WW International to Pay $1.5 Million Civil Penalty for Alleged COPPA Violations

In 2014, with childhood obesity on the rise in the United States, tech company Kurbo, Ltd. (Kurbo) marketed a free app for kids that, according to the company, was “designed to help kids and teens ages 8-17 reach a healthier weight.” When WW International (WW) (formerly Weight Watchers) acquired Kurbo in 2018, the app was rebranded “Kurbo by WW,” and WW continued to market the app to children as young as eight. But according to the Federal Trade Commission (FTC), Kurbo’s privacy practices were not exactly child-friendly, even if its app was. The FTC’s complaint, filed by the Department of Justice (DOJ) last month, claims that WW’s notice, data collection, and data retention practices violated the Children’s Online Privacy Protection Act Rule (COPPA Rule). WW and Kurbo, under a stipulated order, agreed to pay a $1.5 million civil penalty in addition to complying with a range of injunctive provisions. These provisions include, but are not limited to, deleting all personal information of children whose parents did not provide verifiable parental consent in a specified timeframe, and deleting “Affected Work Product” (defined in the order to include any models or algorithms developed in whole or in part using children’s personal information collected through the Kurbo Program).

Complaint Background

The COPPA Rule applies to any operator of a commercial website or online service directed to children that collects, uses, and/or discloses personal information from children and to any operator of a commercial website or online service that has actual knowledge that it collects, uses, and/or discloses personal information from children. Operators must notify parents and obtain their consent before collecting, using, or disclosing personal information from children under 13.

The complaint states that children enrolled in the Kurbo app by signing up through the app or having a parent do it on their behalf. Once on Kurbo, users could enter personal information such as height, weight, and age, and the app then tracked their weight, food consumption, and exercise. However, the FTC alleges that Kurbo’s age gate was porous, requiring no verification process to establish that children who affirmed they were over 13 were the age they claimed to be or that users asserting they were parents were indeed parents. In fact, the complaint alleges that the registration area featured a “tip-off” screen that gave visitors just two choices for registration: the “I’m a parent” option or the “I’m at least 13” option. Visitors saw the legend, “Per U.S. law, a child under 13 must sign up through a parent” on the registration page featuring these choices. In fact, thousands of users who indicated that they were at least 13 were younger and were able to change their information and falsify their real age. Users who lied about their age or who falsely claimed to be parents were able to continue to use the app. In 2020, after a warning from the FTC, Kurbo implemented a registration screen that removed the legend and the “at least 13” option. However, the new process failed to provide verification measures to establish that users claiming to be parents were indeed parents.

Kurbo’s notice of data collection and data retention practices also fell short. The COPPA Rule requires an operator to “post a prominent and clearly labeled link to an online notice of its information practices with regard to children on the home or landing page or screen of its Web site or online service, and, at each area of the Web site or online service where personal information is collected from children.” But beginning in November 2019, Kurbo’s notice at registration was buried in a list of hyperlinks that parents were not required to click through, and the notice failed to list all the categories of information the app collected from children. Further, Kurbo did not comply with the COPPA Rule’s mandate to keep children’s personal information only as long as reasonably necessary for the purpose it was collected and then to delete it. Instead, the company held on to personal information indefinitely unless parents specifically requested its removal.

Stipulated Order

In addition to imposing a $1.5 million civil penalty, the order, which was approved by the court on March 3, 2022, requires WW and Kurbo to:

  • Refrain from disclosing, using, or benefitting from children’s personal information collected in violation of the COPPA Rule;
  • Delete all personal information Kurbo collected in violation of the COPPA Rule within 30 days;
  • Provide a written statement to the FTC that details Kurbo’s process for providing notice and seeking verifiable parental consent;
  • Destroy all affected work product derived from improperly collecting children’s personal information and confirm to the FTC that deletion has been carried out;
  • Delete all children’s personal information collected within one year of the user’s last activity on the app; and
  • Create and follow a retention schedule that states the purpose for which children’s personal information is collected, the specific business need for retaining such information, and criteria for deletion, including a set timeframe no longer than one year.

Implications of the Order

Following the U.S. Supreme Court’s decision in AMG Capital Management, LLC v. Federal Trade Commission, which halted the FTC’s ability to use its Section 13(b) authority to seek monetary penalties for violations of the FTC Act, the FTC has been pushing Congress to grant it greater enforcement powers. In the meantime, the FTC has used other enforcement tools, including the recent resurrection of the agency’s long-dormant Penalty Offense Authority under Section 5(m)(1)(B) of the FTC Act and a renewed willingness to use algorithmic disgorgement (which the FTC first applied in the 2019 Cambridge Analytica case).

Algorithmic disgorgement involves “requir[ing] violators to disgorge not only the ill-gotten data, but also the benefits—here, the algorithms—generated from that data,” as then-Acting FTC Chair Rebecca Kelly Slaughter stated in a speech last year. This order appears to be the first time algorithmic disgorgement was applied by the Commission in an enforcement action under COPPA.

Children’s privacy issues continue to attract the attention of the FTC and lawmakers at both federal and state levels. Companies that collect children’s personal information should be careful to ensure that their privacy policies and practices fully conform to the COPPA Rule.

