FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

Breaking – U.S. Supreme Court Narrowly Interprets TCPA Autodialer Definition

Posted on: April 1st, 2021

By: Matt Foree

As we have discussed previously HERE and HERE, the Supreme Court of the United States has been considering an important Telephone Consumer Protection Act (“TCPA”) case concerning the statutory definition of “automatic telephone dialing system” (“ATDS”) in the Facebook v. Duguid case.  Today, the Supreme Court issued its opinion on the matter, resolving the split among the circuit courts in favor of a narrow interpretation of the autodialer definition.  The opinion can be found HERE.

The argument in the case centered around the definition of ATDS, which has created confusion among the courts, resulting in a patchwork of inconsistent decisions throughout the country.  The TCPA defines ATDS as “equipment which has the capacity—(A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.”  Among other things, the TCPA prohibits using an ATDS to make calls to a cellular telephone without the consent of the called party. Therefore, whether an ATDS was used in making calls can be determinative of liability. 

In this case, Facebook argued that the clause “using a random or sequential number generator” modified both verbs that precede it (“store” and “produce”), while Duguid argued that it modifies only the closest one (“produce”).  After analyzing the issue under conventional rules of grammar, the Supreme Court unanimously concluded “that the clause modifies both, specifying how the equipment must either ‘store’ or ‘produce’ telephone numbers.”  Accordingly, it determined that the ATDS definition requires that “in all cases, whether storing or producing numbers to be called, the equipment in question must use a random or sequential number generator.”  As a consequence, it determined that Facebook’s notification system at issue was not an autodialer because it neither stored nor produced numbers “using a random or sequential number generator.”  

The narrow interpretation of the ATDS definition has significant implications for TCPA litigation.  It is a major win for TCPA defendants.  The practical effect of the decision is a limitation of the type of equipment that will qualify as an autodialer, which will mean fewer lawsuits.  Others will argue that this will result in an increase in robocalls.  It may ultimately mean that it is time for Congress to amend this 1991 statute to bring it into the present.  In the meantime, we are actively monitoring these and other TCPA developments. 

For more information on this topic, please contact Matt Foree at [email protected].

NYSDFS’s Cyber Insurance Risk Framework Responds to the “Urgent Challenge” of Managing Cyber Risk

Posted on: March 16th, 2021

By: Curt Graham

New York’s Department of Financial Services (“DFS”) recently issued its Cyber Insurance Risk Framework which details seven best practices for managing cyber insurance risk. The Framework can be found here. One of the primary drivers for this guidance is the rise in the frequency of ransomware attacks, with the global cost of ransomware estimated to be $20 billion in 2020 alone.

The DFS joins the Office of Foreign Assets Control (“OFAC”) in recommending against making ransom payments in the event of a ransomware attack. Several justifications are offered for this recommendation. First, there is no guarantee that a victim will regain access to their data even if the ransom is paid. Second, ransom payments will almost certainly be used to fund more sophisticated attacks. Third, carriers and their policyholders risk violating OFAC sanctions if a ransom is paid.

The DFS’s bulletin also points out various deficiencies in the way cyber risk is currently assessed and priced by the insurance industry. In response, the DFS’s Framework identifies seven practices that all authorized property and casualty insurers writing cyber insurance should utilize. These include establishing a formal cyber insurance risk strategy, managing and eliminating exposure to silent cyber insurance risk, evaluating systematic risk, rigorously measuring insured risk, educating insureds and insurance producers, obtaining cybersecurity expertise, and requiring notice to law enforcement. Additional details relating to each practice can be found in the link above.

This Framework applies to all carriers writing insurance in New York. But its reach is far greater, as the DFS’s regulations also require regulated insurers to vet the cyber readiness of their vendors who may be located outside of New York. Given the vast reach of these regulations, any entity doing business with a DFS-regulated entity is well served by keeping an eye on DFS guidance such as the Cyber Insurance Risk Framework.

If you have questions or would like more information, please contact Curt Graham at [email protected].

Estimated 30,000 U.S. Organizations and Businesses Hacked Through Microsoft Exchange Server “Zero-Day” Vulnerabilities

Posted on: March 10th, 2021

By: John Ghose

State-sponsored hackers have accessed the on-premises Microsoft Exchange email environments of an estimated 30,000 U.S. organizations – including many small and medium-sized companies, universities, and government agencies.  This hack is nearly twice the size of the recent SolarWinds hack, and immediate action is needed to determine whether your organization has been compromised. Below we explain how to assess whether your organization has been affected, and what to do if your data has been compromised.

On Wednesday, March 3, 2021, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive covering Microsoft Exchange on-premises products. The directive is binding on federal civilian agencies, but CISA urged every business and organization running on-premises Exchange to follow the same steps. The emergency directive was prompted by a blog post written by Microsoft a day earlier that described successful efforts by a Chinese state-sponsored hacking group to exploit previously unknown “zero day” vulnerabilities in its MS Exchange product.  Volexity, the security firm that first discovered the zero-day vulnerabilities, said in this article that hackers have been using these vulnerabilities to access victims’ email environments as far back as January 6, 2021.

According to guidance from Microsoft and CISA, if your organization uses MS Exchange on-premises (not cloud) servers, you should take the following steps immediately:

  • Run the free detection script and deploy the security updates provided by Microsoft to assess your exposure and patch your system. Note that patching closes the vulnerabilities but does not remove web shells or other backdoors already placed on a server that was compromised before the patch, so run the detection script even if the updates are already installed;
  • If these initial assessments reveal indicators of compromise, your organization should activate its incident response plan and contact your cyber insurance carrier, if you have one, which can assist you with retaining a law firm and forensics vendor for guidance and advice;
  • Finally, your organization should back up network data immediately. As reported by Brian Krebs, the security community fears that hackers could later exploit the web shell “back doors” installed as part of this hack by conducting a mass ransomware attack campaign to disrupt the American economy.  Backing up data mitigates this ransomware risk, but only if the backups are stored offline or otherwise out of reach of an attacker who already has a foothold on the network.
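Because the web shells left behind on a compromised server survive patching, the practical follow-up to the steps above is to look for them in the server’s own request logs. The Python script below is an added example for this post; it is not Microsoft’s detection script or any vendor tool. It parses IIS logs in the W3C format that Exchange’s IIS front end writes and flags POST requests to .aspx pages that are not in a baseline of endpoints known to take POSTs (an attacker’s web shell is an .aspx file that receives commands by POST). The sample log lines, the field order, the allowlist and the file names in them are constructed for illustration and are not real indicators of compromise.

```python
"""Flag likely web shell traffic in IIS W3C logs.

Added example for this post, not Microsoft's script or any vendor tool.
The log lines, the field order and the allowlist below are constructed
for illustration; they are not real indicators of compromise.
"""
from datetime import datetime

# Constructed baseline: endpoints that legitimately receive POSTs on this
# hypothetical Exchange server. A real baseline comes from a known-clean log window.
KNOWN_GOOD_POST_PATHS = {
    "/owa/auth.owa",
    "/owa/service.svc",
    "/ecp/default.aspx",
    "/ews/exchange.asmx",
    "/autodiscover/autodiscover.xml",
    "/mapi/emsmdb",
}

# Constructed sample log in IIS W3C format (addresses are documentation values).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-02 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2021-03-02 10:15:04 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0 302
2021-03-02 10:15:09 10.0.0.5 POST /ecp/default.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2021-03-02 10:16:30 10.0.0.5 POST /owa/auth/example.aspx cmd=1 443 - 198.51.100.23 python-requests/2.25.1 200
2021-03-02 10:16:31 10.0.0.5 POST /owa/auth/example.aspx cmd=2 443 - 198.51.100.23 python-requests/2.25.1 200
2021-03-03 02:40:12 10.0.0.5 POST /aspnet_client/sample.aspx - 443 - 198.51.100.24 - 200
"""


def parse_iis_log(lines):
    """Parse W3C log lines into dicts keyed by the names in the #Fields header.

    W3C logs are space separated and URL-encode spaces inside fields, so a
    plain split() is safe. Lines whose token count does not match the header
    (truncated writes) are skipped rather than silently misaligned.
    """
    fields = None
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field order is declared by the log itself
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software or #Date
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue
        entries.append(dict(zip(fields, values)))
    return entries


def find_suspicious_posts(entries, known_good):
    """Group POSTs to .aspx pages outside the baseline by path.

    Returns {path: {count, client_ips, user_agents, first_seen, last_seen}}.
    Paths are compared case-insensitively because IIS serves them that way.
    """
    known = {p.lower() for p in known_good}
    hits = {}
    for e in entries:
        path = e["cs-uri-stem"].lower()
        if e["cs-method"].upper() != "POST" or not path.endswith(".aspx") or path in known:
            continue
        ts = datetime.strptime(f"{e['date']} {e['time']}", "%Y-%m-%d %H:%M:%S")
        h = hits.setdefault(path, {"count": 0, "client_ips": set(), "user_agents": set(),
                                   "first_seen": ts, "last_seen": ts})
        h["count"] += 1
        h["client_ips"].add(e["c-ip"])
        h["user_agents"].add(e["cs(User-Agent)"])
        h["first_seen"] = min(h["first_seen"], ts)
        h["last_seen"] = max(h["last_seen"], ts)
    return hits


def report(hits):
    """Render one line per suspicious path, earliest first-seen first."""
    lines = []
    for path, h in sorted(hits.items(), key=lambda kv: kv[1]["first_seen"]):
        lines.append(f"{path}: {h['count']} POST(s) from {sorted(h['client_ips'])} "
                     f"between {h['first_seen']} and {h['last_seen']}; "
                     f"user agents {sorted(h['user_agents'])}")
    return lines


if __name__ == "__main__":
    entries = parse_iis_log(SAMPLE_LOG.splitlines())
    for line in report(find_suspicious_posts(entries, KNOWN_GOOD_POST_PATHS)):
        print(line)
```

On a real server, feed the script the files under the IIS log directory for the Exchange front-end site and build the allowlist from a log window that predates January 2021. The first-seen timestamp for each flagged path is what the forensics vendor will want: it bounds when the shell was dropped, and the client addresses and user agents (scripted clients rather than browsers are typical) seed the wider search across other servers.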

If you need help with any of these steps, FMG’s Data Protection, Privacy, and Technology practice section is available and already advising several clients who have been affected by this breach.  In addition, we are partnering with Tracepoint, a leading cyber incident response firm, to provide clients with a zero-cost initial consultation to help them determine what actions are needed because of this hack.  Please contact co-chairs David Cole and John Ghose for further information.

Massive Unemployment Fraud Brings Some Taxpayers Another Nasty Pandemic Surprise

Posted on: March 9th, 2021

By: Barry Miller

Last spring FMG reported that the pandemic was making accountants attractive targets for hackers. Extended tax deadlines and stimulus checks keyed to tax information created the incentive for fraud. This year, Krebs on Security warns that “The Taxman Cometh for ID Theft Victims.”

The issue arises from another pandemic-related problem—massive unemployment insurance fraud. Krebs’s article notes that hackers stole more than $11 billion from California alone by appropriating the information of California residents who were entitled to those benefits. Now California’s system shows that those benefits were paid, although the proper payees never received them.

And those benefits are taxable.

Which means that by January 31 thousands of people across the country received 1099-G forms reporting that they had received taxable benefits. California is not alone. AARP reports the unemployment fraud total across the country to be $36 billion.

The Internal Revenue Service issued guidance to taxpayers in a January 28 bulletin, advising those who received unexpected 1099-G forms to contact the state agency that issued the form and request a revised one. “Taxpayers who are unable to obtain a timely, corrected form from states should still file an accurate tax return, reporting only the income they actually received,” said the IRS.

The Insider advises those who received a 1099-G showing fraud to make sure they file a federal return by April 15, reporting only actual income received, and to file the corrected form 1099-G after receiving it. Forbes gives more detailed suggestions, including reporting the unemployment insurance fraud to employers and the state unemployment agency, the Federal Trade Commission, and the three major credit bureaus.

For more information, please contact Barry Miller at [email protected].

Cyber Insurance and the COVID-19 Pandemic

Posted on: March 5th, 2021

By: Matthew Jones

In light of the COVID-19 pandemic, various professions have changed their policies on working remotely. When the initial lockdown and quarantine process began, some companies were forced to begin working remotely to stay afloat. And even now, as certain states begin to “re-open”, companies are allowing their employees to continue working remotely. However, some companies may not have the proper technology and security features to prevent cyber-attacks, which have increased significantly during the pandemic. In addition, some companies do not have the proper insurance in place to compensate for damages from a cyber-attack. Although cyber insurance is occasionally bundled into existing property or liability insurance policies, that is not always the case.  Sometimes those policies fail to explicitly include or exclude cyber-attacks, thereby leaving insurers at great risk of loss.

The legal profession is one industry that has seen an increase in cyber-attacks given the utilization of remote depositions and court appearances via Zoom and similar platforms. Even though these capabilities existed years prior to the pandemic, they have become much more commonplace in today’s business. But with their continued use comes vulnerability and additional claims. One way to counteract these claims is for insurers to require certain types of technology and/or security features within businesses as a prerequisite to cyber insurance, or draft policies so they explicitly state whether there is coverage to avoid additional costs of litigation. No matter how this issue is dealt with, it will likely lead to an increase in litigation as the technology world continues to evolve.

For more information, please contact Matthew Jones at [email protected].