CLOSE X
RSS Feed LinkedIn Instagram Twitter Facebook
Search:
FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

Central Bank Digital Currency: Oxymoron or Near Reality?

Posted on: October 22nd, 2020

By: Peter Dooley

In a sharp change of course and softening of rhetoric, Federal Reserve Chair Jerome Powell gave a speech on Monday, October 19th at the International Monetary Fund’s Annual Meeting in which he left the door open to the creation of a digital currency backed by the central bank in the near future. The idea of a central bank digital currency, which has been given the catchy abbreviation CBDC, is not a novel idea, but the consistent reluctance of the U.S. Federal Reserve to wade more than ankle-deep into the world of digital currencies makes Powell’s comment particularly noteworthy. The Federal Reserve’s prior hesitancy has quickly given way to comments about “carefully and thoughtfully evaluating the potential costs and benefits of a central bank digital currency for the U.S. economy and payments system.”

This movement towards further exploration of digital currencies is not just a policy stance change for the Federal Reserve, but it also feels odd due to the origin of digital currency and the underlying blockchain technology. A digital currency backed by the U.S. government is a far cry from the origins of blockchain, Bitcoin, and the de-centralized unregulated wild-west conditions that birthed most cryptocurrencies around today. Regardless of the loss of outlaw appeal, the potential benefits that a centralized digital currency could bring in terms of speed of international payments, increases in efficiency of record storage and verification, and the general increase in cyber-security and privacy for which blockchain and digital currencies may be too advantageous for governments to pass up.

The U.S. is not alone in its efforts either as nations such as Canada, Sweden, China, and Japan are already in the experimentation phase with their own government back digital currencies. Despite the newfound love for digital currencies, the Federal Reserve continues to make it clear that a potential digital currency would not be “a replacement for cash, and current private-sector digital forms of the dollar, such as commercial bank money.” Experimentation will be important, but a larger source of delay is likely to be in drafting the extensive regulations surrounding the digital currency while simultaneously assuring that these regulations and payment processes are consistent with International Monetary Fund agreements and other international frameworks and treaties.

A U.S. CBDC is in no way a sure thing, but these statements showing interest and experimentation with the likes of MIT give reason to believe that the Federal Reserve is seriously warming up to digital currencies. In addition, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) recently decided to further regulate and place sanctions on payments of malware ransoms through digital currencies and this move further illustrates the federal government’s new desire to stake its claim in this sector. These first of their kind sanctions are explained in detail in the recent blog post of Caitlin Tubbesing. While it’s also not likely that we will have one of the first CBDC’s in circulation, the Federal Reserve’s shifting tone lends further credence to the idea and provides reason for optimism in wide-scale implementation of blockchain and digital currencies on a national level in the not too distant future.  

As governments and businesses continue to increase involvement in the sector of blockchain and digital currencies, it is important to stay up-to-date and vigilant for any ways this could affect your company’s cyber-security and policies and procedure in general.

If you have questions or would like more information, please contact Peter Dooley at [email protected].

Eleventh Circuit Rejects Class Action Representative’s Incentive Award

Posted on: October 12th, 2020

By: Matthew Foree

The Court of Appeals for the Eleventh Circuit recently confronted the issue of incentive awards commonly given to class representatives as part of class-wide settlements. The court held in Johnson v. NPAS Sols., LLC, which can be found here, that such an award was inappropriate. 

Plaintiff Charles T. Johnson filed the underlying case as a Telephone Consumer Protection Act (“TCPA”) class action. The case proceeded to the settlement phase during which Johnson moved to certify the class for settlement purposes. The trial court preliminarily approved the settlement and certified the class. The court also appointed Johnson as the class representative and permitted him to petition the Court to receive an amount not to exceed $6,000 as an incentive award to acknowledge his role in prosecuting the case on behalf of the class members. Such awards are common in the class action context. 

After the class members were notified of the settlement, only one class member, Jenna Dickenson, objected to the settlement. This class member, the appellant in the Eleventh Circuit case, objected to the settlement on various grounds, including that the incentive award contravened U.S. Supreme Court precedent and created a conflict of interest between Johnson and the other class members. The trial court overruled the objection and approved the settlement. Dickenson filed the present appeal.