Article By Sheila A. Millar and Tracy P. Marshall of Keller and Heckman LLP

For more privacy and cybersecurity legal news, click here to visit the National Law Review.

© 2022 Keller and Heckman LLP

Four Indicted for $16 Million Money Laundering Scheme

Four Indicted for $16 Million Money Laundering Scheme

On March 23, 2022, an indictment was unsealed in the Western District of Arkansas, charging four men for their involvement in wire fraud and money laundering schemes involving fake investment offerings amounting to an alleged $16 million.

According to court documents, the four men allegedly engaged in an investment fraud scheme between 2013 and 2021 in which they falsely represented the nature of their investment offerings and promised large returns, which they could not and did not yield. The indictment also alleges that two of the defendants encouraged victims to send their funds to bank accounts controlled by the other two defendants, and then transferred the money through a complex series of accounts worldwide.

The defendants were charged with wire fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. One defendant was further charged with money laundering. If convicted, the men will face up to 20 years in prison for each count. The additional count of money laundering carries an additional sentence of up to 10 years.

The DOJ press release can be found here.

California Man Pleads Guilty To Stealing Government COVID-19 Relief Funds

On March 18, 2022, a California man pleaded guilty in the Central District of California to misappropriating COVID-19 relief funds obtained through the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

Under the CARES Act Provider Relief Fund, CARES Act health care providers who were financially harmed by the impact of the COVID-19 pandemic are granted federal funds to provide care to patients suffering from COVID-19. According to court documents, the defendant admitted he owned a hospice agency in North Hollywood that was never operational during the COVID-19 pandemic, yet he received approximately $89,162 designated for the medical treatment and care of COVID-19 patients. The defendant admitted he misappropriated the CARES Act funds by spending them for his personal use and then transferring the funds to family members, including one family member in Armenia, rather than using the funds in any way related to the pandemic relief efforts as required.

As part of his guilty plea, the defendant further admitted that he submitted five Economic Injury Disaster Loan (EIDL) applications to the Small Business Administration (SBA) on behalf of his hospice agency and four other entities he controlled. As a result of his fraudulent applications, the SBA disbursed approximately $428,100 in EIDL funds to the man, which he used for his benefit against EIDL requirements.

The man pleaded guilty to three counts of theft of government property and is scheduled to be sentenced on June 13, facing up to 10 years in prison for each count.

The DOJ press release can be found here.

New Jersey Man Convicted for Fraudulently Obtaining US Visas for Chinese Government Employees

On March 23, 2022, a New Jersey man was convicted by a federal jury of one count of conspiracy to defraud the United States and to commit visa fraud for his participation in a conspiracy to fraudulently obtain United States visas for Chinese government employees.

According to court documents, the defendant was involved in a scheme to fraudulently obtain J-1 research scholar visas for employees of the government of the People’s Republic of China (PRC) to allow them to covertly work for the PRC government while in the United States. The defendant operated an office of the China Association for the International Exchange of Personnel (CAIEP), an agency of the PRC government, in New Jersey that seeks to recruit US scientists, academics, engineers, and other experts for the PRC.

The J-1 research scholar program allows foreign nationals to visit the United States to conduct research at a corporate research facility, library, museum, university, or other research institution. The defendant allegedly worked to obtain a J-1 research scholar visa for a prospective employee based on the false representation that the employee would conduct research at a United States university, to conceal unlawful work of another employee who was present in the United States on a J-1 visa sponsored by a US university. The two employees represented to the US government that they were entering the US for the primary purpose of conducting research at US universities, but their actual purpose consisted of working for the CAIEP. The defendant reported the employee’s arrival to the United States to the US universities, procured a local driver’s license for her and disguised her CAIEP salary as a subsidy for research scholar living expenses to make her presence as a research scholar appear legitimate.

As a result of his conviction, the defendant faces a maximum sentence of five years; he is scheduled to be sentenced on July 11.

The Department of Justice (DOJ) press release can be found here.

UPS To Pay $5.3 Million for False Claims Act Allegations

On March 21, 2022, the DOJ announced that United Parcel Service Inc. (UPS) agreed to pay approximately $5.3 million to settle allegations that the company falsely reported information about the transfer of U.S. mail to foreign posts or other intended recipients under contracts with the U.S. Postal Service (USPS), in violation of the False Claims Act (FCA).

UPS was engaged by USPS to pick up U.S. mail at various locations and deliver it to its international and domestic destinations. As a condition of payment, UPS was required to submit electronic scans to USPS to report when the mail was delivered, and there were specified penalties for mail that was delivered late or to the wrong location. The settlement resolves allegations that scans submitted by UPS were falsified times and that UPS, in fact, transferred possession of the mail.

According to DOJ, this is the fifth civil settlement involving air carrier liability for false delivery scans under the USPS International Commercial Air Contracts, pursuant to which the United States has recovered more than $70 million.

The DOJ press release can be found here.

Article By D. Jacques Smith, Randall A. Brater, Mattie Bowden, and Rebecca W. Foreman of ArentFox Schiff LLP

For more white collar crime legal news, click here to visit the National Law Review.

