FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

Does What Happens in Mediation Stay in Mediation?

Posted on: August 14th, 2020

By: Barry Miller

Insurers: Time to review your mediation practices.

As COVID-19 travel restrictions force most mediations online, often with participants in more than one state, insurance carriers must re-examine their assumptions about the process. They need assurance that what happens in mediation stays in mediation and does not become the foundation for a bad faith case. They may even be surprised to find that whether that assurance exists might vary from jurisdiction to jurisdiction.

Standard I of the Model Standards of Conduct for Mediators (published by the American Bar Association with the American Arbitration Association, and the Association for Conflict Resolution) upholds this idea. “Parties may exercise self-determination at any stage of a mediation, including mediator selection, process design, participation in or withdrawal from the process, and outcomes.” (Model Standard I).

And how a carrier exercises that right to determination is also protected by the principle of confidentiality. At least that’s the assumption many carriers make.

It is time to reconsider that belief and the boundaries of confidentiality.

Which law governs confidentiality?

Mediating across state lines is not a new thing. Before COVID-19 mediations sometimes included out-of-state participants by telephone. But what used to be an exception is now becoming the norm. The preference of most courts and mediators to have the parties and representatives in the same location had to change in 2020, if COVID-19 was not to halt mediations altogether. As the number of interstate mediations increases, questions about conflicts of law will arise more often.

There is no uniform mediation privilege applied by the courts of the 50 states. In fact, at least one federal court has found that South Carolina, where it sits, recognizes no such privilege. Other federal courts (such as this one sitting in Pennsylvania) recognize that the privilege exists, but still find that some material disclosed in mediation was discoverable.

In federal courts, the Sixth Circuit recognized a settlement privilege in Goodyear Tire & Rubber Co. v. Chiles Power Supply, Inc., 332 F.3d 976 (6th Cir. 2003). But a number of federal courts reject the idea of a federal settlement privilege, holding that Federal Rule of Evidence 408 marks the full extent of protection for communications during negotiations.

Who owes the duty of confidentiality?

Is it the mediator who must maintain confidentiality? Or the parties? Ideally it should be both.

Model Standard V.A. requires the mediator to maintain the confidentiality of all information obtained in the mediation, unless otherwise agreed to by the parties or required by law.

But the Model Standards only pertain to the mediator. Confidentiality between parties remains a matter of law or agreement.

So the assumption that what happens at mediation stays at mediation can be dangerous for carriers, especially where a bad faith claim has been made. Like malpractice cases, bad faith claims are examples of “a case about a case.” While bad faith claims usually are bifurcated for trial and discovery purposes, the underlying and bad faith claims often are mediated together. If the bad faith claim does not settle, the question is whether evidence from mediation can be used in the bad faith claim.

Last year, in Mosley v. Arch Specialty Fire Insurance, the Court of Appeals of Kentucky held that it cannot. The underlying plaintiff alleged that two insurers acted in bad faith because they used the same defense counsel to represent them both at mediation, and also complained that counsel made global offers of settlement. Upholding summary judgment on the bad faith claim, the Court noted that allowing mediation conduct to serve as the basis for a new claim would chill settlement negotiations. Kentucky Rule of Evidence 408 (which mirrors the federal rule) was written to prevent this from happening. In addition, Kentucky’s Model Mediation Rule 12 recognizes that mediation conduct is covered by KRE 408. Because the plaintiff’s sole evidence for bad faith was mediation conduct, the Court of Appeals found that summary judgment was proper, since that evidence was not admissible. The Supreme Court of Kentucky has accepted discretionary review in Mosley; it remains to be seen whether that Court will give mediation the same protection.

How important is confidentiality?

One court, asked to set aside a mediated settlement agreement, stated the view that most carriers would agree with. The court declined to grant relief that it could only give by concluding that one litigant was unreasonable when it refused to accept an offer to settle. “It would be hard to imagine a procedure better designed to destroy the motivation parties have to engage in the mediation process than to have a judicial officer determine how reasonable or unreasonable they were during their mediation and predicate a decision on that determination…. [I]t flies in the face of the central judicial policy that settlement discussions be deemed confidential to encourage parties to engage in them.”

But expecting that all courts automatically have and apply this preference would be a mistake. And it is an easier mistake to make in a time when most mediations are conducted online.

Participate in Drafting the Mediation Agreement.

Carriers might seek the advice of counsel on conflicts of law issues before engaging in mediation, but it is unlikely that an attorney can give a definitive opinion where so many variables exist: the location of the parties, whether each of those jurisdictions recognizes a mediation privilege, and what the choice of law rules are in each jurisdiction.

The better practice is to control those variables as much as possible by agreement. The first principle of the ABA’s Model Standards is “Self-Determination.” Standard I.A. notes that parties “may exercise self-determination at any stage of a mediation, including mediator selection, process design, participation in or withdrawal from the process, and outcomes.” Carriers can use their self-determination to ensure that the mediation properly addresses the use of mediation conduct to preserve their motivation to negotiate by:

  • Determining which of the states that might have an interest recognize a mediation privilege
  • Making sure the mediation agreement includes a choice-of-law provision stating that it will be applied pursuant to the law of one of those states
  • Making sure the mediation agreement imposes upon the parties the contractual obligation to preserve confidentiality.

