FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

Facing Increased Cyber Threats Against Legal and Accounting Professionals During the COVID-19 Pandemic

Posted on: March 24th, 2020

By: Renata Hoddinott

Millions around the world have had their daily routines disrupted, and a wide variety of companies are participating in the largest “work from home” mobilization in history. While the ability of professionals to work remotely is key to business continuity in the midst of this pandemic, in doing so, firms and professionals have opened their networks to unprecedented exposure.

Bad actors are capitalizing on the intense focus on COVID-19 and the panic and fear surrounding it, and security professionals have already noted an increase in malicious schemes. Those include phishing emails framed as alerts regarding the coronavirus outbreak, containing attachments purportedly with information about COVID-19 and how to protect against the virus. When people are already stressed, fearful, and desperate for the most up-to-date information to protect themselves and their loved ones, there is a significant risk to the security of any network.

Another prevalent threat for professionals, and particularly for CPAs, is in the realm of wire transfer requests. These types of scams are on the rise and can be very convincing, duping even the most cyber-savvy of professionals. Bad actors often begin well in advance of an attack by lying in wait and collecting information over an extended period. When the opportunity presents itself, such as now, these criminals use that information to launch convincing wire transfer requests. They can be framed as emails from “clients” requesting emergency funding and providing fraudulent wire instructions. CPAs often find themselves on the front lines against these malicious schemes and need to remain diligent and exercise extreme caution when responding to any requests. With professionals working remotely it can be more difficult to ensure a request is valid, but it is vital for requests to be double and triple checked and validated directly by phone or video to ensure accuracy before a single dollar is transferred.

Now is the time for all professionals to be vigilant about cyber dangers. An unprecedented number of professionals are accessing company networks remotely and continuing to service clients, including handling sensitive and confidential client data. In an office environment, when a threat is detected, IT can immediately quarantine and disconnect the compromised device and conduct an investigation of the company network. Now, however, employees may be connecting to firms’ servers from their own, perhaps less secure, networks, and IT professionals are not on-site in those locations to troubleshoot issues and contain threats more easily. Failure to appropriately protect the sensitive and confidential data of clients may be the cause of malpractice claims in certain circumstances.

Firms should ensure IT security professionals are accessible to remote working professionals and able to isolate remote devices when necessary and limit the potential damage to the firm’s network through that compromised device. Now more than ever firms and professionals must remain diligent and prepared against new risks of fraud and cyber-attacks. Keeping mindful of cyber threats in the midst of this crisis is critical to ensuring ongoing success.

Additional information:

The FMG Coronavirus Task Team will be conducting a series of webinars on Coronavirus issues every day for the next week. We will discuss the impact of Coronavirus for companies in general, but also for business in insurance, healthcare, California specific issues, cybersecurity, and tort. Click here to register.

FMG has formed a Coronavirus Task Force to provide up-to-the-minute information, strategic advice, and practical solutions for our clients. Our group is an interdisciplinary team of attorneys who can address the multitude of legal issues arising out of the Coronavirus pandemic, including issues related to Healthcare, Product Liability, Tort Liability, Data Privacy, and Cyber and Local Governments. For more information about the Task Force, click here.

You can also contact your FMG relationship partner or email the team with any questions at [email protected].

**DISCLAIMER: The attorneys at Freeman Mathis & Gary, LLP (“FMG”) have been working hard to produce educational content to address issues arising from the concern over COVID-19. The webinars and our written material have produced many questions. Some we have been able to answer, but many we cannot without a specific legal engagement. We can only give legal advice to clients. Please be aware that your attendance at one of our webinars or receipt of our written material does not establish an attorney-client relationship between you and FMG. An attorney-client relationship will not exist unless and until an FMG partner expressly and explicitly states IN WRITING that FMG will undertake an attorney-client relationship with you, after ascertaining that the firm does not have any legal conflicts of interest. As a result, you should not transmit any personal or confidential information to FMG unless we have entered into a formal written agreement with you. We will continue to produce educational content for the public, but we must point out that none of our webinars, articles, blog posts, or other similar material constitutes legal advice, does not create an attorney client relationship and you cannot rely on it as such. We hope you will continue to take advantage of the conferences and materials that may pertain to your work or interests.**

FCC Confirms COVID-19 Pandemic Constitutes Emergency Under TCPA

Posted on: March 23rd, 2020

By: Matthew Foree

The Federal Communications Commission (“FCC”) has just issued a Declaratory Ruling confirming that the coronavirus pandemic constitutes an emergency under the Telephone Consumer Protection Act (“TCPA”). The Declaratory Ruling can be found here. Consequently, “hospitals, healthcare providers, state and local health officials, and other government officials may lawfully communicate information about the novel coronavirus as well as mitigation measures without violating federal law.”