© 2022 ArentFox Schiff LLP

New UK IDTA and Addendum Come Into Force

The new UK International Data Transfer Agreement (“IDTA”) and Addendum to the new 2021 EU Standard Contract Clauses (“New EU SCCs”) are now in force (as of the 21 March 2022), providing much needed certainty for UK organisations transferring personal data to service providers and group companies based outside of the UK/EEA.

The IDTA and Addendum replace the old EU Standard Contractual Clauses  (“Old EU SCCs”) for use as a UK GDPR-compliant transfer tool for restricted transfers from the UK, which also enables UK data exporters to comply with the European Court of Justice’s ‘Schrems II’ judgement.

For new UK data transfer arrangements or where UK organisations are in the process of reviewing their existing arrangements, use of the new ITDA or Addendum would be the best option to seek to future proof against the need to replace them in 2 years’ time.

Where the data flows involve transfers of personal data from both the UK and the EU, the use of the Addendum alongside the New EU SCCs, will enable organisations to implement a more harmonised solution.

To view copies of the documents please follow the links below:

To read our previous blog post on this topic, click here.

Article By Francesca Fellowes of Squire Patton Boggs (US) LLP. Hannah-Mei Grisley also contributed to this article.

For more data privacy legal news, click here to visit the National Law Review.

© Copyright 2022 Squire Patton Boggs (US) LLP

Fleeing Ukrainians to Get More Help From United States

The United States has joined many European countries that are opening their doors and offering humanitarian assistance to fleeing Ukrainians.

Ireland, Great Britain and Canada have all started private sponsorship programs for Ukrainians. That assistance is not necessarily a one-way street. Easing the way for incoming Ukrainians may help those nations deal with their own labor shortages.

Ukraine is known for its skilled workforce, including tech engineers, and some companies in Europe are specifically targeting jobs for Ukrainians, offering everything from language training to child care to attract the refugees. Even temporary employment agencies are involved and new companies are being founded for the purpose of matching Ukrainians to jobs across Europe – jobs that run the gamut from highly skilled tech work, to healthcare aids, to retail and hospitality positions.

U.S. employers are generously offering humanitarian aid and donations to help Ukrainian refugees, but now those employers may be able to offer jobs to displaced Ukrainians seeking refuge. The Biden Administration will open various legal pathways that could include the refugee admissions program (which can lead to permanent residence through asylum, but is a long process), visas, and humanitarian parole (a temporary solution). The focus will be on Ukrainians with family in the United States or others considered to be particularly vulnerable. Approximately 1,000,000 people of Ukrainian descent currently live in the United States.

The administration originally believed that most Ukrainians did not want to flee to the United States because it was too far away from other family members who have remained in Ukraine. Secretary of State Antony Blinken had stated that the priority was to help European countries who are the dealing with huge waves for migration instead. But advocates have been arguing that the administration could create special status for Ukrainians to allow them to enter the U.S. or stay with family members.

In early March, the Biden Administration established Temporary Protected Status (TPS) for Ukrainians who have been in the United States continuously since March 1, 2022, but that did not help those who are still abroad. Visitor visas are hard to come by because applicants for visitor visas need to be able to show that their stay will be temporary and that they have a home to return to in Ukraine, and such temporary nonimmigrant visas may not meet that criterion or be practical in most of these situations. Moreover, consulates abroad are already overwhelmed and understaffed due to COVID-19.

While small numbers of Ukrainians have made it to the United States by finding private or family sponsors, this new policy should at least open the doors to some Ukrainians and likely make it possible for U.S. companies to hire some of the incoming refugees. They will need and want employment, but they will also need support.

Article By Forrest G. Read IV of Jackson Lewis P.C.

For more immigration-related legal news, click here to visit the National Law Review.

Jackson Lewis P.C. © 2022

HHS OIG Signs Off on Substance Use Recovery Incentive Program

On March 2, 2022, the Department of Health and Human Services (“HHS”) Office of the Inspector General (the “OIG”) issued a new advisory opinion (“AO 22-04”) related to a program through which the Requestor would provide certain individuals access to digital contingency management (“CM”) and related tools to treat substance use disorders (“Program”).  The OIG advised that it would not impose administrative sanctions under the Anti-Kickback Statute (“AKS”) or the Beneficiary Inducements Civil Monetary Penalty Law (“CMPL”).

The Requestor, a digital health company, offers a Program that uses smartphone and smart debit card technology to implement CM for individuals with substance use disorders, addressing aspects of these disorders “in ways that conventional counseling and medications often cannot.” The Requestor makes this technology available to individuals who meet certain requirements through contracts with a variety of entities, such as health plans, addiction treatment providers, employee assistance programs, research institutions, and other treatment providers (“Customers”).

Individuals (‘Members”) are Customer- or self-referred, and are subject to a structured interview using the American Society of Addiction Medicine Continuum Triage tool before participation in the Program. The Requestor’s enrollment specialist, under the guidance of a licensed clinical supervisor, determines the type of services and frequency of recovery coaching using an evidence-based, automated algorithm. The Program technology establishes the schedule of expected target behavioral health events, objectively validates whether each expected event has occurred, and, if it has, promptly disburses the exact, protocol-specified incentive to the Member, using (where appropriate) a progressive reinforcement schedule.

