
Archive for the ‘Coronavirus – Cyber, Privacy & Security’ Category

Pandemic Brings Increase in Ransomware Payments Prompting New Advisories from OFAC and FinCEN on Sanctions Risks

Posted on: October 12th, 2020

By: Caitlin Tubbesing

On October 1st—the first day of National Cybersecurity Awareness Month—the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) warned companies working with victims of ransomware attacks of potential sanctions for facilitating ransomware payments. Ransomware attacks have increased during the COVID-19 pandemic and the resulting shift to remote operations as cyber actors target online systems companies rely on to conduct business. The guidance provides a timely warning to cyber insurers, digital forensics, and financial services institutions that payment of a ransom to a sanctioned jurisdiction or individual may be a violation of OFAC regulations and federal law which could result in sanctions.

As a part of its sanctions program, OFAC has a database of designated malicious cyber actors, including perpetrators of ransomware attacks and facilitators of ransomware transactions, and imposes sanctions on those “who materially assist, sponsor, or provide financial, material, or technological support for these activities.” Pursuant to the International Emergency Economic Powers Act and the Trading with the Enemy Act, individuals and entities are prohibited from engaging in direct or indirect transactions with those on OFAC’s Specially Designated Nationals and Blocked Persons List, in addition to other blocked persons, and those covered by a national or regional embargo. OFAC may impose civil penalties for violating these federal laws irrespective of whether the person knew, or even had reason to know, that it was engaging in a transaction with a prohibited individual, entity, or jurisdiction.

The sanctions are intended to target and temper the proliferation of ransomware attack payments, which implicate significant national security concerns. Payments made to sanctioned persons or jurisdictions could be used to fund activities adverse to American interests and policy objectives. Payments may also encourage cyber actors to continue to engage in these attacks. In addition to the national security nexus, OFAC observed that payments are no guarantee that access to stolen data will be restored to the ransomware attack victim.  

Companies working with ransomware attack victims should account for the sanctions risks associated with ransomware payments and implement a risk-based compliance program incorporating the following five components: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.  Victims and companies involved in responding to ransomware attacks should also report attacks to OFAC and law enforcement and are encouraged to cooperate with law enforcement before and after the attack. Financial companies responsible for facilitating ransomware payments should determine whether filing a Suspicious Activity Report (SAR) with FinCEN is proper or required.

If you have questions or would like more information, please contact Caitlin Tubbesing at [email protected].

Additional Information:

FMG has formed a Coronavirus Task Force to provide up-to-the-minute information, strategic advice, and practical solutions for our clients.  Our group is an interdisciplinary team of attorneys who can address the multitude of legal issues arising out of the coronavirus pandemic, including issues related to Healthcare, Product Liability, Tort Liability, Data Privacy, and Cyber and Local Governments.  For more information about the Task Force, click here.

You can also contact your FMG relationship partner or email the team with any questions at [email protected].

**DISCLAIMER:  The attorneys at Freeman Mathis & Gary, LLP (“FMG”) have been working hard to produce educational content to address issues arising from the concern over COVID-19.  The webinars and our written material have produced many questions. Some we have been able to answer, but many we cannot without a specific legal engagement.  We can only give legal advice to clients.  Please be aware that your attendance at one of our webinars or receipt of our written material does not establish an attorney-client relationship between you and FMG.  An attorney-client relationship will not exist unless and until an FMG partner expressly and explicitly states IN WRITING that FMG will undertake an attorney-client relationship with you, after ascertaining that the firm does not have any legal conflicts of interest.  As a result, you should not transmit any personal or confidential information to FMG unless we have entered into a formal written agreement with you.  We will continue to produce education content for the public, but we must point out that none of our webinars, articles, blog posts, or other similar material constitutes legal advice, does not create an attorney client relationship and you cannot rely on it as such.  We hope you will continue to take advantage of the conferences and materials that may pertain to your work or interests.**

Does What Happens in Mediation Stay in Mediation?

Posted on: August 14th, 2020

By: Barry Miller

Insurers: Time to review your mediation practices.

As COVID-19 travel restrictions force most mediations online, often with participants in more than one state, insurance carriers must re-examine their assumptions about the process. They need assurance that what happens in mediation stays in mediation and does not become the foundation for a bad faith case. They may even be surprised to find that whether that assurance exists might vary from jurisdiction to jurisdiction.

Standard I of the Model Standards of Conduct for Mediators (published by the American Bar Association with the American Arbitration Association, and the Association for Conflict Resolution) upholds this idea. “Parties may exercise self-determination at any stage of a mediation, including mediator selection, process design, participation in or withdrawal from the process, and outcomes.” (Model Standard I).

