Cryptocurrency As Compensation: Beware Of The Risks

A small but growing number of employees are asking for cryptocurrency as a form of compensation.  Whether a substitute for wages or as part of an incentive package, offering cryptocurrency as compensation has become a way for some companies to differentiate themselves from others.  In a competitive labor market, this desire to provide innovative forms of compensation is understandable.  But any company thinking about cryptocurrency needs to be aware of the risks involved, including regulatory uncertainties and market volatility.

Form of Payment – Cash or Negotiable Instrument

The federal Fair Labor Standards Act requires employers to pay minimum and overtime wages in “cash or negotiable instrument payable at par.”  This has long been interpreted to include only fiat currencies—monies backed by a governmental authority.  As non-fiat currencies, cryptocurrencies therefore fall outside the FLSA’s definition of “cash or negotiable instrument.”  As a result, an employer who chooses to pay minimum and/or overtime wages in cryptocurrency may violate the FLSA by failing to pay workers with an accepted form of compensation.

In addition, various state laws make the form of wage payment question even more difficult.  For example, Maryland requires payment in United States currency or by check that “on demand is convertible at face value into United States currency.”  Pennsylvania requires that wages shall be made in “lawful money of the United States or check.”  And California prohibits compensation that is made through “coupon, cards or other thing[s] redeemable…otherwise than in money.”  It is largely unclear whether payment in cryptocurrency runs afoul of these state requirements.

Of note, the U.S. Department of Labor (“DOL”) allows employers to satisfy FLSA minimum wage and overtime regulations with foreign currencies as long as the conversion to U.S. dollars meets the required wage thresholds.  But neither the DOL nor courts have weighed in on whether certain cryptocurrencies (e.g., Bitcoin) are the equivalent, for FLSA purposes, of a foreign currency.

Volatility Concerns

When compared to the rather stable value of the U.S. dollar, the value of cryptocurrencies is subject to large fluctuations.  Bitcoin, for example, lost nearly 83% of its value in May 2013, approximately 50% of its value in March 2020, and recently lost and then gained 16% of its value in the span of approximately 15 minutes one day in February 2021.

Such volatility can give payroll vendors a nightmare and can, in some instances, lead to the under-payment of wages or violation of minimum wage or overtime requirements under the FLSA.

Tax and Benefits Considerations

Aside from wage and hour issues, the payment of cryptocurrency implicates a host of tax and benefits-related issues.  The IRS considers virtual currencies to be “property,” subject to capital gains tax rates.  It has also confirmed in guidance materials that any payment to employees in a virtual currency must be reported on a W-2 based upon the value of the currency in U.S. dollars at the time it was delivered to the employee.  This means that cryptocurrency wage payments are subject to Federal income tax withholding, Federal Insurance Contributions Act (FICA) tax, and Federal Unemployment Tax Act (FUTA) tax.

For 401k plan fiduciaries, the Department of Labor recently issued guidance that should serve as a stern warning to any fiduciary looking to invest 401k funds into cryptocurrencies.  Specifically, the DOL wrote: “[a]t this early stage in the history of cryptocurrencies, the Department has serious concerns about the prudence of a fiduciary’s decision to expose a 401(k) plan’s participants to direct investments in cryptocurrencies, or other products whose value is tied to cryptocurrencies.”  Given the risks inherent in cryptocurrency speculation, the DOL stated that any fiduciary allowing such investment options “should expect to be questioned [by the DOL] about how they can square their actions with their duties of prudence and loyalty in light of the risks.”

Considerations for Employers

Given the combination of uncertain and untested legal risks, employers should consider limiting cryptocurrency compensation models to payments that do not implicate the FLSA or applicable state wage and hour laws.  For example, an employer might provide an exempt employee’s base salary in U.S. dollars and any annual discretionary bonus in cryptocurrency.

Whether investing in cryptocurrencies themselves to pay employees or utilizing a third party to convert U.S. dollars into cryptocurrency, employers should also stay abreast of the evolving tax and benefits guidance in this area.