The Program is not limited to treatments or federally reimbursable services; it also includes, among other features, support groups, medication reminders, and appointment attendance verification. For those that do include federally reimbursable services, the Requestor advised that such services may be furnished by a Customer. Incentives from the Program are provided to Members via a “smart debit card.” The card includes “abuse and anti-relapse protections (e.g., it cannot be used at bars, liquor stores, casinos, or certain other locations nor can it be used to convert credit to cash at ATMs or gas stations)”, and allows the Requestor to monitor use. Incentives are capped at $200/month and $599/year; individual incentives are typically relatively small, at $1-$3.

The Requestor receives fees from Customers on either a flat monthly basis, per eligible, active Member, or a pay-for-performance model, in which Requestor is paid upon a Member achieving certain agreed-upon targets for abstinence. The Requestor certified that the aggregate fees are consistent with fair market value and do not vary based on the volume or value of business generated under federal health care programs. Instead, fees are based on the service configurations being purchased and the intensity of behavioral targets that are planned for each Member, as well as whether a member is low- or high-risk, and in or out of treatment.

OIG concluded that two stream of remuneration potentially implicate the AKS and CMPL.  First, Customers pay Requestor a fee to provide services, some of which could incentivize a Member to receive a federally billable service. Second, some of the fees Customers pay to Requestor get passed on to Members as CM Incentives for achieving certain behavioral health goals, some of which may involve services that could be billable to Federal health care programs (e.g., a counseling session) by a particular provider or supplier, which could be a Customer. OIG noted its longstanding concerns relating to the offer of incentives intended to induce beneficiaries to obtain federally reimbursable items and services, as such incentives could present significant risks of fraud and abuse.

The OIG concluded that the Program presents a minimal risk of fraud and abuse and declined to impose sanctions, providing four justifications –

  1. The Requestor certified that the Program is based in research, and provided evidence that CM is a “highly effective, cost-efficient treatment for individuals with substance use disorders.” Therefore, the OIG decided that, taken together with the other safeguards present in the Arrangement, the incentives in the Requestor’s Program serve as “part of a protocol-driven, evidence-based treatment program rather than an inducement to seek, or a reward for having sought, a particular federally reimbursable treatment.”
  2. The incentives offered through the Program have a relatively low value and a cap, and largely are unrelated to any federally payable services, especially as the Requestor is not enrolled in and does not bill to federal health care programs for Program services. Therefore, the OIG determined that the risk of the incentives “encouraging overutilization of federally reimbursable services is low.”
  3. The Requestor’s Customer base is not limited to entities that have an incentive to induce receipt of federally reimbursable services. While the OIG acknowledged that there may be instances where an incentive may be given for receiving a federally billable service, the fees do not vary based on volume or value of any federally reimbursable services, and the Customers do not have control of the Program. Therefore, the OIG determined that the risk is low an entity would become a Customer to “generate business or reward referrals.”
  4. Although the incentives loaded onto a smart debit card function as cash equivalents, the OIG found the safeguards included in the Arrangement sufficient to mitigate fraud and abuse concerns. The Requestor, which does not bill federal health care programs or have an incentive to induce overutilization, determines what services an individual needs and what incentives are attached. Additionally, the smart debit card has “anti-relapse protections”, which can signal possible need for intervention. Therefore, the OIG concluded that the remuneration in the form the smart debit card is sufficiently low risk.

AO 22-04 reflects HHS’s continued aims to increase flexibility around substance use disorder treatments.  Just two weeks before, HHS announced two grant programs, totaling $25.6 million, to expand access to medication-assisted treatment for opioid use disorder and prevent the misuse of prescription drugs. In a press release, HHS Secretary Xavier Becerra is quoted as saying, “At HHS we are committed to addressing the overdose crisis, and one of the ways we’re doing this is by expanding access to medication-assisted treatment and other effective, evidenced-based prevention and intervention strategies.” HHS’ “National Tour to Strengthen Mental Health” is intended to “hear directly from Americans across the country about the challenges they’re facing, and engage with local leaders to strength the mental health and crisis care in our communities”, focused on three aspects: mental health, suicide, and substance use. Further flexibilities should be anticipated in these areas as the Tour continues.

Anyone seeking treatment options for substance misuse should call SAMHSA’s National Helpline at 800-662-HELP (4357) or visit findtreatment.gov. If you or anyone you know is struggling with thoughts of suicide, please call the National Suicide Prevention Lifeline at 800-273-TALK (8255), or text the Crisis Text Line (text HELLO to 741741).

Article By Christine M. Clements and Theresa E. Thompson of Sheppard, Mullin, Richter & Hampton LLP

For more health law legal news, click here to visit the National Law Review.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.