And how a carrier exercises that right to determination is also protected by the principle of confidentiality. At least that’s the assumption many carriers make.

It is time to reconsider that belief and the boundaries of confidentiality.

Which law governs confidentiality?

Mediating across state lines is not a new thing. Before COVID-19 mediations sometimes included out-of-state participants by telephone. But what used to be an exception is now becoming the norm. The preference of most courts and mediators to have the parties and representatives in the same location had to change in 2020, if COVID-19 was not to halt mediations altogether. As the number of interstate mediations increases, questions about conflicts of law will arise more often.

There is no uniform mediation privilege applied by the courts of the 50 states. In fact, at least one federal court has found that South Carolina, where it sits, recognizes no such privilege. Other federal courts (such as this one sitting in Pennsylvania) recognize that the privilege exists, but still find that some material disclosed in mediation was discoverable.

In federal courts, the Sixth Circuit recognized a settlement privilege in Goodyear Tire & Rubber Co. v. Chiles Power Supply, Inc., 332 F.3d 976 (6th Cir. 2003). But a number of federal courts reject the idea of a federal settlement privilege, holding that Federal Rule of Evidence 408 marks the full extent of protection for communications during negotiations.

Who owes the duty of confidentiality?

Is it the mediator who must maintain confidentiality? Or the parties? Ideally it should be both.

ABA Model Standard V.A. requires the mediator to maintain the confidentiality of all information obtained in the mediation, unless otherwise agreed to by the parties or required by law.

But the Model Standards only pertain to the mediator. Confidentiality between parties remains a matter of law or agreement.

So the assumption that what happens at mediation stays at mediation can be dangerous for carriers, especially where a bad faith claim has been made. Like malpractice cases, bad faith claims are examples of “a case about case.” While bad faith claims usually are bifurcated for trial and discovery purposes, the underlying and bad faith claims often are mediated together. If the bad faith claim does not settle, the question is whether evidence from mediation can be used in the bad faith claim.

Last year, in Mosley v. Arch Specialty Fire Insurance, the Court of Appeals of Kentucky held that it cannot. The underlying plaintiff alleged that two insurers acted in bad faith because they used the same defense counsel to represent them both at mediation, and also complained that counsel made global offers of settlement. Upholding summary judgment on the bad faith claim, the Court noted that allowing mediation conduct to serve as the basis for a new claim would chill settlement negotiations. Kentucky Rule of Evidence 408 (which mirrors the federal rule) was written to prevent this from happening. In addition, Kentucky’s Model Mediation Rule 12 recognizes that mediation conduct is covered by KRE 408. Because the plaintiff’s sole evidence for bad faith was mediation conduct, the Court of Appeals found that summary judgment was proper, since that evidence was not admissible. The Supreme Court of Kentucky has accepted discretionary review in Mosley; it remains to be seen whether that Court will give mediation the same protection.

How important is confidentiality?

One court, asked to set aside a mediated settlement agreement, stated the view that most carriers would agree with. The court declined to give relief that it could give only by concluding that one litigant was unreasonable when it refused to accept an offer to settle. “It would be hard to imagine a procedure better designed to destroy the motivation parties have to engage in the mediation process than to have a judicial office determine how reasonable or unreasonable they were during their mediation and predicate a decision on that determination…. [I]t flies in the face of the central judicial policy that settlement discussions be deemed confidential to encourage parties to engage in them.”

But expecting that all courts automatically have and apply this preference would be a mistake. And it is an easier mistake to make at a time when most mediations are conducted online.

Participate in Drafting the Mediation Agreement.

Carriers might seek the advice of counsel on conflicts of law issues before engaging in mediation, but it is unlikely that an attorney can give a definitive opinion where so many variables exist: the location of the parties, whether each of those jurisdictions recognizes a mediation privilege, and what the choice of law rules are in each jurisdiction.

The better practice is to control those variables as much as possible by agreement. The first principle of the ABA’s Model Standards is “Self-Determination.” Standard I.A. notes that parties “may exercise self-determination at any stage of a mediation, including mediator selection, process design, participation in or withdrawal from the process, and outcomes.” Carriers can use their self-determination to ensure that the mediation agreement properly addresses the use of mediation conduct, and so preserve their motivation to negotiate, by:

  • Determining which of the states that might have an interest recognize a mediation privilege
  • Making sure the mediation agreement includes a choice-of-law provision stating that it will be applied pursuant to the law of one of those states
  • Making sure the mediation agreement imposes upon the parties the contractual obligation to preserve confidentiality.

This will require carriers to obtain the mediator’s standard agreement before the day of mediation so that they can request the insertion of the proper language.