This will require carriers to obtain the mediator’s standard agreement before the day of mediation so that they can request the insertion of the proper language.

That is an extra step that most carriers and attorneys have not felt the need to take before now. But it has become a necessary step.

If you have questions or would like more information, please contact Barry Miller at [email protected].

Statute of Limitations Tolled in California Amid Pandemic

Posted on: August 3rd, 2020

By: Matthew Jones

In response to the COVID-19 pandemic, California’s Governor Gavin Newsom issued a “state of emergency” for the entire State. In response, the California Judicial Council adopted several Emergency Rules to implement during the pandemic. In particular, Rule 9 states that all statutes of limitations for civil causes of action are tolled from April 6, 2020 until 90 days after the state of emergency related to COVID-19 is lifted by the Governor. Therefore, if a party’s claim would have expired pursuant to the applicable statute of limitations during this timeframe, such claims are still very much alive. In regard to those claims, there is currently no deadline to file them since the “state of emergency” has yet to be lifted by the Governor. Once lifted, claimants will have six months to file their respective claims.

Additional Information:

FMG has formed a Coronavirus Task Force to provide up-to-the-minute information, strategic advice, and practical solutions for our clients.  Our group is an interdisciplinary team of attorneys who can address the multitude of legal issues arising out of the coronavirus pandemic, including issues related to Healthcare, Product Liability, Tort Liability, Data Privacy, and Cyber and Local Governments.  For more information about the Task Force, click here.

You can also contact your FMG relationship partner or email the team with any questions at [email protected].

**DISCLAIMER:  The attorneys at Freeman Mathis & Gary, LLP (“FMG”) have been working hard to produce educational content to address issues arising from the concern over COVID-19.  The webinars and our written material have produced many questions. Some we have been able to answer, but many we cannot without a specific legal engagement.  We can only give legal advice to clients.  Please be aware that your attendance at one of our webinars or receipt of our written material does not establish an attorney-client relationship between you and FMG.  An attorney-client relationship will not exist unless and until an FMG partner expressly and explicitly states IN WRITING that FMG will undertake an attorney-client relationship with you, after ascertaining that the firm does not have any legal conflicts of interest.  As a result, you should not transmit any personal or confidential information to FMG unless we have entered into a formal written agreement with you.  We will continue to produce education content for the public, but we must point out that none of our webinars, articles, blog posts, or other similar material constitutes legal advice, does not create an attorney client relationship and you cannot rely on it as such.  We hope you will continue to take advantage of the conferences and materials that may pertain to your work or interests.**

Twitter Hack and the Lessons it Leaves Behind

Posted on: July 21st, 2020

By: Courtney Mazzio

Twitter fell victim to a major cyber attack on Wednesday, July 15, when the accounts for some of the world’s most recognizable public figures, executives and celebrities started tweeting out links to bitcoin scams. The first public signs of the intrusion came around 3 PM EST, when the Twitter account for the cryptocurrency exchange Binance tweeted a message saying it had partnered with “CryptoForHealth” to give back 5000 bitcoin to the community, with a link where people could donate or send money. Shortly after that, similar tweets went out from the accounts of other cryptocurrency exchanges, and from the Twitter accounts for certain politicians and celebrities including President Barack Obama, Joe Biden, Elon Musk, Bill Gates, Kanye West, Michael Bloomberg, and Apple. In immediate response, Twitter blocked new tweets from every verified user, whether compromised or not, and locked all compromised accounts.

In order to gain access to the user accounts, the attackers targeted certain Twitter employees through a social engineering scheme. In this attack, the attackers successfully manipulated a small number of Twitter employees and used their credentials to access Twitter’s internal systems. As of July 18, Twitter knew that the bad actors accessed tools only available to its internal support teams to target 130 Twitter accounts. For 45 of those accounts, the attackers were able to initiate a password reset, log in to the account, and send the tweets. Twitter is also reporting that for up to eight of the accounts involved (none were verified accounts), the attackers took the additional step of downloading the account’s information through Twitter’s “Your Twitter Data” tool. This is a tool that is meant to provide an account owner with a summary of their Twitter account details and activity, meaning that information such as private conversations and personal information on those accounts could have been accessed by the attackers.

Though the identities of the hackers are not yet known, there are strong indications that the attack was perpetrated by individuals who specialize in hijacking social media accounts via “SIM swapping,” an increasingly popular form of crime that involves bribing, hacking or coercing employees at mobile phone and social media companies into providing access to a target’s account. It’s estimated that the bad actors collected over $100,000 through this Twitter scam.

