FMG Law Blog

Archive for the ‘Cyber, Privacy, & Security’ Category

Sometimes You Really Can See It Coming

Posted on: January 7th, 2021

By: Barry Miller

A woman charged with bilking the Massachusetts Department of Unemployment Assistance (“Department”) of more than $240,000 went to work for the Department in April after getting out of prison—having served her time for identity fraud.

Federal officials had charged the woman and her husband with conspiracy to commit wire fraud against the Department. The couple were scheduled to appear in court December 31.

According to the United States Attorney for the District of Massachusetts, the wife changed claim information for herself and her husband, resulting in payments of more than $240,000. This was two months after she had started working at the Department and “shortly after her release from federal prison following a conviction for aggravated identity theft.”

A Massachusetts television station asked why someone with a history of fraud had been hired and granted access to the Department’s computer system. A spokesperson responded that the Department “continues to cooperate with this investigation and cannot comment until that investigation is complete.” According to a Boston Herald columnist, the woman identified her previous employer as the “FCI (Federal Correction Institution) in Hazelton, WV.”

In related news, the same TV station reported that fraud was “bogging down” the Department, which had found more than 171,000 claims to be fraudulent, and which has already recovered more than $242 million from claims “found to be fraudulent.”

Goodbye 2020.

If you have questions or would like more information, please contact Barry Miller at [email protected].

Hackers, Viruses, and Spies, Oh My: The Race to Deliver the First Covid-19 Vaccine Fuels Cyber Espionage

Posted on: December 16th, 2020

By: Isis Miranda

Cyber spies have targeted pharmaceutical companies and universities working to develop a Covid-19 vaccine in attempts to steal trade secret information. These sophisticated hacking groups have recently added new targets – organizations expected to distribute the vaccines – prompting CISA (the Cybersecurity & Infrastructure Security Agency) to issue a cyber alert on December 3, 2020.

Cyber espionage, in this case believed to be funded by governments such as Russia, China, North Korea, and others in an attempt to gain a competitive edge in the race to be the first country to deliver a vaccine, differs significantly from ransomware attacks. Ransomware attacks are frequently launched by mercenary-minded hackers with little interest in the information they encrypt, aside from the ability to extract a ransom payment in exchange for decryption keys. The presence of ransomware in the victim’s network is unmistakable since affected files are rendered inaccessible. Cyber spies, in contrast, operate in stealth mode, seeking to avoid detection and harvest ever greater amounts of valuable information. For example, the U.S. departments of Treasury, Commerce, and Homeland Security recently detected breaches of their systems, believed to be perpetrated by Russian hackers working for the Kremlin, that may have lasted for months before they were discovered.

Silent hacks pose unique threats not only because they may go undetected; the stolen information may be valuable for a wide variety of nefarious purposes. Beyond simply allowing a business to gain an unfair advantage in the marketplace, the secret knowledge could allow bad actors, governments and criminals alike, to more precisely target their perceived enemies and undermine global stability.

The attempts to breach the Covid-19 vaccine cold chain, the network of organizations poised to distribute the vaccines while maintaining subzero temperatures, may be a case in point. Knowing how and where the vaccines are being distributed may be valuable to a government attempting to create its own distribution network, but such information might also be used to disrupt the delivery process.

Preventing and treating viruses – both human and computer – will no doubt continue to be important for the foreseeable future. Given the complexity of developing, manufacturing, and distributing on a massive scale the Covid-19 vaccines, some of which must be stored at negative 94 degrees Fahrenheit, the various shelter-in-place orders may be in effect well into 2021. Fortunately, there’s no place like home.

If you have questions or would like more information, please contact Isis Miranda at [email protected].

Additional Information:

FMG has formed a Coronavirus Task Force to provide up-to-the-minute information, strategic advice, and practical solutions for our clients.  Our group is an interdisciplinary team of attorneys who can address the multitude of legal issues arising out of the coronavirus pandemic, including issues related to Healthcare, Product Liability, Tort Liability, Data Privacy, and Cyber and Local Governments.  For more information about the Task Force, click here.

You can also contact your FMG relationship partner or email the team with any questions at [email protected].

**DISCLAIMER:  The attorneys at Freeman Mathis & Gary, LLP (“FMG”) have been working hard to produce educational content to address issues arising from the concern over COVID-19.  The webinars and our written material have produced many questions. Some we have been able to answer, but many we cannot without a specific legal engagement.  We can only give legal advice to clients.  Please be aware that your attendance at one of our webinars or receipt of our written material does not establish an attorney-client relationship between you and FMG.  An attorney-client relationship will not exist unless and until an FMG partner expressly and explicitly states IN WRITING that FMG will undertake an attorney-client relationship with you, after ascertaining that the firm does not have any legal conflicts of interest.  As a result, you should not transmit any personal or confidential information to FMG unless we have entered into a formal written agreement with you.  We will continue to produce education content for the public, but we must point out that none of our webinars, articles, blog posts, or other similar material constitutes legal advice, does not create an attorney client relationship and you cannot rely on it as such.  We hope you will continue to take advantage of the conferences and materials that may pertain to your work or interests.**

Car Dealerships Settle Costly TCPA Text Marketing Class Action

Posted on: November 19th, 2020

By: Matthew Foree

The United States District Court for the Northern District of Oklahoma recently granted final approval of a Telephone Consumer Protection Act (“TCPA”) class action settlement involving several automobile dealerships.  The case is King v. Classic Chevrolet, 2020 U.S. Dist. LEXIS 189783 (N.D. Ok. Oct. 14, 2020). 

Among other things, the TCPA prohibits parties from sending telemarketing text messages using an automatic telephone dialing system (“ATDS”) without obtaining the recipient’s prior express written consent. The penalties range from $500 to $1500 per violation such that mass texts that are not compliant can be costly. 