The TCPA prohibits autodialed, pre-recorded, or artificial voice calls to wireless telephone numbers, with certain exceptions. The TCPA expressly exempts calls made for emergency purposes. The FCC’s rules define “emergency purposes” to mean “calls made necessary in any situation affecting the health and safety of consumers.” The exception is intended for “instances [that] pose significant risks to public health and safety, and [where] the use of prerecorded message calls could speed the dissemination of information regarding . . . potentially hazardous conditions to the public.”

The FCC recognized that a critical component of the nation’s efforts to address and contain the pandemic is the ability of healthcare and public safety organizations to communicate effectively with the public. Therefore, it found that the current pandemic constitutes an imminent health risk to the public. The FCC found that in determining whether a call relating to the pandemic qualifies as a call made for an emergency purpose, it looks to (1) the identity of the caller and (2) the content of the call. Under the first prong, “the caller must be from a hospital, or be a healthcare provider, state or local health official, or other government official as well as a person under the express direction of such an organization and acting on its behalf.” Under the second prong, “the content of the call must be solely informational, made necessary because of the COVID-19 outbreak, and directly related to the imminent health or safety risk arising out of the COVID-19 outbreak.”

The FCC gave multiple examples of calls that would fall within the emergency exception. For example, “a call originating from a hospital that provides vital and time-sensitive health and safety information that citizens welcome, expect, and rely upon to make decisions to slow the spread of the COVID-19 disease would fall squarely within an emergency purpose.” The FCC also recognized that calls that contain advertising or telemarketing of services do not constitute calls for an emergency purpose. Furthermore, calls made to collect a debt, even if it arises from related healthcare treatment, are not made for an emergency purpose. Such calls still require the prior express consent of the called party.

Finally, the FCC recognized that consumers have already received telemarketing and fraudulent robocalls related to the pandemic, including scam text messages and calls offering home testing kits and promoting bogus cures. The FCC stated that it would be vigilant in monitoring complaints about these calls and would not hesitate to enforce its rules when appropriate.

If you have any questions about the FCC’s Declaratory Ruling, or any obligations under the TCPA during this time, please do not hesitate to contact Matt Foree at [email protected].


HHS Waives Some HIPAA Sanctions During the Coronavirus Pandemic

Posted on: March 20th, 2020

By: David Cole

The HHS Office for Civil Rights (OCR) issued two important bulletins this week in response to the coronavirus pandemic. Each one announced that OCR will temporarily waive certain sanctions and penalties for noncompliance with HIPAA Rules to help deliver care to people in need.

Limited Waiver for Privacy Rule Requirements

First, OCR issued a Limited Waiver of HIPAA Sanctions and Penalties for not complying with certain parts of the Privacy Rule. Specifically, the Waiver says that healthcare providers will not be sanctioned or penalized for not complying with the following usual requirements:

  • The requirement to obtain a patient’s consent before speaking with family members or friends involved in the patient’s care;
  • The requirement to honor a request to opt-out of the facility directory;
  • The requirement to distribute a Notice of Privacy Practices;
  • The patient’s right to request privacy restrictions; and
  • The patient’s right to request confidential communications.

The Waiver became effective on March 15, 2020, but currently only applies (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol. It is unclear if OCR will extend the time for this Waiver given the widespread and potentially prolonged nature of the coronavirus outbreak. A copy of the bulletin is available here.