Ultimately, the only thing that is clear about cryptocurrency compensation is that any decision to provide such compensation to employees should be made with a careful eye towards the unique wage, tax, and benefits-related issues implicated by these transactions.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Apple Smartwatch Antitrust Case Survives, Showing ‘Freedom of Design’ is Not Absolute

Judge Cites ‘Associated’ Anticompetitive Conduct Claims

It’s a case that challenges the limits of the “freedom of design” usually enjoyed by companies accused of product design changes alleged to harm competition. Ordinarily, a design change is not the kind of conduct that runs afoul of the antitrust laws, but on March 21, U.S. Judge Jeffrey S. White from the Northern District of California denied Apple Inc.’s motion to dismiss an antitrust case brought against it by AliveCor Inc. The suit alleges that Apple unlawfully maintained its monopoly in the market for heart rate analysis apps by updating WatchOS, the Apple Watch operating system on which AliveCor’s heart rate analysis app runs. (AliveCor, Inc. v. Apple Inc., No. 21-cv-03958-JSW, N.D. Calif.).

Heart rate analysis apps analyze the user’s heart rate in real time using a sensor close to the user’s wrist and determine whether the user’s heart rate is normal or irregular. The app runs constantly while the device is worn and alerts the user when a situation arises requiring an ECG recording and medical analysis. AliveCor also sells an electrocardiogram-capable wrist band for the Apple Watch and related WatchOS software that analyzes readings from the band. AliveCor claims that its products—the ECG-wristband hardware and software and its heart rate analysis app—“helped change the perception of the Apple Watch from an accessory to a personal health monitoring tool.”

AliveCor calls its heart rate monitoring app “SmartRhythm.” According to AliveCor, when sales of SmartRhythm took off, Apple was inspired to announce an update to WatchOS with its own heart monitoring app designed to exclude AliveCor from the U.S. market for WatchOS heart rate analysis apps.

SmartRhythm works by using data from the Apple Watch’s heart rate algorithm. According to the complaint, Apple’s update to WatchOS altered the heart rate algorithm in a way that prevents third-party developers from being able to detect heart rate fluctuations and irregularities. As a result of these changes, SmartRhythm could not provide accurate heart rate analysis, and AliveCor removed it from the market.

Consequently, Apple is a monopolist in the WatchOS heart rate analysis app market, which AliveCor claims Apple is maintaining with exclusionary design changes to WatchOS, in violation of Section 2 of the Sherman Act, California’s Unfair Competition Law, and Section 17200 of California Business and Professions Code.

The court denied Apple’s motion to dismiss AliveCor’s monopolization claim in what it characterized as the “[single brand] aftermarket for WatchOS apps.” Applying the factors enumerated by the court in Newcal Indus., Inc. v. Ikon Office Sol., 513 F.3d 1038, 1044 (9th Cir. 2008), the court found that the WatchOS app aftermarket was wholly derivative from the primary smartwatch market, the alleged restraint applied only to the aftermarket, Apple’s aftermarket power was not obtained through contract terms reached in the primary market, and that competition in the smartwatch market does not discipline anticompetitive practices in the WatchOS app aftermarket. Accordingly, the court ruled that AliveCor’s market definition met the Newcal standards for a “single product” relevant market.

Apple argued that a company that improves a product to the benefit of consumers does not violate antitrust laws “absent some associated anticompetitive conduct,” citing the leading “freedom of design” case of Allied Orthopedic Appliances Inc. v. Tyco Health Care Group LP, 592 F.3d 991, 998-99 (9th Cir. 2010). The court quoted the holding of Allied: “If a monopolist’s design change is an improvement, it is necessarily tolerated by the antitrust laws, unless the monopolist abuses or leverages its monopoly power in some other way when introducing the product.”

Apple argued that its update to WatchOS was purely a design change that benefitted users, with no associated anticompetitive conduct. It observed that AliveCor hadn’t established that consumers use Apple’s app instead of some third-party app, or that Apple rejected any third-party apps, or that no other third-party heart apps are available to Apple Watch users. But the court rejected those arguments, noting that Apple failed to provide any legal authority that would require such allegations.

Apple ignored AliveCor’s allegations that Apple abused or leveraged its monopoly power “in some other way” by changing its heart rate algorithm to make it effectively impossible for third parties to inform a user when to take an ECG. AliveCor contended that Apple’s updated heart rate algorithm, which was pushed out to all earlier Apple Watch models, did not improve user experience. Its purpose was to prevent third parties from identifying irregular heart rates and offering competing apps based on that data. “These allegations present the type of ‘associated conduct’ that makes product design changes cognizable under antitrust law. Plaintiff’s allegations plausibly establish that Apple’s conduct was anticompetitive,” Judge White held. A case management conference is set for May 20.