In reviewing the issue, the Eleventh Circuit considered Dickenson’s argument that the trial court’s approval of the incentive award contravened Supreme Court precedent. The court considered the two cases that Dickenson relied on, both of which were decided in the late 1800s.  See Trustees v. Greenough¸105 U.S. 527 (1882) and Central Railroad & Banking Co. v. Pettus, 113 U.S. 116 (1885). The Eleventh Circuit determined that Greenough and Pettus established limits on the types of awards that attorneys and litigants can recover. Specifically, the Eleventh Circuit determined that Greenough and Pettus provide a rule that a “plaintiff suing on behalf of a class can be reimbursed for attorneys’ fees and expenses incurred in carrying on the litigation, but he cannot be paid a salary or be reimbursed for his personal expenses.” The court analogized an incentive award for a class representative to a salary for “personal services” prohibited by the Supreme Court. Interestingly, the court stated that modern-day incentive awards present more pronounced risks than salary and expense reimbursements, as they not only “compensate class representatives for their time (i.e., as a salary), but also to promote litigation by providing a prize to be won (i.e., as a bounty).” Accordingly, the court reversed the lower court’s approval of the incentive award.

The Eleventh Circuit’s decision in Johnson comes as somewhat of a surprise, given the proliferation of incentive awards in the TCPA class action context. It remains to be seen how broadly this case will be interpreted and whether other courts will use this reasoning to prevent such awards. It also remains to be seen how this will affect the “incentive” for individuals to serve as class representatives, at least in cases in the Eleventh Circuit.

If you have questions or would like more information, please contact Matthew Foree at [email protected].

Pandemic Brings Increase in Ransomware Payments Prompting New Advisories from OFAC and FinCEN on Sanctions Risks

Posted on: October 12th, 2020

By: Caitlin Tubbesing

On October 1st—the first day of National Cybersecurity Awareness Month—the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) warned companies working with victims of ransomware attacks of potential sanctions for facilitating ransomware payments. Ransomware attacks have increased during the COVID-19 pandemic and the resulting shift to remote operations as cyber actors target online systems companies rely on to conduct business. The guidance provides a timely warning to cyber insurers, digital forensics, and financial services institutions that payment of a ransom to a sanctioned jurisdiction or individual may be a violation of OFAC regulations and federal law which could result in sanctions.

As a part of its sanctions program, OFAC has a database of designated malicious cyber actors, including perpetrators of ransomware attacks and facilitators of ransomware transactions, and imposes sanctions on those “who materially assist, sponsor, or provide financial, material, or technological support for these activities.” Pursuant to the International Emergency Economic Powers Act  and the Trading with the Enemy Act, individuals and entities are prohibited from engaging in direct or indirect transactions with those on OFAC’s Specially Designated Nationals and Blocked Persons List, in addition to other blocked persons, and those covered by a national or regional embargo. OFAC may impose civil penalties for violating these federal laws irrespective of whether it was known or there was even a reason to know it was engaging in a transaction with a prohibited individual, entity, or jurisdiction.  

The sanctions are intended to target and temper the proliferation of ransomware attack payments, which implicate significant national security concerns. Payments made to sanctioned persons or jurisdictions could be used to fund activities adverse to American interests and policy objectives. Payments may also encourage cyber actors to continue to engage in these attacks. In addition to the national security nexus, OFAC observed that payments are no guarantee that access to stolen data will be restored to the ransomware attack victim.  

Companies working with ransomware attack victims should account for the sanctions risks associated with ransomware payments and implement a risk-based compliance program incorporating the following five components: (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training.  Victims and companies involved in responding to ransomware attacks should also report attacks to OFAC and law enforcement and are encouraged to cooperate with law enforcement before and after the attack. Financial companies responsible for facilitating ransomware payments should determine whether filing a Suspicious Activity Report (SAR) with FinCEN is proper or required.

If you have questions or would like more information, please contact Caitlin Tubbesing at [email protected].

