology and biomanufacturing topics such as manufacturing life-saving medicines, reducing waste, and mitigating climate change. In May 2022, USDA announced $32 million for wood innovation and community wood grants, leveraging an additional $93 million in partner funds to develop new wood products and enable effective use of U.S. forest resources. DOE also plans to announce new awards of approximately $178 million to advance innovative research efforts in biotechnology, bioproducts, and biomaterials. In addition, the U.S. Economic Development Administration’s $1 billion Build Back Better Regional Challenge will invest more than $200 million to strengthen America’s bioeconomy by advancing regional biotechnology and biomanufacturing programs.
  • Bring bioproducts to market: DOE will provide up to $100 million for research and development (R&D) for conversion of biomass to fuels and chemicals, including R&D for improved production and recycling of biobased plastics. DOE will also double efforts, adding an additional $60 million, to de-risk the scale-up of biotechnology and biomanufacturing that will lead to commercialization of biorefineries that produce renewable chemicals and fuels that significantly reduce greenhouse gas emissions from transportation, industry, and agriculture. The new $10 million Bioproduct Pilot Program will support scale-up activities and studies on the benefits of biobased products. Manufacturing USA institutes BioFabUSA and BioMADE (launched by DOD) and the National Institute for Innovation in Manufacturing Biopharmaceuticals (NIIMBL) (launched by the Department of Commerce (DOC)) will expand their industry partnerships to enable commercialization across regenerative medicine, industrial biomanufacturing, and biopharmaceuticals.
  • Train the next generation of biotechnologists: The National Institutes of Health (NIH) is expanding the Innovation Corps (I-Corps™), a biotech entrepreneurship bootcamp. NIIMBL will continue to offer a summer immersion program, the NIIMBL eXperience, in partnership with the National Society for Black Engineers, which connects underrepresented students with biopharmaceutical companies, and support pathways to careers in biotechnology. In March 2022, USDA announced $68 million through the Agriculture and Food Research Initiative to train the next generation of research and education professionals.
  • Drive regulatory innovation to increase access to products of biotechnology: The Food and Drug Administration (FDA) is spearheading efforts to support advanced manufacturing through regulatory science, technical guidance, and increased engagement with industry seeking to leverage these emerging technologies. For agricultural biotechnologies, USDA is building new regulatory processes to promote safe innovation in agriculture and alternative foods, allowing USDA to review more diverse products.
  • Advance measurements and standards for the bioeconomy: DOC plans to invest an additional $14 million next year at the National Institute of Standards and Technology for biotechnology research programs to develop measurement technologies, standards, and data for the U.S. bioeconomy.
  • Reduce risk through investing in biosecurity innovations: DOE’s National Nuclear Security Administration plans to initiate a new $20 million bioassurance program that will advance U.S. capabilities to anticipate, assess, detect, and mitigate biotechnology and biomanufacturing risks, and will integrate biosecurity into biotechnology development.
  • Facilitate data sharing to advance the bioeconomy: Through the Cancer Moonshot, NIH is expanding the Cancer Research Data Ecosystem, a national data infrastructure that encourages data sharing to support cancer care for individual patients and enables discovery of new treatments. USDA is working with NIH to ensure that data on persistent poverty can be integrated with cancer surveillance. NSF recently announced a competition for a new $20 million biosciences data center to increase our understanding of living systems at small scales, which will produce new biotechnology designs to make products in agriculture, medicine and health, and materials.

A recording of the White House summit is available online.

Article By Lynn L. Bergeson and Carla N. Hutton of Bergeson & Campbell, P.C.

For more environmental, energy, and resources legal news, click here to visit the National Law Review.

©2022 Bergeson & Campbell, P.C.

6 Tips to Better Organization for Lawyers

Practicing law involves managing countless details and deadlines. For this reason, organization for lawyers can become a challenge for many lawyers in a high-paced law firm juggling various projects.

Without essential organization skills or resources to support the workload, it’s easy for information or tasks to innocently fall through the cracks. Adversely, this can leave lawyers feeling burnout or overwhelmed which could lead to a deterioration of quality of service, impacting overall client satisfaction.