DOJ Aggressively Targeting PPP Loan Recipients for Fraud: What Businesses Need to Know

More than five million businesses applied for emergency loans under the Paycheck Protection Program (PPP), and with a hurried implementation that prevented a full diligence process, it’s not surprising the program became a target for fraud. The government is now aggressively conducting investigations, employing both criminal and civil enforcement actions. On the civil lawsuit front, companies that received PPP loans should be aware of actions brought under the False Claims Act (FCA) and the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA). This advisory details some of the key points of these enforcement tools and what the government looks for when prosecuting fraudulent conduct.

How will PPP Loan Fraud Enforcement Under the FCA Work?

A company can be liable under the FCA if it knowingly presents a false or fraudulent claim for payment or approval to the government or uses a falsified record in the course of making a false claim. 31 U.S.C. § 3729(a)(1)(A), (B). The FCA allows the government to recover up to three times the amount of the damages caused by the false claims in addition to financial penalties of not less than (as adjusted for inflation) $12,537, and not more than $25,076 for each claim.

The FCA can be enforced by individuals through qui tam lawsuits. This means a private individual, known as a relator, can file a lawsuit on behalf of the government. When a qui tam case is filed, it remains confidential (under seal) while the government reviews the claim and decides whether to intervene in the case. If the lawsuit is successful, the relator is entitled to a portion of the reward.

The False Claims Act has been used to pursue fraud claims in connection with PPP loan applications. Any company that participated in the PPP by applying for a loan should retain documentation justifying all statements made on the loan application and evidencing how any funds obtained through the loans were utilized.

How will PPP Loan Fraud Enforcement Under FIRREA Work?

The government is also utilizing FIRREA in response to fraudulent conduct related to PPP loans. FIRREA is a “hybrid” statute, predicating civil liability on the government’s ability to prove criminal violations. The statute allows the government to recover penalties against a person who violates specifically enumerated criminal statutes such as bank fraud, making false statements to a bank, or mail or wire fraud “affecting a federally insured financial institution.” 12 U.S.C. §1833a.

To establish liability under FIRREA, the government does not have to prove any additional element beyond the violation of that offense and that the violation “affect[ed] a federally insured financial institution.” The government has invoked FIRREA in the context of PPP loan fraud by stating the fraud related to obtaining the loan falls under one or more of the predicate offenses set forth in the statute.

What Factors Determine PPP Loan Fraud Penalties Under FIRREA?

While the assessment of a penalty is mandatory under FIRREA, the amount of the penalty is left to the discretion of the court but may not exceed $1.1 million per offense. There is an exception to this maximum penalty, however, if the person against which the action is brought profited from the violation by more than $1.1 million. FIRREA then allows the government to collect the entire amount gained by the perpetrator through the fraud. The actual amount of the penalty is determined by the court after weighing several factors including:

  • The good or bad faith of the defendant and the degree of his/her knowledge of wrongdoing;
  • The injury to the public, and whether the defendant’s conduct created substantial loss or the risk of substantial loss to other persons;
  • The egregiousness of the violation;
  • The isolated or repeated nature of the violation;
  • The defendant’s financial condition and ability to pay;
  • The criminal fine that could be levied for this conduct;
  • The amount the defendant sought to profit through his fraud;
  • The penalty range available under FIRREA; and
  • The appropriateness of the amount considering the relevant factors.

The government favors utilizing FIRREA penalties to pursue fraud claims for several reasons. The statute of limitations provided in 12 U.S.C. §1833a(h) is 10 years, which is much longer than most civil statutes of limitations. The standard of proof required to impose penalties is preponderance of the evidence, rather than the higher “beyond a reasonable doubt” standard that must be met in a criminal prosecution.

Checklist for PPP Loan Recipients

A company that applied for COVID relief funds, such as PPP loans, should ensure they satisfy the eligibility requirements for obtaining the loan, confirm false statements were not made during the application, and review the rules set forth by the SBA for applying for PPP. The government has shown it is willing to pursue remedies under the FCA and FIRREA for fraudulent statements made regarding a PPP loan application.

Article By Ronald G. DeWaard, Gary J. Mouw, and Gage M. Selvius of Varnum LLP

For more white collar crime and business fraud legal news, click here to visit the National Law Review.

© 2022 Varnum LLP

Utah Becomes Fourth U.S. State to Enact Consumer Privacy Law

On March 24, 2022, Utah became the fourth state in the U.S., following California, Virginia and Colorado, to enact a consumer data privacy law, the Utah Consumer Privacy Act (the “UCPA”). The UCPA resembles Virginia’s Consumer Data Protection Act (“VCDPA”) and Colorado’s Consumer Privacy Act (“CPA”), and, to a lesser extent, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA/CPRA”). The UCPA will take effect on December 31, 2023.

The UCPA applies to a controller or processor that (1) conducts business in Utah or produces a product or service targeted to Utah residents; (2) has annual revenue of $25,000,000 or more; and (3) satisfies at least one of the following thresholds: (a) during a calendar year, controls or processes the personal data of 100,000 or more Utah residents, or (b) derives over 50% of its gross revenue from the sale of personal data, and controls or processes the personal data of 25,000 or more consumers.