Video Technology Allowed for Telemedicine

Second, OCR issued a Notification of Enforcement Discretion allowing healthcare providers to use “any non-public facing remote communication product that is available” to communicate with patients to provide telehealth during the coronavirus national emergency. As examples, OCR said it will allow healthcare providers to use video chat applications like Apple FaceTime, Facebook Messenger, Google Hangouts, or Skype to provide telehealth without risk of penalty for noncompliance with HIPAA Rules. However, Facebook Live, Twitch, TikTok, and other similar public-facing video applications are not allowed. Healthcare providers are still expected to enter into Business Associate Agreements with the technology companies providing the video communication services, but OCR says it will not impose penalties for failing to do so during the time of the national emergency. A copy of the Notice is available here.


Cyber Attack on HHS is a Reminder for Businesses to Remain Vigilant About Cybersecurity During the COVID-19 Pandemic

Posted on: March 17th, 2020

By: Renata Hoddinott

Amidst all the information and news flooding the internet regarding COVID-19, another troubling headline emerged this morning: an unknown actor launched a cyber attack on the Department of Health and Human Services (HHS) on Sunday. The attack was not a hack in the traditional sense, and no data was stolen from HHS’s systems. Rather, it was an attempt to slow down HHS’s COVID-19 response by flooding the site with millions of requests over the course of several hours. It was a distributed denial of service (DDoS) attack. The distinction is important because there was no apparent breach of the systems of the lead agency responding to the coronavirus pandemic, and none of HHS’s critical functions were interrupted. HHS’s systems were largely able to repel the intrusion, the agency was fully functioning at all times, and its site never crashed. But while the attack was unsuccessful, it is a harbinger of things to come and businesses should take note.

Most corporations and firms with the capability to do so have permitted, encouraged, or even mandated their employees to work from home for an extended amount of time to limit the spread of the virus. All of that remote access, potentially over less secure networks, should raise some concerns for those businesses. Bad actors will no doubt use the opportunity to gain access to less secure devices and networks to penetrate systems they may not have had access to previously due to the security in place for devices “in-house.”

Now is the time to remind remote employees to practice basic common sense and security by ensuring they are only accessing company systems on private, password-protected networks. Employees also need to be watching for social engineering and phishing attacks. An email from the boss asking for password information or the firm’s credit card number may seem legitimate because employees do not have the ability to walk down the hall and ask.

And, for some smaller enterprises that may be new to remote access, some systems may have been rolled out untested in certain circumstances to ensure business continuity. In those cases, it will be important to ensure that when restrictions are lifted and employees are able to return to work, those remote systems are analyzed and secured against future threats.

This pandemic has unexpectedly and almost immediately changed the way business is conducted day-to-day around the globe. It remains to be seen whether those changes will be permanent. While most people are pulling together in this outbreak, malicious actors will always be looking for every opportunity to take advantage of the situation. During the period of social distancing and self-quarantining, individuals are desperate for up-to-the-minute information on the crisis. Businesses need to be aware that attackers will attempt to exploit the human element now more than ever. And, as we all know, there is almost always a human element, whether an honest mistake or negligence, in most cybersecurity incidents.


Eleventh Circuit Expands Insurance Coverage Under Commercial Crime Policies

Posted on: March 10th, 2020

By: Bill Buechner

In a closely-watched case involving the scope of coverage under a commercial crime policy, the Eleventh Circuit issued a decision in December holding that an insurer’s commercial crime policy provided coverage for an all-too-familiar email spoofing scheme that resulted in the loss of more than $1.7 million.

In Principle Solutions, Grp., LLC v. Ironshore Indem., Inc., 944 F.3d 886 (11th Cir. 2019), an imposter posing as the company’s managing director (Nazarian) sent an email to the company’s controller (Lien) in July 2015 informing her that the company had been secretly working on a “key acquisition” and instructed her to wire money to consummate the transaction as soon as possible that day. The email informed Lien that an attorney (Leach) would contact her shortly to provide additional details and instructed Lien to work with Leach to complete the wire transfer. The email instructed Lien to “treat [the] matter with the upmost discretion and deal solely with” Leach. Id. at 889. Sure enough, Leach, who purported to be a partner with the London-based law firm of Bird & Bird, contacted Lien via email and phone shortly thereafter. After Lien confirmed with Leach that the company’s bank (Wells Fargo) could process an international wire transfer in different forms of currency, Leach emailed Lien the specific wiring instructions for a bank in China providing for the wire transfer. Leach later reiterated to Lien over the phone that Nazarian had approved the wire transfer. With the assistance of a co-worker, Lien transmitted the wiring instructions to the company’s bank, Wells Fargo. Lien did not at any point confirm these instructions by phone with the real Nazarian, who was out of the office that day.