Commentary

It is truly difficult to see how some separate, “associated” conduct by Apple other than its design change to WatchOS violates Section 2. It seems more straightforward to consider the design change itself to be a cognizable anticompetitive act. It may be time to drop the fiction maintained in Allied v. Tyco that design changes are “never” antitrust violations unless accompanied by some “other” conduct. Here, Apple has created the market itself in the form of an OS platform used by millions of consumers who depend on it to access all manner of competing complementary products. Under those circumstances, it should be uncontroversial to hold a platform operator liable under the antitrust laws for design changes that exclude competitors or foreclose participants from the market, without indulging in the fiction of “associated” conduct.

© MoginRubin LLP

WW International to Pay $1.5 Million Civil Penalty for Alleged COPPA Violations

In 2014, with childhood obesity on the rise in the United States, tech company Kurbo, Ltd. (Kurbo) marketed a free app for kids that, according to the company, was “designed to help kids and teens ages 8-17 reach a healthier weight.” When WW International (WW) (formerly Weight Watchers) acquired Kurbo in 2018, the app was rebranded “Kurbo by WW,” and WW continued to market the app to children as young as eight. But according to the Federal Trade Commission (FTC), Kurbo’s privacy practices were not exactly child-friendly, even if its app was. The FTC’s complaint, filed by the Department of Justice (DOJ) last month, claims that WW’s notice, data collection, and data retention practices violated the Children’s Online Privacy Protection Act Rule (COPPA Rule). WW and Kurbo, under a stipulated order, agreed to pay a $1.5 million civil penalty in addition to complying with a range of injunctive provisions. These provisions include, but are not limited to, deleting all personal information of children whose parents did not provide verifiable parental consent in a specified timeframe, and deleting “Affected Work Product” (defined in the order to include any models or algorithms developed in whole or in part using children’s personal information collected through the Kurbo Program).

Complaint Background

The COPPA Rule applies to any operator of a commercial website or online service directed to children that collects, uses, and/or discloses personal information from children and to any operator of a commercial website or online service that has actual knowledge that it collects, uses, and/or discloses personal information from children. Operators must notify parents and obtain their consent before collecting, using, or disclosing personal information from children under 13.

The complaint states that children enrolled in the Kurbo app by signing up through the app or having a parent do it on their behalf. Once on Kurbo, users could enter personal information such as height, weight, and age, and the app then tracked their weight, food consumption, and exercise. However, the FTC alleges that Kurbo’s age gate was porous, requiring no verification process to establish that children who affirmed they were over 13 were the age they claimed to be or that users asserting they were parents were indeed parents. In fact, the complaint alleges that the registration area featured a “tip-off” screen that gave visitors just two choices for registration: the “I’m a parent” option or the “I’m at least 13” option. Visitors saw the legend, “Per U.S. law, a child under 13 must sign up through a parent” on the registration page featuring these choices. In fact, thousands of users who indicated that they were at least 13 were younger and were able to change their information and falsify their real age. Users who lied about their age or who falsely claimed to be parents were able to continue to use the app. In 2020, after a warning from the FTC, Kurbo implemented a registration screen that removed the legend and the “at least 13” option. However, the new process failed to provide verification measures to establish that users claiming to be parents were indeed parents.

Kurbo’s notice of data collection and data retention practices also fell short. The COPPA Rule requires an operator to “post a prominent and clearly labeled link to an online notice of its information practices with regard to children on the home or landing page or screen of its Web site or online service, and, at each area of the Web site or online service where personal information is collected from children.” But beginning in November 2019, Kurbo’s notice at registration was buried in a list of hyperlinks that parents were not required to click through, and the notice failed to list all the categories of information the app collected from children. Further, Kurbo did not comply with the COPPA Rule’s mandate to keep children’s personal information only as long as reasonably necessary for the purpose it was collected and then to delete it. Instead, the company held on to personal information indefinitely unless parents specifically requested its removal.