As with the CPA and VCDPA, the UCPA’s protections apply only to Utah residents acting solely within their individual or household context, with an express exemption for individuals acting in an employment or commercial (B2B) context. Similar to the CPA and VCDPA, the UCPA contains exemptions for covered entities, business associates and protected health information subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and financial institutions or personal data subject to the Gramm-Leach-Bliley Act (“GLB”). As with the CCPA/CPRA and VCDPA, the UCPA also exempts from its application non-profit entities.

In line with the CCPA/CPRA, CPA and VCDPA, the UCPA provides Utah consumers with certain rights, including the right to access their personal data, delete their personal data, obtain a copy of their personal data in a portable manner, opt out of the “sale” of their personal data, and opt out of “targeted advertising” (as each term is defined under the law). Notably, the UCPA adopts the VCDPA’s more narrow definition of “sale,” which is limited to the exchange of personal data for monetary consideration by a controller to a third party. Unlike the CCPA/CPRA, CPA and VCDPA, the UCPA will not provide Utah consumers with the ability to correct inaccuracies in their personal data. Also unlike the CPA and VCDPA, the UCPA will not require controllers to obtain prior opt-in consent to process “sensitive data” (i.e., racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, medical or health information, genetic or biometric data, or geolocation data). It will, however, require controllers to first provide consumers with clear notice and an opportunity to opt out of the processing of his or her sensitive data. With respect to the processing of personal data “concerning a known child” (under age 13), controllers must process such data in accordance with the Children’s Online Privacy Protection Act. The UCPA will prohibit controllers from discriminating against consumers for exercising their rights.

In addition, the UCPA will require controllers to implement reasonable and appropriate data security measures, provide certain content in their privacy notices, and include specific language in contracts with processors.

Unlike the CCPA/CPRA, VCDPA and CPA, the UCPA will not require controllers to conduct data protection assessments prior to engaging in data processing activities that present a heightened risk of harm to consumers, or to conduct cybersecurity audits or risk assessments.

In line with existing U.S. state privacy laws, the UCPA does not provide for a private right of action. The law will be enforced by the Utah Attorney General.

Article By the Privacy and Cybersecurity Practice Group at Hunton Andrews Kurth

For more cybersecurity and data privacy legal news, click here to visit the National Law Review.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

So You Wanna Play with Copyright? “Joyful Noise” Ostinato Isn’t Original Expression

The US Court of Appeals for the Ninth Circuit affirmed a district court’s order vacating a jury award of damages for copyright infringement and granting judgment as a matter of law, explaining that the musical work alleged to have been copied did not qualify as an original work of authorship but consisted only of “commonplace musical elements.” Marcus Gray PKA Flame et al. v. Katheryn Elizabeth Hudson PKA Katy Perry et al., Case No. 20-55401 (9th Cir. Mar. 10, 2022) (Clifton, Smith, Watford, JJ.)

Key Definitions:

  • A musical scale is a sequence of musical notes or tones by pitch.
  • A subset of seven notes is called the minor scale and can be referred to with alphabetic names (A, B, C, etc.) or scale degrees (1, 2, 3, etc.).
  • An ostinato is a repeating musical figure (for example, 3-3-3-3-2-2).

In 2007, Marcus Gray (Flame) purchased an ostinato and used it in the song “Joyful Noise.” The song was released in 2008. While “Joyful Noise” did not achieve significant commercial success or airtime, it received millions of views online. In 2013, American singer-songwriter Katy Perry created “Dark Horse,” which was a hit, resulting in her performance at the Super Bowl halftime show in 2015.

The “Joyful Noise” ostinato consists of notes, represented as 3-3-3-3-2-2-2-1 and 3-3-3-3-2-2-2-6, whereas Dark Horse’s ostinato contains 3-3-3-3-2-2-1-5. Both have a uniform rhythm and equal note duration in time.

Plaintiffs sued Perry and her co-defendants for copyright infringement. Plaintiffs presented circumstantial evidence that the defendants had a reasonable opportunity to access “Joyful Noise” and that the ostinatos in both songs were substantially similar. Plaintiffs did not present direct evidence that Perry and the others had copied elements of the song, instead relying on testimony from their expert musicologist, Dr. Todd Decker.

Decker testified that the ostinatos were similar in many aspects, but he also testified that there was no single element that caused him to believe the ostinatos at issue were “substantially similar” when viewed “in isolation.” The jury also heard testimony from Perry’s expert, who disagreed altogether that the ostinatos were substantially similar.

The jury found that the defendants had a reasonable opportunity to hear “Joyful Noise” before composing “Dark Horse,” that the two songs contained substantially similar copyrightable expression and that “Dark Horse” used protected material from “Joyful Noise.” The jury found the defendants liable for copyright infringement and awarded $2.8 million in damages. The district court vacated the award and granted judgment as a matter of law to defendants, concluding that the evidence at trial was legally insufficient to show that the “Joyful Noise” ostinato was a copyrightable original expression. The plaintiffs appealed.

The Ninth Circuit explained that because the plaintiffs did not present any direct evidence that the defendants copied the “Joyful Noise” ostinato, they were required to show that the defendants had access to the work and that the ostinatos were substantially similar.