However, Wells Fargo’s fraud department notified Lien in two emails and by voicemail that the requested wire transfer was being put on hold as a security measure and that additional approval was required. Lien spoke with an employee in Wells Fargo’s fraud department, who inquired into the purpose of the proposed wire transfer and asked her to confirm with Leach how he had received the wire instructions. After additional phone calls and emails with Leach, Lien informed Wells Fargo that Leach had received the wire instructions verbally from Nazarian via telephone. Wells Fargo then approved the requested wire transfer and released the funds. When the real Nazarian returned to the office the next day, Lien informed him that she had completed the wire transfer as requested, at which point the company discovered the fraud. By then, however, it was too late to recover the more than $1.7 million in wired funds from the Chinese bank.

The company purchased a commercial crime policy from Ironshore Indemnity, Inc., which, among other coverages, provided Computer and Funds Transfer Fraud coverage for “Loss resulting directly from a ‘fraudulent instruction’ directing a ‘financial institution’ to debit your ‘transfer account’ and transfer, pay or deliver ‘money’ or ‘securities’ from that account.” The policy defined “fraudulent instruction,” in relevant part, as an instruction “initially received by you, which instruction purports to have been issued by an ‘employee’ but which in fact was fraudulently issued by someone else without your or the ‘employee’s’ knowledge or consent.”

The initial email purportedly from Nazarian did not contain any specific wiring instructions, and the emails and phone calls purportedly from Leach did not purport to be from a company employee, but rather from an outside attorney representing the company. Nevertheless, the Eleventh Circuit panel considered the communications purportedly from Leach and Nazarian together and construed these emails as being part of the same fraudulent instruction. Principle Solutions, 944 F.3d at 891.

More significantly, the panel, citing several dictionary definitions, held that the phrase “resulting directly from” means proximate cause rather than an immediate link to the loss. Principle Solutions, 944 F.3d at 891-92. In doing so, the panel did not cite or discuss an unpublished Eleventh Circuit decision that held that “one thing results ‘directly’ from another if it follows straightaway, immediately, and without any intervention or interruption.” Interactive Communs. Int’l, Inc. v. Great Am. Ins. Co., 731 F. App’x 929, 934 (11th Cir. 2018). The panel noted that proximate cause is not necessarily the last or nearest act to the injury. Id. at 892. The panel then concluded that the fraudulent instruction was the proximate cause of the loss as a matter of law because the involvement of Wells Fargo’s fraud department was foreseeable. Principle Solutions, 944 F.3d at 892-93. A dissenting opinion asserted that there were triable issues of fact as to whether the fraudulent instruction was the proximate cause of the loss.

As recently as 2012, a clear majority of jurisdictions held that “resulting directly from,” “direct loss,” and similar policy language does not mean proximate cause, but rather requires an immediate link between the alleged fraudulent conduct and the loss. However, along with the Eleventh Circuit’s Principle Solutions decision applying Georgia law, a growing number of more recent decisions, including a 2018 decision issued by the Second Circuit (applying New York law), have held that the broader proximate cause standard applies. Another 2018 decision from the Sixth Circuit (applying Michigan law) declined to resolve this issue, but held that the loss was covered even though there were multiple steps between the receipt of the fraudulent emails and the wire transfers that resulted in the loss.

Many commercial crime policies and similar policies provide computer fraud and funds transfer fraud coverage for losses “resulting directly from” a covered event, or use similar language. Insurers providing such coverages should recognize that the case law is sharply divided as to whether this policy language is triggered when the covered event is merely the proximate cause of the loss, or whether a more immediate link is required. Insurers who receive these claims should confer with their coverage counsel regarding the developing law on this question in the jurisdiction in which the policy was delivered.

If you have questions or would like more information, please contact Bill Buechner at [email protected].