Stipulated Order

In addition to imposing a $1.5 million civil penalty, the order, which was approved by the court on March 3, 2022, requires WW and Kurbo to:

  • Refrain from disclosing, using, or benefitting from children’s personal information collected in violation of the COPPA Rule;
  • Delete all personal information Kurbo collected in violation of the COPPA Rule within 30 days;
  • Provide a written statement to the FTC that details Kurbo’s process for providing notice and seeking verifiable parental consent;
  • Destroy all affected work product derived from improperly collecting children’s personal information and confirm to the FTC that deletion has been carried out;
  • Delete all children’s personal information collected within one year of the user’s last activity on the app; and
  • Create and follow a retention schedule that states the purpose for which children’s personal information is collected, the specific business need for retaining such information, and criteria for deletion, including a set timeframe no longer than one year.

Implications of the Order

Following the U.S. Supreme Court’s decision in AMG Capital Management, LLC v. Federal Trade Commission, which halted the FTC’s ability to use its Section 13(b) authority to seek monetary penalties for violations of the FTC Act, the FTC has been pushing Congress to grant it greater enforcement powers. In the meantime, the FTC has used other enforcement tools, including the recent resurrection of the agency’s long-dormant Penalty Offense Authority under Section 5(m)(1)(B) of the FTC Act and a renewed willingness to use algorithmic disgorgement (which the FTC first applied in the 2019 Cambridge Analytica case).

Algorithmic disgorgement involves “requir[ing] violators to disgorge not only the ill-gotten data, but also the benefits—here, the algorithms—generated from that data,” as then-Acting FTC Chair Rebecca Kelly Slaughter stated in a speech last year. This order appears to be the first time algorithmic disgorgement was applied by the Commission in an enforcement action under COPPA.

Children’s privacy issues continue to attract the attention of the FTC and lawmakers at both federal and state levels. Companies that collect children’s personal information should be careful to ensure that their privacy policies and practices fully conform to the COPPA Rule.

© 2022 Keller and Heckman LLP

Fitness App Agrees to Pay $56 Million to Settle Class Action Alleging Dark Pattern Practices

On February 14, 2022, Noom Inc., a popular weight loss and fitness app, agreed to pay $56 million, and provide an additional $6 million in subscription credits to settle a putative class action in New York federal court. The class is seeking conditional certification and has urged the court to preliminarily approve the settlement.

The suit was filed in May 2020 when a group of Noom users alleged that Noom “actively misrepresents and/or fails to accurately disclose the true characteristics of its trial period, its automatic enrollment policy, and the actual steps customers need to follow in attempting to cancel a 14-day trial and avoid automatic enrollment.” More specifically, users alleged that Noom engaged in an unlawful auto-renewal subscription business model by luring customers in with the opportunity to “try” its programs, then imposing significant barriers to the cancellation process (e.g., only allowing customers to cancel their subscriptions through their virtual coach), resulting in the customers paying a nonrefundable advance lump-sum payment for up to eight (8) months at a time. According to the proposed settlement, Noom will have to substantially enhance its auto-renewal disclosures, require customers to take a separate action (e.g., a check box or digital signature) to accept auto-renewal, and provide customers a button on the customer’s account page for easier cancellation.

Regulators at the federal and state level have recently made clear their focus on enforcement actions against “dark patterns.” We previously summarized the FTC’s enforcement policy statement from October 2021 warning companies against using dark patterns that trick consumers into subscription services. More recently, several state attorneys general (e.g., in Indiana, Texas, the District of Columbia, and Washington State) made announcements regarding their commitment to ramp up enforcement work on “dark patterns” that are used to ascertain consumers’ location data.

Article By: Privacy and Cybersecurity Practice Group at Hunton Andrews Kurth

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

New Poll Underscores Growing Support for National Data Privacy Legislation

Over half of all Americans would support a federal data privacy law, according to a recent poll from Politico and Morning Consult. The poll found that 56 percent of registered voters would either strongly or somewhat support a proposal to “make it illegal for social media companies to use personal data to recommend content via algorithms.” Democrats were most likely to support the proposal at 62 percent, compared to 54 percent of Republicans and 50 percent of Independents. Still, the numbers may show that bipartisan action is possible.

The poll is indicative of Americans’ increasing data privacy awareness and concerns. Colorado, Virginia, and California all passed or updated data privacy laws within the last year, and nearly every state is considering similar legislation. Additionally, Congress held several high-profile hearings last year soliciting testimony from several tech industry leaders and whistleblower Frances Haugen. In the private sector, Meta CEO Mark Zuckerberg has come out in favor of a national data privacy standard similar to the EU’s General Data Protection Regulation (GDPR).