The Ninth Circuit began with its analysis of the “substantially similar” prong, employing a two-part test having “extrinsic” and “intrinsic” components. The Court noted that while it must refrain from usurping the jury’s traditional role of evaluating witness credibility and weighing the evidence, the extrinsic test requires that the Court ensure that the evidence of objective similarities between two works is legally sufficient to serve as the basis of a copyright infringement claim, regardless of the jury’s views. The Court explained that the substantial similarity test focuses on the protectable elements standing alone and disregards non-protectable elements.

To be a protectable element under copyright law, the “Joyful Noise” ostinato had to qualify as “original expression.” Based on the trial record, the Ninth Circuit found that the “Joyful Noise” ostinato consisted entirely of commonplace musical elements, and that the similarities between the two ostinatos did not arise out of an original combination of these elements. Without original expression, no element identified by Flame was individually copyrightable. For example, the Court noted that “the fact that Joyful Noise and Dark Horse both make use of sequences of eight notes played in an even rhythm is a trite musical choice outside the protection of copyright law.”

Finding the evidence presented at trial legally insufficient to establish that the musical elements were individually copyrightable, the Ninth Circuit determined that the jury’s verdict finding defendants liable for copyright infringement was unsupported by substantial evidence. Thus, the Court affirmed the trial court’s grant of judgment as a matter of law.

Article By Jodi Benassi of McDermott Will & Emery

For more intellectual property legal news, click here to visit the National Law Review. 

© 2022 McDermott Will & Emery

Will an Act of War Destroy Your Cyberinsurance Coverage?

Cyberinsurance spurs many complaints from US business. The cost is skyrocketing, retentions (deductibles) are rising quickly, and the insurance companies push their own panel lawyers on customers despite other relationships. Ransomware or email fraud can be excluded from some policies.

But news of significant hacks drives more companies into the cyberinsurance market despite the costs. According to Bloomberg, cyberinsurance prices rose nearly 100% in 2021 and keep climbing. Travelers Insurance, working to justify the leaping costs of its products, lists the following reasons for higher cybersecurity prices: a wave of ransomware, rising breach response costs (from forensic and legal experts to ransom payments and regulatory fines), increasing tech complexity and budgets, inadequate cybersecurity hygiene (which is why better controls can now lead to lower insurance prices), lack of advance response plans, and business interruption expenses. Shutting down business operations may be a way for criminals to force ransom payments, but it also creates an expensive risk reduction system, and all companies are suffering from it.

However, for the price of protection, you would expect your insurance company to pay to remediate a properly-reported cyberattack.  Property insurers have long excluded “acts of war” from insurable damage that would receive payments. Most cyberinsurance policies have similar exclusions. This leads insurance customers to wonder, in a world where hackers and ransomware gangs from Russia and Ukraine initiate a significant percentage of cyberattacks, when would those attacks be considered “acts of war” during a real shooting war? If your company is smacked with ransomware from a Russian crew associated with the Kremlin, will your insurance company exclude the costs from your cyberinsurance policy as an act of war?

Lloyds of London just released a set of new exclusion clauses for addressing cyber war. These clauses are for underwriters to consider placing in Lloyds insurance contracts, and “have been drafted to provide Lloyd’s syndicates and their (re)insureds (and brokers) with options in respect of the level of cover provided for cyber operations between states which are not excluded by the definition of war, cyber war or cyber operations which have a major detrimental impact on a state.” Lloyds specifies that the “act of war” exemption language applies to China, France, Japan, Russia, the U.K and the U.S.  The new clauses supply underwriters with extensive leeway to refuse to pay claims.Importantly, Lloyds can decide that the attack was an act of war even if the attackers do not declare themselves. Pending any government attribution of an attacker, Lloyds can decide through reasonable inference to attribute any attack to state activities, and therefor falling within the “act of war” exclusion.

Property insurers have long excluded “acts of war” from insurable damage that would receive payments. Most cyberinsurance policies have similar exclusions. This leads insurance customers to wonder, in a world where hackers and ransomware gangs from Russia and Ukraine initiate a significant percentage of cyberattacks, when would those attacks be considered “acts of war” during a real shooting war? If your company is smacked with ransomware from a Russian crew associated with the Kremlin, will your insurance company exclude the costs from your cyberinsurance policy as an act of war?

TED CLAYPOOLE

All hope is not lost for businesses relying on cyberinsurance. Courts tend to hold insurers to high standards when trying to avoid paying out claims due to broadly-defined exclusions. For example, earlier this year the Superior Court of New Jersey rules that insurers can’t use a nation-state “act of war” cyber-exclusion to avoid covering more than a billion dollars in damages that Merck claimed it suffered from the NotPetya cyberattack in 2017. According to Insurance Journal, “ The insurers had tried to use the exclusions to avoid paying out, citing the fact the NotPetya malware was attributed to Russia and was meant to be deployed to disrupt and destabilize Ukraine. The malware wound up affecting thousands of companies worldwide. . . The cyber attack also attracted the attention of regulatory scrutiny of so-called “silent cyber” exposure in all policies.” The court “unhesitatingly” ruled that war exclusions did not apply in this instance.