Maintaining organization for lawyers is more than having pristine files and an uncluttered office — it includes critical skills like strategic planning, time management, and task prioritization.

Why Do Lawyers Struggle with Organization?

For years, lawyers were often depicted as busy professionals constantly shuffling through papers and running to the courthouse. Remote work and the rise in legal technology have certainly modernized a lawyer’s day-to-day activities, but that doesn’t mean those tasks are necessarily organized.

Lawyers have a lot to manage in a high-stress, high-performance environment. Often, this can lead to a system of organization that’s known only to the lawyer — billable hours written on sticky notes, case files interspersed with other papers, and deadlines tracked on a notepad. To avoid chaos, here are a few tips to have a more organized work life.

Organization for Lawyers: 6 Tips

Maintain an Organized Workspace

There’s no right or wrong way to set up an office or workspace, but it should work for you. That said, clutter can be a barrier to organization. Keep your desk tidy and free of clutter. Put away anything you’re not working on right now and gather loose documents and file them.

If your law firm relies on paper, consider the benefits of transitioning to a digital process. Lawyers have traditionally dealt with mass amounts of paper which can lead to disorganization and hinder productivity. Limiting the amount of paper you use in your day-to-day with a digital filing system will greatly improve the accessibility you have to the work you need.

Establish a Routine

While we all have the same amount of hours in the day, the way we use them directly impacts our productivity.

Highly productive people often start the day with a priority to-do list that reflects the tasks that absolutely must get done that day. The rest are tasks that you could do, if you have time, to get a jump on the next day’s work.

When you’re planning your routine, be sure to leave time to make calls and emails, take a break, and have lunch. Before signing off for the day, take a few minutes to create your priority to-do list for the next day.

Block Time

We’re more connected than ever before, which comes with the pressure to stay in touch with work colleagues, family, and friends at all times. Our devices can become a source of distraction instead of productivity at work.

This is where blocking time comes in handy. For some, using time blocks and a calendar is more effective than to-do lists. Use your calendar as a time-blocking tool and divide your day into different blocks of time, each with a specific task.

Improve Time Management

Lawyers often find themselves struggling to balance time spent on non-billable administrative tasks and their caseload.

Fortunately, legal project management tools can help with time management, time tracking, and overall organization, with project management features to manage your caseload along with time tracking and billing functionalities. The right platform allows you to separate time and expenses, add notes or related files, collaborate with colleagues, and set customizable notifications to ensure you’re focused on the highest-priority tasks.

Commit to Better Communication

One of the casualties of disorganization is a reduction in client satisfaction. This can be due to a decrease in the quality of service a lawyer provides because they’re so busy.

A simple way to combat this is by blocking time, but also leveraging modern technology to streamline your communication. Features like client portals are a way for clients to feel connected to your firm while also having on-demand access to the information they need.

Track Time in Real Time

When you’re shuffling between cases, it can be easy to lose track of your billable time. This is why it’s important to have resources that allow lawyers to work as they go without having to guess how many hours they spent on a client.

Neither overestimating nor underestimating billable hours is good for a law firm. If you overestimate your time, you could be in violation of the American Bar Association’s Rule 1.5 on billing and fees. If you underestimate your time, you’re leaving money on the table for valuable services you’ve provided to your client.

Tracking time in real-time is important for accuracy and your organization’s well-being. Time tracking tools allow you to set timers on your laptop, tablet, smartphone, or desktop.

Proper timekeeping not only helps you stay organized and bill accurately, but it helps you identify where you could improve your time management and productivity to get more accomplished in your day.

How Legal Technology Keeps Lawyers Organized

Law practice management software offers plenty of tools to help you stay organized. Time tracking, project management, and document management tools ensure you can organize files, plan your calendar and tasks, communicate with clients, and track time to improve your productivity from anywhere.

Organized Lawyers Are an Asset

Firms and clients realize the value of having modern processes to assist lawyers with staying on top of tasks and deadlines. It may not happen overnight, but taking steps toward better organization with tools like law practice management software will improve your efficiency and productivity.

This article was authored by Nina Lee of Bill4Time.

For more law office management news updates, click here to visit the National Law Review.

©2006-2022, BILL4TIME. ALL RIGHTS RESERVED.