Politico and Morning Consult released the poll results days after Senator Ron Wyden (D-OR) accepted a 24,000-signature petition calling for Congress to pass a federal data protection law. Senator Wyden, who recently introduced his own data privacy proposal called the “Mind Your Own Business Act,” said it was “past time” for Congress to act.

He may be right: U.S./EU data flows have been on borrowed time since 2020. The GDPR prohibits data flows from the EU to countries with inadequate data protection laws, including the United States. The U.S. Privacy Shield regulations allowed the United States to circumvent the rule, but an EU court invalidated the agreement in 2020, and data flows between the US and the EU have been in legal limbo ever since. Eventually, Congress and the EU will need to address the situation and a federal data protection law would be a long-term solution.

This post was authored by C. Blair Robinson, legal intern at Robinson+Cole. Blair is not yet admitted to practice law.


Copyright © 2022 Robinson & Cole LLP. All rights reserved.

Patch Up – Log4j and How to Avoid a Cybercrime Christmas

A vulnerability so dangerous that Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly called it “one of the most serious [she’s] seen in [her] entire career, if not the most serious” arrived just in time for the holidays. On December 10, 2021, CISA and the director of cybersecurity at the National Security Agency (NSA) began alerting the public of a critical vulnerability within the Apache Log4j Java logging framework. Civilian government agencies have been instructed to mitigate the vulnerability by Christmas Eve, and companies should follow suit.

The Log4j vulnerability allows threat actors to remotely execute code both on-premises and within cloud-based application servers, thereby obtaining control of the impacted servers. CISA expects the vulnerability to affect hundreds of millions of devices. This is a widespread critical vulnerability and companies should quickly assess whether, and to what extent, they or their service providers are using Log4j.

Immediate Recommendations

  • Immediately upgrade all versions of Apache Log4j to 2.15.0.
  • Ask your service providers whether their products or environment use Log4j, and if so, whether they have patched to the latest version. Helpfully, CISA sponsors a community-sourced GitHub repository with a list of software related to the vulnerability as a reference guide.
  • Confirm your security operations are monitoring internet-facing systems for indicators of compromise.
  • Review your incident response plan and ensure all response team information is up to date.
  • If your company is involved in an acquisition, discuss the security steps taken within the target company to address the Log4j vulnerability.

The versatility of this vulnerability has already attracted the attention of malicious nation-state actors. For example, government-affiliated cybercriminals in Iran and China have a “wish list” (no holiday pun intended) of entities that they are aggressively targeting with the Log4j vulnerability. Due to this malicious nation-state activity, if your company experiences a ransomware attack related to the Log4j vulnerability, it is particularly important to pay attention to potential sanctions-related issues.

Companies with additional questions about the Log4j vulnerability and its potential impact on technical threats and potential regulatory scrutiny or commercial liability are encouraged to contact counsel.

© 2021 Bracewell LLP

Continuing Effort to Protect National Security Data and Networks

CMMC 2.0 – Simplification and Flexibility of DoD Cybersecurity Requirements

Evolving and increasing threats to U.S. defense data and national security networks have necessitated changes and refinements to the U.S. regulatory requirements intended to protect that data and those networks.

In 2016, the U.S. Department of Defense (DoD) issued a Defense Federal Acquisition Regulation Supplement (DFARs) intended to better protect defense data and networks. In 2017, DoD began issuing a series of memoranda to further enhance protection of defense data and networks via Cybersecurity Maturity Model Certification (CMMC). In December 2019, the Department of State, Directorate of Defense Trade Controls (DDTC) issued long-awaited guidance in part governing the minimum encryption requirements for storage, transport and/or transmission of controlled unclassified information (CUI) and technical defense information (TDI) otherwise restricted by ITAR.

DFARs initiated the government’s efforts to protect national security data and networks by implementing specific NIST cyber requirements for all DoD contractors with access to CUI, TDI or a DoD network. Compliance with DFARs was self-certified in nature.

CMMC provided a broad framework to enhance cybersecurity protection for the Defense Industrial Base (DIB). CMMC proposed a verification program to ensure that NIST-compliant cybersecurity protections were in place to protect CUI and TDI that reside on DoD and DoD contractors’ networks. Unlike DFARs, CMMC initially required certification of compliance by an independent cybersecurity expert.