So an attack from Russian hackers in 2021 may be covered under most cyberinsurance policies, but what about an attack in March of 2022? Does the state of hostility between the U.S. and Russian – in which Putin has claimed that sanctions against Russia and providing arms to Ukraine is an act of war – mean that ransomware attacks from the same Russian hackers may be considered acts of war? For example, the Conti ransomware gang has officially announced its full support of the Russian government after the invasion of Ukraine and threatened to use all possible researches to attack both Ukraine and Western countries that might support Ukraine. It would be easy for US critical infrastructure businesses to be direct victims of attacks from Russians supporting the Kremlin, or to be indirect victims of attacks aimed at Ukraine that spread through open networks like NotPetya or other malicious viruses. Where would that leave an affected company if its insurance provider refuses to pay, claiming an “act of war” exclusion?

We simply don’t know many insurance companies will use these policy exclusions and will be allowed to do so by U.S. courts. But each of us should check our cyber insurance policies for exclusions that could be triggered by current international conflicts.

Beyond insurance, international cyberattacks have straddled the line between standard crime and acts of international state hostility. Since the internet connected our world electronically, our societies have not set rules about how public and private actors are allowed to behave toward each other. Brad Smith, the President of Microsoft, has called for a Digital Geneva Convention, so that the nations of the world can agree what acts of electronic aggression are acceptable in war and even which acts should be considered to be acts of war. Maybe the current crisis, where a long-existing state is invaded without provocation, may be the catalyst to discuss digital hostility and set some rules around what kinds of interactions will be tolerated by the international community.

For now, check your cyberinsurance policies.  For posterity, push our politicians to create baseline rules for the digital world.  We have promulgated the law of the sea and the law of space. We should create a law of cyberspace as well.

Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved.
For more articles on cyberinsurance for your workplace, visit the NLR Cybersecurity Media & FCC section.

The Rocky Waters of Absentee Ballots

This Legal Update will help you navigate through those rough waters involving absentee ballots.

Absentee Voting

No election issue seems to be more of a lightning rod over the past year than absentee voting. While voting absentee has always occurred, this alternative voting option has been thrust into the spotlight due to the COVID-19 pandemic and the public scrutiny onslaught since the 2020 Presidential Election.

Wisconsin has been at the forefront of a variety of conflicts over absentee voting. Presently, a lawsuit is pending before the Wisconsin Supreme Court concerning absentee voting and the use of ballot boxes, which are drop boxes some municipalities used to collect absentee ballots throughout the pandemic. In January 2022, a Waukesha County Circuit Court Judge ruled against the use of ballot boxes; however, the Wisconsin Court of Appeals stayed that Judge’s ruling due to the close proximity of the February 15, 2022, election primary. The Wisconsin Supreme Court then took over the case from the Court of Appeals and, on February 11, 2022, issued a temporary decision allowing ballot boxes for the February 15, 2022, primary but not the April 5, 2022 election. Local officials continue to wait for the Wisconsin Supreme Court’s final decision, which hopefully will provide greater legal direction for absentee ballots.

In the meantime, following are FAQs on the fundamentals for absentee voting.

Who is an absentee elector?

An absent elector is a qualified voter, but who is unable or unwilling to appear in person, at the polling place in his or her applicable ward or election district to vote. An individual can choose to vote absentee for any reason.

What are the qualifications for voting absentee?

Most registered Wisconsin voters can vote absentee by mail. The specific qualifications are: (1) be a U.S. citizen, (2) be at least 18 years old, and (3) have resided in their voting district for at least 28 days.

What is an absentee ballot?

An absentee ballot is used by an absent voter to cast their vote. The ballot is printed and sealed in an envelope, that then needs to be mailed or hand-delivered to the municipal clerk. The municipal clerk will ensure that the absentee ballot is received by the proper polling place on election day, as long as the municipal clerk receives the ballot on time. The law provides specific requirements concerning timeframes regarding valid absentee ballots – those details are beyond the scope of this article and it is encouraged to consult with legal counsel for further direction.

Do the same absentee voting rules apply to military and overseas voting?

No. Military and overseas voters have special rules as well as additional options for voting. For instance, they can access their absentee ballot online.

How can a voter request an absentee ballot?

An absentee ballot can be requested in the following ways: by mail, by email, online, by fax, or in person. To find out more specific information to your voting district, you should go to your municipality’s website.

What about the use of drop boxes for an absentee ballot?

There is substantial debate currently regarding the use of ballot drop boxes for absentee ballots. It is strongly encouraged to communicate with legal counsel concerning this issue. However, given the pending Waukesha County Court case referenced above and in consideration of the WEC’s withdrawal of its guidance in that case, the safest approach would be to refrain from using a drop box until further direction from the Wisconsin Supreme Court.

This information is provided as a review of the fundamental requirements when it comes to balloting. Ideally, this information will be available for reference when basic questions or conflicts occur for a quick resolution. Nevertheless, more complicated questions may arise and it is strongly encouraged to reach out to your legal counsel for timely answers as these issues develop.

©2022 von Briesen & Roper, s.c
For more articles about elections, visit the NLR election & Legislative section.

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by