This incident demonstrates that even tech companies with technically sophisticated employees can still fall victim to phishing attacks. Twitter has said it will conduct additional company-wide training to guard against social engineering tactics in order to supplement the training its employees already receive during onboarding, and that employees will receive ongoing phishing exercises throughout the year as well. Training of that type is important not just for companies like Twitter, but really for companies of all sizes and in all industries. Employees continue to be a front line of defense in cybersecurity and no amount of technical safeguards on your computer network can protect against an employee being tricked into disclosing his or her credentials in a social engineering scam. So the moral of the story is: train early, train often, and talk about social engineering and cybersecurity in your workplace.

If you have questions or would like more information, please contact Courtney Mazzio at [email protected].

Microsoft Takes Control of Domains Exploiting COVID-19 Crisis in Phishing Attacks

Posted on: July 17th, 2020

By: Barry Miller

Microsoft now controls several domain names that, according to the company, were used in attempts to get personal information from Microsoft account holders during the COVID-19 crisis.

A Virginia federal court issued a temporary restraining order July 7, finding good cause to believe that two John Doe defendants would likely violate federal law by using the domain names in phishing attacks. That order directed the registries to give Microsoft control over the hosting and administration of the offending internet domains.

The Court also unsealed Microsoft’s complaint. It alleges that the John Doe Defendants registered domains such as “OfficeInventorys.com” and “OfficeSuiteSoft.com,” using them to send emails “designed to look like they come from an employer or other trusted source.”

Links in those emails, if clicked, would lead the victim to servers hosting malicious web applications that interacted with Office 365 services. Those applications granted the criminals access to Office 365 accounts holding “email, contacts, notes and material stored in the victims’ One Drive for Business” or SharePoint, according to the complaint.

Microsoft’s Digital Crimes Unit began investigating these criminals in December 2019, according to a blog post from Tom Burt, Corporate Vice President, Customer Security and Trust. It blocked their activity but continued to monitor them. “Recently, Microsoft observed renewed attempts by the same criminals, this time using COVID-19 related lures in the phishing emails to target victims,” Mr. Burt’s post stated.

His post cited the FBI’s 2019 Internet Crime Report stating business email compromise attacks (BECs) are the most expensive complaints the Internet Crime Complaint Center receives. The FBI attributed losses exceeding $1.7 billion to BECs.

Mr. Burt pledged that Microsoft would continue to investigate and disrupt cybercriminals, but reminded users that cyber threats continue to evolve, making it “more important than ever to remain vigilant against cyber attacks.”

If you have questions or would like more information, please contact Barry Miller at [email protected].

Businesses Beware of the Parallax RAT Trap

Posted on: July 7th, 2020

By: Peter Dooley

One of the newest and most potentially harmful malware campaigns, the appropriately named Parallax RAT, has been wreaking havoc on businesses of all sizes during this already trying time of increased remote work. RAT stands for “remote access trojan” and Parallax RAT is on the cutting edge of malware that is most often distributed through malicious attachments to camouflaged emails. The full control over an infected system that this remote access trojan gives hackers can be, and has been, devastating to businesses storing sensitive client or employee information.

The sensitive personal, medical, and financial information gained by hackers using Parallax RAT can be sold on any number of darknet markets or forums. Additionally, companies facing breaches of larger magnitudes have been forced to pay ransoms in Bitcoin in order to regain control of their sensitive data. Trojan threats like this one are nothing new and RATs have been used to gather information and steal credentials for nearly two decades; notable RATs that rose to popularity before Parallax include Agent Tesla, IvizTech, and RevengeRAT. Parallax RAT distinguishes itself by offering malicious actors a wider range of file types to phish for credentials as well as more efficient and sophisticated tools to camouflage attacks. The ease of use and ability to tailor communications using specific information are putting small businesses in increasing peril.

Recent accounts of certified public accounting firms being victims of the malware and having fraudulent tax returns filed using the CPA’s credentials illustrate the high stakes and complex risks associated with a Parallax RAT attack. If a breach does occur, the login credentials seized may be used to deliver the Trojan’s payload to the affected computer. Parallax is then installed and launches whenever a user logs into the system. At this point, the hacker has the ability to access the infected computer and can use a keylogger to copy or steal sensitive or valuable information. This scenario is even more worrisome as victims of a Parallax RAT attack are often completely unaware of the breach until they are notified through other means that sensitive data has been leaked.

To minimize the risk of a Parallax RAT attack or other cyber-attack, organizations should be vigilant in their defenses against malware. Training your workforce on identifying phishing emails, being skeptical of anything unsolicited, and not clicking on attachments or links from unknown sources, is critical and should be among your first priorities. Anti-virus should be installed and up-to-date on all servers and endpoints within your network, in addition to intrusion detection software that identifies and alerts you to any suspicious activity. Also be sure that your organization maintains regular backups of its data, stored separately and unconnected from your primary data repository, so you have the ability to restore files if you become infected with ransomware. Lastly, now is a good time to review your cyber liability insurance to ensure coverage is in place with appropriate limits and coverage for ransomware and other privacy events. In addition to the stress involved, cyber attacks can be costly and you will thank yourself later.

If you have questions or would like more information, please contact Peter Dooley at [email protected] or a member of our Data Security, Privacy & Technology practice group.