The DoD has announced an updated cybersecurity framework, referred to as CMMC 2.0. The announcement comes after a months-long internal review of the proposed CMMC framework. It still could take nine to 24 months for the final rule to take shape. But for now, CMMC 2.0 promises to be simpler to understand and easier to comply with.

Three Goals of CMMC 2.0

Broadly, CMMC 2.0 is similar to the earlier-proposed framework. Familiar elements include a tiered model, required assessments, and contractual implementation. But the new framework is intended to facilitate three goals identified by DoD’s internal review.

  • Simplify the CMMC standard and provide additional clarity on cybersecurity regulations, policy, and contracting requirements.
  • Focus on the most advanced cybersecurity standards and third-party assessment requirements for companies supporting the highest priority programs.
  • Increase DoD oversight of professional and ethical standards in the assessment ecosystem.

Key Changes under CMMC 2.0

The most impactful changes of CMMC 2.0 are:

  • A reduction from five to three security levels.
  • Reduced requirements for third-party certifications.
  • Allowances for plans of actions and milestones (POA&Ms).

CMMC 2.0 has only three levels of cybersecurity

An innovative feature of CMMC 1.0 had been the five-tiered model that tailored a contractor’s cybersecurity requirements according to the type and sensitivity of the information it would handle. CMMC 2.0 keeps this model, but eliminates the two “transitional” levels in order to reduce the total number of security levels to three. This change also makes it easier to predict which level will apply to a given contractor. At this time, it appears that:

  • Level 1 (Foundational) will apply to federal contract information (FCI) and will be similar to the old first level;
  • Level 2 (Advanced) will apply to controlled unclassified information (CUI) and will mirror NIST SP 800-171 (similar to, but simpler than, the old third level); and
  • Level 3 (Expert) will apply to more sensitive CUI and will be partly based on NIST SP 800-172 (possibly similar to the old fifth level).

Significantly, CMMC 2.0 focuses on cybersecurity practices, eliminating the few so-called “maturity processes” that had baffled many DoD contractors.

CMMC 2.0 relieves many certification requirements

Another feature of CMMC 1.0 had been the requirement that all DoD contractors undergo third-party assessment and certification. CMMC 2.0 is much less ambitious and allows Level 1 contractors — and even a subset of Level 2 contractors — to conduct only an annual self-assessment. It is worth noting that a subset of Level 2 contractors — those having “critical national security information” — will still be required to seek triennial third-party certification.

CMMC 2.0 reinstitutes POA&Ms

An initial objective of CMMC 1.0 had been that — by October 2025 — contractual requirements would be fully implemented by DoD contractors. There was no option for partial compliance. CMMC 2.0 reinstitutes a regime that will be familiar to many, by allowing for submission of Plans of Actions and Milestones (POA&Ms). The DoD still intends to specify a baseline number of non-negotiable requirements. But a remaining subset will be addressable by a POA&M with clearly defined timelines. The announced framework even contemplates waivers “to exclude CMMC requirements from acquisitions for select mission-critical requirements.”

Operational takeaways for the defense industrial base

For many DoD contractors, CMMC 2.0 will not significantly impact their required cybersecurity practices — for FCI, focus on basic cyber hygiene; and for CUI, focus on NIST SP 800-171. But the new CMMC 2.0 framework dramatically reduces the number of DoD contractors that will need third-party assessments. It could also allow contractors to delay full compliance through the use of POA&Ms beyond 2025.

Increased Risk of Enforcement

Regardless of the proposed simplicity and flexibility of CMMC 2.0, DoD contractors need to remain vigilant to meet their respective CMMC 2.0 level cybersecurity obligations.

Immediately preceding the CMMC 2.0 announcement, the U.S. Department of Justice (DOJ) announced a new Civil Cyber-Fraud Initiative on October 6 to combat emerging cyber threats to the security of sensitive information and critical systems. In its announcement, the DOJ advised that it would pursue government contractors who fail to follow required cybersecurity standards.

As Bradley has previously reported in more detail, the DOJ plans to utilize the False Claims Act to pursue cybersecurity-related fraud by government contractors or involving government programs, where entities or individuals put U.S. information or systems at risk by knowingly:

  • Providing deficient cybersecurity products or services
  • Misrepresenting their cybersecurity practices or protocols, or
  • Violating obligations to monitor and report cybersecurity incidents and breaches.