Additional Information:

FMG has formed a Coronavirus Task Force to provide up-to-the-minute information, strategic advice, and practical solutions for our clients.  Our group is an interdisciplinary team of attorneys who can address the multitude of legal issues arising out of the coronavirus pandemic, including issues related to Healthcare, Product Liability, Tort Liability, Data Privacy, and Cyber and Local Governments.  For more information about the Task Force, click here.

You can also contact your FMG relationship partner or email the team with any questions at [email protected].

**DISCLAIMER:  The attorneys at Freeman Mathis & Gary, LLP (“FMG”) have been working hard to produce educational content to address issues arising from the concern over COVID-19.  The webinars and our written material have produced many questions. Some we have been able to answer, but many we cannot without a specific legal engagement.  We can only give legal advice to clients.  Please be aware that your attendance at one of our webinars or receipt of our written material does not establish an attorney-client relationship between you and FMG.  An attorney-client relationship will not exist unless and until an FMG partner expressly and explicitly states IN WRITING that FMG will undertake an attorney-client relationship with you, after ascertaining that the firm does not have any legal conflicts of interest.  As a result, you should not transmit any personal or confidential information to FMG unless we have entered into a formal written agreement with you.  We will continue to produce education content for the public, but we must point out that none of our webinars, articles, blog posts, or other similar material constitutes legal advice, does not create an attorney client relationship and you cannot rely on it as such.  We hope you will continue to take advantage of the conferences and materials that may pertain to your work or interests.**

The Sixth Circuit Takes A Narrow Construction Of The Computer Fraud And Abuse Act And Sides With Employees

Posted on: September 18th, 2020

By: Caitlin Tubbesing and Barry Miller

The Computer Fraud And Abuse Act (CFAA) is a federal law that provides it is a violation for an individual to “intentionally access a computer without authorization or exceed authorized access” to get protected information.  Employers have attempted to rely upon the CFAA for years to pursue former employees who stole (or destroyed) confidential information from the employer’s computer system prior to leaving for a competitor. 

The issue that courts have struggled with is as follows: Does an employee who lawfully accesses his employer’s computer system, but engages in actions with a nefarious intent within the confines of that access violate the Computer Fraud And Abuse Act? That is a lot to chew on, right? Numerous federal courts agree it is a rubbery issue, which is why there are varying decisions by both district and appellate courts across the United States dealing with CFAA claims against former employees.

On September 9, the Sixth Circuit weighed in on this dispute when it held (in Royal Truck & Trailer Sales v. Kraft) that employees who took proprietary information from the network their employer gave them access to prior to departing for a competitor did not violate the Computer Fraud and Abuse Act (“CFAA”). In this case, the Sixth Circuit initially observed that the employees were allowed to access Royal Truck’s system because they still were employees when they did so. So the meatier question for the Sixth Circuit is whether employees exceeded their authorization when they accessed information for an improper purpose.   

The Sixth Circuit answered “no” because  the language of the CFAA required Royal Truck to show that the employees used their permitted access to gain information that they were not entitled to have. The information they acquired—quotes for Royal Truck customers—was information they could have when they were employees. The Sixth Circuit joined the Second, Fourth, and Ninth Circuits in narrowly interpreting the statute in this manner.

The Royal Truck court acknowledged, however, that other circuit courts—the First, Fifth, Seventh, Eighth, and Eleventh—read the statute more broadly, and would likely find the Royal Truck employees liable under the CFAA. The Supreme Court has accepted a criminal case, Van Buren v. United States, to be heard in the October 2020 term. While Van Buren is a criminal case, it still allows the Supreme Court to resolve this conflict in how the statute is interpreted. Until then, employers will have to understand the circuit split when assessing whether to pursue this type of claim against former employees.

If you have questions or would like more information, please contact Caitlin Tubbesing at [email protected] or Barry Miller at [email protected].

CCPA Enforcement: It’s Here … And Beyond

Posted on: September 14th, 2020

By: Rick Bortnick

On July 1. California’s Attorney General (“OAG”) began enforcing the California Consumer Privacy Act (“CCPA”)  against Covered Entities, notwithstanding that California’s Office of Administrative Law (“OAL”) had yet to approve CCPA’s correlative regulations. That changed on August 14, when the OAG announced that it had approved CCPA’s final regulations, albeit it with what the OAL characterized as “non-substantive changes for accuracy, consistency, and clarity.”

