CLOSE X
RSS Feed LinkedIn Instagram Twitter Facebook
Search:
FMG Law Blog Line

City Hacks – Atlanta’s 2018 Cyberattack and the Growing Need for Cyber Liability Insurance

Posted on: February 12th, 2019

By: Matthew Weiss

Already a growing area of liability insurance for businesses, the importance of cyber insurance for local governments came to the forefront last March when the City of Atlanta suffered a malware attack in which its computer networks were hijacked by hackers seeking a ransom equal to $51,000 in bitcoin. The cyberattack left the City unable to perform basic services, including processing tickets in municipal court and providing Wi-Fi service at Hartsfield-Jackson International Airport. At one point, city employees were advised not to even turn on their computers.

While Atlanta’s cyberattack made national headlines, the role that cyber insurance played in its response has been largely undocumented. The City holds a cyber insurance policy with AIG, and the total cost associated with the cyberattack is believed to have approached $5 million.

Although Atlanta redacted key details of its cyber insurance policy, including its coverage limits, in response to press inquiries, the State of Georgia has acknowledged that it holds a $100 million cyber insurance policy, the largest of any state, covering more than 100 state agencies including every branch of state government except higher education. The policy was put to use when the Georgia Department of Agriculture’s computer system was infected by malware in December 2017, compromising the department’s computer system, including employee email and internal operation servers. The cost of the state’s response to the malware attack exceeded its self-insured retention of $250,000.

The recent experiences of the City of Atlanta and the Georgia Department of Agriculture exemplify the growing importance of cyber insurance for state and local governments. Governments are frequently considered prime targets for cyberattacks due to a lack of synchronization of government systems, the lack of harmonization among third-party vendors rendering services to those governments, and a dearth of qualified professionals employed by governments due to the fact that more lucrative careers are available in the private sector. Indeed, governments frequently assign cybersecurity to their IT departments, which are already overburdened and under-resourced. At the same time, as local governments become more digital, the impact of a cyberattack can become highly disruptive to the city’s operations, as the City of Atlanta’s experience showed. In fact, Forbes has reported that Lloyd’s City Risk Index estimates that the risk of cyberattack is the third most consequential threat to Atlanta and other North American cities, with a collective potential impact of more than $93 billion. Given these substantial risks, Lloyd’s concludes that cities and states should better utilize cyber insurance, with a 1% increase in insurance penetration resulting in a corresponding 22% decrease in the risk to taxpayers.

The growing need for cyber insurance among cities, counties, and states melds both the areas of local government law and insurance coverage and is certain to be a major growth area in the near future. Hopefully, Atlanta’s painful learning experience will better prepare other local governments in the months and years to come.

If you have any questions or would like more information, please contact Matthew Weiss at (678) 399-6356 or [email protected].

New Medical Devices and Performance Criteria

Posted on: February 12th, 2019

By: Koty Newman

The Food and Drug Administration (“FDA”) recently issued final guidance (the “Guidance”), providing a framework for its new Safety and Performance Based Pathway for its updated 510(k) process. Section 510(k) of the Food, Drug and Cosmetic Act requires medical device manufacturers to notify the FDA of their intent to market a medical device. Notification enables the FDA to determine if the product is equivalent to a device already on the market, which by extension, helps the FDA determine if the device is at least as safe and effective as the already marketed device.

The FDA’s Safety and Performance Based Pathway evidences the FDA’s recognition that it may be less burdensome for device manufacturers to show a new device’s substantial equivalence to a predicate device by demonstrating that the new device meets certain performance criteria, rather than directly testing the new device against a predicate device. Thus, “[i]nstead of reviewing data from direct comparison testing between the two devices, FDA could support a finding of substantial equivalence based on data showing the new device meets the level of performance of appropriate predicate device(s),” the Guidance states. In order to discern the requisite performance criteria, manufacturers should look to descriptions in FDA guidance, FDA-recognized consensus standards, and special controls.

The Guidance states that the “FDA believes that use of performance criteria is only appropriate when FDA has determined that (1) the new device has indications for use and technological characteristics that do not raise different questions of safety and effectiveness than the identified predicate, (2) the performance criteria align with the performance of one or more legally marketed devices of the same type as the new device, and (3) the new device meets all of the performance criteria.” Further, a manufacturer may use this program only if the manufacturer can rely entirely on performance criteria to demonstrate substantial equivalence. The FDA will still require that a manufacturer identify a predicate device in order for the FDA to determine the relevant intended use and technological characteristics decision points.

The FDA will maintain a list of device types that are appropriate for the Safety and Performance Based Pathway on its website, along with other information that will be helpful for manufacturers intending on navigating this particular Pathway, such as “guidances that identify the performance criteria and testing methods recommended for each device type.”

This policy represents an expansion of the long-applied approach by the FDA, giving device manufacturers an additional pathway to demonstrate substantial equivalence. For the manufacturers who cannot, or prefer not to, rely on this Safety and Performance Based Pathway, direct comparison with a predicate device will remain available to determine whether the new device is substantially equivalent to a predicate device.

The FDA is also seeking public comment on questions such as whether it should make public a list of devices or manufacturers who make products that rely on older predicates, such as predicates that have been on the market for ten-or-so years, and whether there are actions the FDA could pursue to promote the use of more current predicates. The public will have until April 22, 2019 to comment.

If you have any questions or would like more information, please contact Koty Newman at (678) 996-9122 or [email protected].

As Commerce Moves Online, the Americans with Disabilities Act Follows

Posted on: February 11th, 2019

By: Natalie Pulley

Does the Americans with Disabilities Act, requiring accessibility in public accommodations, apply to a business’ online presence? The Eleventh Circuit has weighed in on the issue, finding in Dennis Haynes v. Dunkin’ Donuts LLC that the ADA applies online.