The DOJ also expressed its intent to work closely on the initiative with other federal agencies, subject matter experts and its law enforcement partners throughout the government.

As a result, while CMMC 2.0 will provide some simplicity and flexibility in implementation and operations, U.S. government contractors need to be mindful of their cybersecurity obligations to avoid new heightened enforcement risks.

© 2021 Bradley Arant Boult Cummings LLP


Are Tech Workers Considering Unionizing In The Wake Of COVID-19?

Big tech companies by and large have remained union-free over the years unlike their peers in other industries such as retail and manufacturing. However, earlier this year – and before the COVID-19 pandemic upended workplaces across America – unions scored their first major organizing victory in the tech sector when employees at Kickstarter voted to form a union. According to at least one recent report, more tech company workers may soon be following suit.

The Teamsters, Communications Workers of America, and the Office and Professional Employees International Union all reported an uptick in inquiries from non-union employees about prospects of unionizing the companies they work for, including in the tech and gig economy sectors. One of the reasons cited by these workers was a feeling that not enough is being done to protect employees against the spread of COVID-19, particularly those who work in e-commerce fulfillment centers or drive for ride-sharing apps. There also was concern by employees who were, at least at one point, denied remote work arrangements when they believed their jobs were suited for such an arrangement.

It remains to be seen whether organized labor will be able to augment its numbers based on these workers’ concerns. Several things may complicate any such efforts, including unprecedented layoffs and an almost singular focus by people across the nation on the ongoing pandemic itself.

To the extent unions try to capitalize on the unrest, there are many reasons employers facing organizing attempts should be concerned. For example, one of the most effective tools a company can consider to stave off a unionization attempt is the large, all-employee meeting, where leaders of the organization communicate directly to the workforce why forming a union isn’t in the company’s or employees’ best interests. In an era where social distancing is a necessity, such meetings – at least in person – likely won’t be a viable option. In addition, mail-in ballot union elections, which employers generally prefer less than live secret-ballot voting booths, may become the standard as long as social distancing requirements remain in effect.

Accordingly, employers desiring to remain union-free should give thought to what talking points, materials, and strategies – as well as communications channels – they have available to them now around this issue. Waiting to do so until after a union petition hits may place them at a significant disadvantage.


© 2020 BARNES & THORNBURG LLP


Union Launches National Organizing Effort in Gaming and Tech Industries

The Communications Workers of America (CWA) has begun a nationwide union-organizing campaign targeting game and tech industry employees, in partnership with Game Workers Unite! (GWU), a so-called “grass-roots” worker group founded in Southern California in 2018 to spur unionization in the gaming industry. As here, such groups typically are founded and funded by established labor organizations.

The idea for the organizing effort is the result of discussions between the CWA and GWU over the past months. In addition, CWA Canada is partnering with the GWU chapter in Toronto. The CWA has used similar partnerships with other activist groups, most recently teaming up with the Committee for Better Banks to attempt to organize banking sector employees.

Organizing is being spearheaded by Emma Kinema, a co-founder of GWU, and Wes McEnany, a former organizer with the Service Employees International Union and leader of the “Fight for 15” effort. Kinema will lead the organizing on the West Coast, while McEnany will focus on the East Coast. Organizers from CWA locals across the country will populate the teams. According to Kinema, the issues on which the union will focus are: “crunch,” or long hours for weeks or months to meet launch deadlines; cyclical layoffs; harassment; misogyny; gender-based pay discrimination; values and ethical issues, such as working with Immigration and Customs Enforcement (ICE); climate change; AI ethics; and pay, severance, and benefits. According to Tom Smith, CWA’s lead organizer, “For a lot of folks, that’s what led them to do this work in the first place, and people are feeling a disconnect between their personal values and what they’re seeing every day in the working lives.”

With the moniker CODE – Campaign to Organize Digital Employees – the ambitious initiative seeks to organize employees across the industry, typically at individual shops or employers. According to Kinema, “We believe workers are strongest when they’re together in one shop in one union, so the disciplines can’t be pitted against each other – none of that’s good for the workers. I think in games and tech, the wall-to-wall industrial model is the best fit.” Smith said the CWA would be open to craft-based organizing – where the focus is industry-wide bargaining units composed of employees performing similar work at different employers – if that is what employees want. In an industry where workers frequently move from employer to employer, portable benefits can be attractive.