OAL’s changes included a modification of the mandate requiring Covered Entities to include a “Do Not Sell My Info” link on their home page enabling consumers to “opt-out” and direct the Covered Entity not to sell their personal information. The OAL now requires Covered Entities to display a “Do Not Sell My Information” link rather than the shorthand “Do Not Sell My Info” phrase.

While the OAL’s deletion of the short-hand link is effective immediately, businesses have 30 days to cure any alleged violations from the date they receive a non-compliance letter.

In addition, the OAG withdrew four of the sections it previously had proposed as follows:

  1. removed guidance on how business may use previously collected information for a materially different purpose by obtaining express consent from consumers;
  2. removed guidance on how business substantially interacting with consumers offline should provide notice of right to opt-out via an offline method;
  3. removed guidance on how businesses can provide consumers methods for submitting opt-out requests; and
  4. removed a section addressing a Covered Entity’s ability to deny certain requests for authorized agents.

The OAG hit the ground running from the moment its authority to enforce CCPA incepted. The same day its enforcement authority went into effect, the OAG sent compliance letters to businesses across all sectors notifying the recipients of alleged CCPA violations.   

The Attorney General was not the only one eager to enforce CCPA. Within days, a putative class of consumers sued Walmart alleging it had violated CCPA’s security provision, been negligent under the California Customer Records Act, had committed unfair business practices, and breached the contract arising from Walmart’s privacy policy. According to the Walmart Complaint, “the dark web is replete with stolen Walmart accounts for sale”, including credit and payment card information. The Complaint further avers that Walmart’s online security systems are vulnerable to unauthorized intrusions. This suit comes on the heels of prior CCPA suits against Minted Inc., Zoom, TikTok, and Salesforce.com.

The named plaintiff also asserts that he had communicated with the alleged hackers and verified the available personal information belonged to Walmart’s customers, a highly uncommon allegation in class actions relating to alleged privacy incidents and cyber breaches.

Citing CCPA, the named plaintiff seeks class-wide damages of at least $100 but not more than $750 per affected consumer. For Walmart, this means that a potential class of two million Californians could result in $200 million to $1.5 billion in damages. While this would scale down for smaller businesses, even a business subject to the CCPA with 50,000 consumers would face damages ranging from $5 million to $37.5 million.

But that is far from the end of the risks and potential exposures that companies doing business and aspiring to do business in California may face. To the contrary, on November 3, California residents will vote on the proposed California Privacy and Rights and Enforcement Act, sometimes referenced as CCPA 2.0 (“CPRA”), a statute which would further enhance California consumers’ privacy rights. As proposed, CPRA imposes more robust privacy requirements on Covered Entities and increases the penalties they might be assessed for violations. The proposed legislation gathered over 600,000 (reportedly over 925,000) valid signatures, according to California’s Secretary of State. 

The enhanced privacy rights proposed in CRPA would bring California even closer to the European Union’s mandates, which are set forth in its General Data Protection Regulation, colloquially known as GDPR, currently the most robust privacy legislation in the world. 

Among other things, CPRA would impose new obligations with respect to personal information (“PI”) collected after January 1, 2023, save the right to access personal information collected on or after January 1, 2022.

Given consumers’ concerns about and sensitivity to the loss of their personal information, CPRA is expected to pass by an overwhelming margin.

In short, Covered Entities doing business or aspiring to do business with California residents should take all appropriate steps  to implement “reasonable security procedures and practices” (an undefined term) to be compliant with CCPA and its newly enacted regulations, and steel themselves for even more robust mandates upon the passage and enactment of CRPA. To start, businesses that sell the personal information of California residents should include a link on their home page to a separate notice page that includes a “Do Not Sell My Personal Information” tab advising users of their right to opt-out.

Moreover, Covered Entities should be careful to maintain and update, as necessary, proactive employee training and robust information security protections. This, of course, includes having attorneys, who carry the attorney-client privilege with them, train both employees who deal with the public, as well as those with access to personal data, on how to detect and avoid social engineering and other types of business email compromise attacks. A company’s reputation and viability might depend on it.  

If you have questions or would like more information, please contact Rick Bortnick at [email protected].