That is an extra step that most carriers and attorneys have not felt the need to take, before now. But it has become a necessary step.

If you have questions or would like more information, please contact Barry Miller at [email protected].

Statute of Limitations Tolled in California Amid Pandemic

Posted on: August 3rd, 2020

By: Matthew Jones

In response to the COVID-19 pandemic, California’s Governor Gavin Newsom issued a “state of emergency” for the entire State. In response, the California Judicial Council adopted several Emergency Rules to implement during the pandemic. In particular, Rule 9 states that all statutes of limitations for civil causes of action are tolled from April 6, 2020 until 90 days after the state of emergency related to COVID-19 is lifted by the Governor. Therefore, if a party’s claim would have expired pursuant to the applicable statute of limitations during this timeframe, that claim is still very much alive. There is currently no deadline to file such claims, since the “state of emergency” has yet to be lifted by the Governor. Once lifted, claimants will have six months to file their respective claims.

Microsoft Takes Control of Domains Exploiting COVID-19 Crisis in Phishing Attacks

Posted on: July 17th, 2020

By: Barry Miller

Microsoft now controls several domain names that, according to the company, were used in attempts to get personal information from Microsoft account holders during the COVID-19 crisis.

A Virginia federal court issued a temporary restraining order July 7, finding good cause to believe that two John Doe defendants would likely violate federal law by using the domain names in phishing attacks. That order directed the registries to give Microsoft control over the hosting and administration of the offending internet domains.

The Court also unsealed Microsoft’s complaint. It alleges that the John Doe Defendants registered domains such as “OfficeInventorys.com” and “OfficeSuiteSoft.com,” using them to send emails “designed to look like they come from an employer or other trusted source.”

Links in those emails, if clicked, would lead the victim to servers hosting malicious web applications that interacted with Office 365 services. Those applications granted the criminals access to Office 365 accounts holding “email, contacts, notes and material stored in the victims’ One Drive for Business” or SharePoint, according to the complaint.

Microsoft’s Digital Crimes Unit began investigating these criminals in December 2019, according to a blog post from Tom Burt, Corporate Vice President, Customer Security and Trust. It blocked their activity but continued to monitor them. “Recently, Microsoft observed renewed attempts by the same criminals, this time using COVID-19 related lures in the phishing emails to target victims,” Mr. Burt’s post stated.

His post cited the FBI’s 2019 Internet Crime Report stating business email compromise attacks (BECs) are the most expensive complaints the Internet Crime Complaint Center receives. The FBI attributed losses exceeding $1.7 billion to BECs.

Mr. Burt pledged that Microsoft would continue to investigate and disrupt cybercriminals, but reminded users that cyber threats continue to evolve, making it “more important than ever to remain vigilant against cyber attacks.”

If you have questions or would like more information, please contact Barry Miller at [email protected].

FINRA Issues Guidance on Remote Work Including Continued Warning for Cyber Threats

Posted on: June 15th, 2020

By: Kathleen Cusack and Kirsten Patzer

Although all 50 states have begun the process of reopening, business spaces have not yet returned to full capacity and many people continue to work remotely.  On May 28, 2020, the Financial Industry Regulatory Authority (FINRA) issued new guidance for working from home based on surveys of financial firms. 

One such piece of guidance is a continued reminder to be vigilant with confidentiality requirements and cybersecurity concerns.  FINRA suggests reminding associated persons of confidentiality requirements, including maintaining a private workspace while working from home and taking extra precautions when working near family or friends.  FINRA also recommends that financial businesses remind and train staff about cybersecurity vulnerabilities and potential fraud risks. 

Since 2015, FINRA has released multiple reports and notices aimed at informing financial professionals about cyber risks and best practices.  The mass shift to remote work has not only resulted in a dramatic increase in the use of personal devices for the completion of work, but has also prompted a sizable increase in cyber threats to individuals and businesses.  According to a study discussed in Forbes, cyber threats increased by about a third between January and March of this year. 

One of the most common types of cyber scams is phishing. Phishing schemes attempt to entice users to provide sensitive information to someone pretending to be a trustworthy person. To protect against phishing scams, FINRA recommends that businesses employ a combination of technological tools and regular training for employees to identify scams. Financial advisors and other associated persons are reminded not to accept trade instructions, withdrawal requests, or third-party transfers via electronic mail. If such a request is received, the advisor should contact their client via telephone to verify and confirm the instruction.

FINRA has also cautioned against increased cybersecurity risks with the use of mobile devices.  FINRA warns that compared to in-office devices, mobile devices face a higher risk of theft or exposure to the installation of malicious applications.  

If you have questions or would like more information, please contact Kirsten Patzer at [email protected] or Kathleen Cusack at [email protected].