An annual survey by the International Game Developers Association, an industry group, found that gaming worker interest in unions had increased to 47 percent by 2019. Indeed, a representation petition is pending at the Brooklyn office of the National Labor Relations Board on behalf of the employees at a gaming company. About 220,000 employees work in the two-billion-dollar gaming industry.

The union has established a website – www.code-cwa.org – as well as a presence on other social media platforms such as Facebook and Twitter.

As most union organizing is based on the presence in the workplace of unresolved employee issues, a comprehensive analysis of such matters may be valuable to employers. Also, supervisors and managers often interact frequently with employees when organizing is afoot or underway. Training regarding their rights and responsibilities under the labor laws often is essential.


Jackson Lewis P.C. © 2020


Offered Free Cyber Services? You May Not Need to Look That Gift Horse in the Mouth Any Longer.

Cyberattacks continue to plague health care entities. In an effort to promote improved cybersecurity and prevent those attacks, HHS has proposed new rules under Stark and the Anti-Kickback Statute (“AKS”) to protect in-kind donations of cybersecurity technology and related services from hospitals to physician groups. There is already an EHR exception[1] which protects certain donations of software, information technology and training associated with (and closely related to) an EHR, and HHS is now clarifying that this existing exception has always been available to protect certain cybersecurity software and services. However, the new proposed rule explicitly addresses cybersecurity and is designed to be more permissive than the existing EHR protection.

The proposed exception under Stark and safe harbor under AKS are substantially similar and, unless noted, the following analysis applies to both. The proposed rules allow for the donation of cybersecurity technology such as malware prevention and encryption software. The donation of hardware is not currently contemplated, but HHS is soliciting comment on this matter as discussed below. The proposed rules also allow for the donation of cybersecurity services that are necessary to implement and maintain cybersecurity of the recipient’s systems. Such services could include:

  • Services associated with developing, installing, and updating cybersecurity software;

  • Cybersecurity training, including breach response, troubleshooting and general “help desk” services;

  • Business continuity and data recovery services;

  • “Cybersecurity as a service” models that rely on a third-party service provider to manage, monitor, or operate cybersecurity of a recipient;

  • Services associated with performing a cybersecurity risk assessment or analysis, vulnerability analysis, or penetration test; or

  • Services associated with sharing information about known cyber threats, and assisting recipients responding to threats or attacks on their systems.

The intent of these rules is to allow the donation of this cybersecurity technology and these services in order to encourage their proliferation throughout the health care community, and especially among providers who may not be able to afford to undertake such efforts on their own. Therefore, these rules are expressly intended to be less restrictive than the previous EHR exception and safe harbor. The proposed restrictions are as follows[2]:

  • The donation must be necessary to implement, maintain, or reestablish cybersecurity;

  • The donor cannot condition the donations on the making of referrals by the recipient, and the making of referrals by the recipient cannot be conditioned on receiving a donation; and

  • The donation arrangement must be documented in writing.

AKS has an additional requirement that the donor must not shift the costs of any technology or services to a Federal health care program. Currently, there are no “deeming provisions” within these proposed rules for the purpose of meeting the necessity requirement, but HHS is considering, and is seeking comment on, whether to add deeming provisions, which essentially designate certain arrangements as acceptable. Some in the industry appreciate the safety of knowing what is expressly considered acceptable, while others find this approach more restrictive out of fear that the list will come to be considered exhaustive.

HHS is also considering adding a restriction regarding what types of entities are eligible for the donation. Previously for other rules, HHS has distinguished between entities with direct and primary patient care relationships, such as hospitals and physician practices, and suppliers of ancillary services, such as laboratories and device manufacturers.

Additionally, HHS is soliciting comment on whether to allow the donation of cybersecurity hardware to entities for which a risk assessment identifies a risk to the donor’s cybersecurity. Under this potential rule, the recipient must also have a risk assessment stating that the hardware would reasonably address a threat.


[1] AKS Safe Harbor 42 CFR §1001.952(y); Stark Exception §411.357(bb)
[2] AKS Safe Harbor 42 CFR §1001.952(jj); Stark Exception §411.357(w)(4)


©2020 von Briesen & Roper, s.c.