In Dennis Haynes, the plaintiff is blind and relies on screen reading software. He attempted to go on the website for Dunkin’ Donuts but the website was not compatible with his, or any, screen reading software. The plaintiff sued Dunkin’ Donuts, LLC, claiming that it violated Title III of the Americans with Disabilities Act by not maintaining a website compatible with screen reading software. He alleged that the inaccessibility of Dunkin’ Donuts’ website has denied blind people the ability to enjoy the goods, services, privileges, and advantages of Dunkin’ Donuts shops.

The Eleventh Circuit agreed with his position and found that a website must comply with ADA requirements. The court found that a website is a service that facilitates the use of brick and mortar shops, which are places of public accommodation. Further, the court found that the ADA is clear that whatever goods and services the business offers as part of its public accommodation, it cannot discriminate against people on the basis of a disability, even if those goods and services are intangible. This opinion sides with a federal court ruling from Florida, which ruled that a supermarket chain could be liable under the statute for operating an inaccessible site.

While there is no blanket requirement of any specific auxiliary aides on corporate websites, the proliferation of website lawsuits presents a risk of liability. Corporations should take proactive steps to ensure that their websites are accessible to those with hearing, muscular, and visual impairments.

If you have any questions or would like more information, please contact Natalie Pulley at [email protected].

Haynes v. Dunkin’ Donuts, Ltd. Liab. Co., 741 F. App’x 752 (11th Cir. 2018)
Gil v. Winn-Dixie Stores, Inc., 257 F. Supp. 3d 1340 (S.D. Fla. 2017)

 

 

 

Latest Update on the H-1B Visa Application Process

Posted on: February 11th, 2019

By: Layli Eskandari Deal

The U.S. Department of Homeland Security (DHS) has issued a final rule implementing changes to the H-1B visa program for petitions filed under the H-1B cap (better known as the H-1B visa lottery).

The rule reverses the order whereby USCIS selects H-1B petitions for the standard allotment of 65,000 visas and the 20,000 visas allocated for the advanced-degree exemption. It also adds an electronic registration requirement for petitioners seeking to file H-1B cap-subject petitions. The final rule is scheduled to become effective on April 1, 2019.

Under the reverse selection process, USCIS will first select H-1B petitions for the general allotment of 65,000 visas. Then USCIS will select from the remaining petitions a number estimated to reach the advanced degree exemption. The reverse selection rule applies to petitions filed for the FY 2020 H-1B cap season (this year). The agency expects the lottery reversal to increase the number of individuals selected who possess an advanced degree from a U.S. institution.

The rule also implements an electronic registration requirement for H-1B cap-subject petitions which DHS has postponed until next cap season (FY 2021). Once implemented, it will require those seeking to file H-1B cap petitions to first electronically register with USCIS. Only petitioners whose registrations are selected will then be able to file an H-1B cap-subject petition.

For additional information related to this topic and for advice regarding how to navigate U.S. immigration laws you may contact Layli Eskandari Deal of the law firm of Freeman Mathis & Gary, LLP at 770.551.2700 or [email protected].

Can Governments be Liable for Mass Shootings under the Constitution?

Posted on: February 11th, 2019

By: Phil Savrin

The recent tragedies of mass shootings have spawned litigation over the civil liabilities of state governments for failing to protect members of the public from harm, particularly when there were advance warning signs that police departments overlooked or ignored. To evaluate whether States can be liable under the Constitution for such conduct we need to reach back 30 years to a decision by the Supreme Court called DeShaney. In that case, county officials had allowed an abused child to remain in a household despite knowledge of mistreatment, after which the boy was left permanently disfigured. In considering a civil rights claim brought on his behalf under the due process clause, the Supreme Court reasoned that the Constitution places limitations on the government’s ability to act and does not affirmatively require it to provide services that benefit the public. It is up to the individuals States to allocate resources to provide for public safety, in other words, as opposed to an obligation mandated by the Due Process Clause. That said, the Supreme Court reasoned that it is only when the State takes some action that puts a person in peril that the Constitution imposes “some corresponding duty to assume some responsibility for his safety and general well-being.”

Cases applying DeShaney’s reasoning are often heart-wrenching, as they tend to involve very egregious injuries that could have been avoided had law enforcement officers acted on knowledge they possessed. The most extreme example applying DeShaney can be found in the Supreme Court’s 2005 decision in Town of Castle Rock, where police officers refused the desperate pleas of a citizen to arrest her estranged husband who had violated a restraining order, resulting in the father’s murder of the couple’s three daughters. These harms could have been avoided had the State acted to intercede, yet it is only when the State by its conduct affirmatively puts the person in danger that the State has a constitutional obligation to protect that individual from harm.

Which brings us to the question of mass shootings such as the incidents at the Pulse nightclub in 2016 where a gunman killed 49 people or the high school in Florida in 2018 where a student opened fire killing 17 persons. In lawsuits that followed, allegations were made that government officials either ignored warnings or intentionally failed to act, thereby violating the constitutional rights of the victims. In both circumstances, however, the federal courts applied DeShaney to conclude that without danger created affirmatively by the State’s conduct, there is no constitutional right to protection where the harm begins and ends with the actions of a private citizen.

The absence of a constitutional claim in these circumstances does not, of course, mean that there can be no remedy of any sort. What these cases hold instead is that any such remedy exists by reference to state law as the federal Constitution is a bulwark against governmental interference in the public arena and is not a guarantor of safety for the citizenry.

If you have any questions or would like more information, please contact Phil Savrin at [email protected].