The Complaint in King alleged violations of the TCPA based on telemarketing text messages that were sent to plaintiff and the class members without prior express written consent. Several examples of the text messages are included in the Complaint. They include solicitations about purchasing a new vehicle, extending auto warranties, and discounts on financing.     

The court certified a class of 118,373 members for the purposes of settlement. Case documents reveal that the case settled for $850,000, with just over $283,000 awarded in attorneys’ fees. Although limited information is available from the public case docket, the definition of the settlement class suggests that a third-party marketing company may have been involved in the text campaign.

The settlement serves as a reminder of the potential exposure of businesses that conduct text marketing. These businesses need to ensure strict compliance with the TCPA and its regulations or face the risk of severe penalties. Additionally, to the extent that such businesses rely on third parties to assist in text marketing campaigns, they should properly vet such third parties and ensure that those entities strictly comply as well.

Finally, the timing of the settlement in the King case is interesting given that the definition of ATDS is at issue in the Facebook v. Duguid case before the United States Supreme Court, with oral argument scheduled for December 8, 2020. We have previously discussed the importance of the Facebook case here.

If you have questions or would like more information, please contact Matt Foree at [email protected].

$1 Million Settlement for HIPAA Violations is Cautionary Tale

Posted on: November 2nd, 2020

By: Amy Bender

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that insurance giant Aetna will pay $1,000,000 to settle HIPAA violations stemming from the following three disclosures of nearly 19,000 plan members’ protected health information (PHI):

  • Two web services used to display plan-related documents to health plan members allowed documents to be accessible without login credentials and indexed by various internet search engines
  • Benefit notices were mailed to members using window envelopes that displayed the words “HIV medication”
  • The envelope of a research study mailing that was sent to members contained the name and logo of the atrial fibrillation (irregular heartbeat) study in which they were participating

OCR determined that Aetna had committed the following HIPAA breaches:  

  • Impermissible disclosures of PHI
  • Failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of PHI
  • Failure to implement procedures to verify that a person or entity seeking access to PHI is the one claimed
  • Failure to limit the PHI disclosed to the amount reasonably necessary to accomplish the purpose of the use or disclosure
  • Failure to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI

In addition to paying the hefty fine, Aetna must implement a corrective action plan that includes implementation of, distribution of, and workforce training on written policies and procedures relating to privacy of PHI.

A copy of the settlement agreement and corrective action plan is posted on OCR’s website, available here.

This settlement is yet another reminder to HIPAA-covered entities to be vigilant in maintaining the privacy of PHI. Violations can be costly and result in negative publicity. Freeman Mathis & Gary’s Data Security, Privacy & Technology practice group can assist your organization with implementing data security policies and procedures, other preventative measures, and remedial efforts following a data breach. Please contact Amy Bender at [email protected] for more information.

Central Bank Digital Currency: Oxymoron or Near Reality?

Posted on: October 22nd, 2020

By: Peter Dooley

In a sharp change of course and softening of rhetoric, Federal Reserve Chair Jerome Powell gave a speech on Monday, October 19th at the International Monetary Fund’s Annual Meeting in which he left the door open to the creation of a digital currency backed by the central bank in the near future. The idea of a central bank digital currency, which has been given the catchy abbreviation CBDC, is not a novel idea, but the consistent reluctance of the U.S. Federal Reserve to wade more than ankle-deep into the world of digital currencies makes Powell’s comment particularly noteworthy. The Federal Reserve’s prior hesitancy has quickly given way to comments about “carefully and thoughtfully evaluating the potential costs and benefits of a central bank digital currency for the U.S. economy and payments system.”

This movement towards further exploration of digital currencies is not just a policy stance change for the Federal Reserve, but it also feels odd due to the origin of digital currency and the underlying blockchain technology. A digital currency backed by the U.S. government is a far cry from the origins of blockchain, Bitcoin, and the de-centralized, unregulated wild-west conditions that birthed most cryptocurrencies around today. Regardless of the loss of outlaw appeal, the potential benefits that a centralized digital currency could bring in terms of speed of international payments, increases in efficiency of record storage and verification, and the general increase in cyber-security and privacy for which blockchain and digital currencies are known may be too advantageous for governments to pass up.

The U.S. is not alone in its efforts either, as nations such as Canada, Sweden, China, and Japan are already in the experimentation phase with their own government-backed digital currencies. Despite the newfound love for digital currencies, the Federal Reserve continues to make it clear that a potential digital currency would not be “a replacement for cash, and current private-sector digital forms of the dollar, such as commercial bank money.” Experimentation will be important, but a larger source of delay is likely to be in drafting the extensive regulations surrounding the digital currency while simultaneously assuring that these regulations and payment processes are consistent with International Monetary Fund agreements and other international frameworks and treaties.

A U.S. CBDC is in no way a sure thing, but these statements showing interest and experimentation with the likes of MIT give reason to believe that the Federal Reserve is seriously warming up to digital currencies. In addition, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) recently decided to further regulate and place sanctions on payments of malware ransoms through digital currencies, and this move further illustrates the federal government’s new desire to stake its claim in this sector. These first-of-their-kind sanctions are explained in detail in the recent blog post of Caitlin Tubbesing. While it’s also not likely that we will have one of the first CBDCs in circulation, the Federal Reserve’s shifting tone lends further credence to the idea and provides reason for optimism in wide-scale implementation of blockchain and digital currencies on a national level in the not too distant future.

As governments and businesses continue to increase involvement in the sector of blockchain and digital currencies, it is important to stay up-to-date and vigilant for any ways this could affect your company’s cyber-security and policies and procedures in general.

If you have questions or would like more information, please contact Peter Dooley at [email protected].