Jennifer A. Beckage, Esq., CIPP/US, CIPP/E quoted in Bloomberg Law Article

Jennifer A. Beckage, Esq., CIPP/US, CIPP/E | April 16, 2021

‘Biden’s Russia Strike Marks Shift in U.S. Cybersecurity Strategy’

“It’s nice to see the government support private-public collaboration to drive this forward,” Beckage said. “It’s more indication from the current administration that cybersecurity is important and will continue to be going forward.”

Jennifer A. Beckage, Esq., CIPP/US, CIPP/E was published in ‘Risk Management Magazine’

‘The Legal Issues in Cyber Incident Response’

Jennifer A. Beckage, Esq., CIPP/US, CIPP/E | April 1, 2021

When we think about cyber incident response, we think about detection, analysis, containment, eradication, remediation and reporting. These stages are not just about technical and forensic response, however. Throughout each, legal risks and considerations must also be addressed. It is imperative to focus on gaining technical understanding of what the threat actor did, when they did it, and how to overcome their interference and resulting business interruptions. At the same time, equal focus must be given to examining applicable state and/or federal laws, contractual obligations, and any other potential legal exposures or rights. This can be accomplished while simultaneously managing other aspects of incident response, including cyber insurance carrier updates, public relations, internal communications and, of course, technical response. Working with legal counsel and the organization’s incident response team to answer material legal questions through the phases of incident response often dictates how and when the next phase is handled. 

In the Face of Huge Settlements, BIPA May Soon Be Losing Its Bite

Illinois lawmakers are considering a bill which has the potential to dramatically rein in the state’s strict Biometric Information Privacy Act (“BIPA”).  On March 9, 2021, the Illinois House judiciary committee advanced House Bill 559 (the “Bill”) which would amend BIPA.  The Bill has a couple of key amendments that may impact your business.

First, the Bill changes BIPA’s “written release” requirement to instead simply require “written consent”. Thus, under the Bill, businesses would no longer be required to obtain a written release, but instead could rely on electronic consent.

Second, whereas BIPA currently requires that a business in possession of biometric identifiers draft and provide a written policy regarding its handling of biometric data to the general public, under the Bill, businesses would only be required to provide this written policy to affected data subjects.

Third, the Bill creates a one-year statute of limitations for BIPA claims. Moreover, the Bill provides that prior to initiating a claim, a data subject must provide a business with 30 days’ written notice identifying the alleged violations. If the business cures these violations within the 30-day window, and provides the data subject an express written statement indicating the issues have been corrected and that no further violations shall occur, then no action for individual statutory damages or class-wide statutory damages can be taken against the business. If the business continues to violate BIPA in breach of the express written statement, then the data subject can initiate an action against the business to enforce the written statement and may pursue statutory damages. Therefore, not only does the Bill finally create a statute of limitations, but it also provides a mechanism by which businesses can respond to alleged violations of BIPA prior to engaging in costly litigation.

Fourth, the Bill modifies BIPA’s damages provisions. Currently, BIPA provides that a prevailing plaintiff is entitled to liquidated damages of $1,000 or actual damages, whichever is greater, when a business is found to have negligently violated BIPA. The Bill would limit a prevailing plaintiff’s recovery to only actual damages. Similarly, in its current form, BIPA provides that a prevailing plaintiff is entitled to liquidated damages of $5,000 or actual damages, whichever is greater, when a business is found to have willfully violated BIPA. The Bill would limit a prevailing plaintiff’s recovery to actual damages plus liquidated damages up to the amount of actual damages. Therefore, the Bill would limit a business’s exposure in BIPA claims to what a prevailing plaintiff can demonstrate as actual damages.

Finally, the Bill provides that BIPA would not apply to a business’s employees if those employees were covered by a collective bargaining agreement, something which has been at issue in recent BIPA litigation.

BIPA litigation has increased dramatically and resulted in a number of recent high-profile settlements, including TikTok’s $92 million settlement and Facebook’s $650 million settlement. This Bill has the potential to greatly curtail this spiral of litigation and high settlement figures. Beckage will continue to monitor any developments regarding the Bill and will update its guidance accordingly. Our team of experienced attorneys, who are also devoted technologists, is especially equipped with the skills and experience necessary to not only develop a comprehensive and scalable biometric privacy compliance program but also handle any resulting litigation.

*Attorney Advertising.  Prior results do not guarantee future outcomes.

SCOTUS Narrows Scope of TCPA to Only Systems that Use Random Number Generators

In a long-awaited decision, on April 1, 2021, the Supreme Court of the United States released its opinion in Facebook v. Duguid et al., and unanimously adopted a narrow interpretation of the term “automatic telephone dialing system” or ATDS under the Telephone Consumer Protection Act (“TCPA”). Hundreds of TCPA class action complaints are filed every year against defendants in all industries that use text messages or calls to reach consumers. One of the central legal questions addressed in these litigations is whether the text messaging systems used to contact consumers are ATDS such that TCPA liability can stand. Specifically, if these databases are used to store, but not generate, numbers, can they constitute an ATDS? The Supreme Court’s opinion answers this question in the negative and provides necessary clarity to the ATDS definition, and its narrow holding is expected to benefit TCPA defendants nationwide.

The Allegations in Facebook v. Duguid et al.

In Duguid, Plaintiff Noah Duguid alleges he received several text messages from Facebook alerting him that someone had attempted to access a Facebook account associated with his number from an unknown browser. Duguid alleged that he did not have a Facebook account and never provided Facebook his telephone number. As a result, Duguid asserted that Facebook violated the TCPA by maintaining a database that stored phone numbers and programming its equipment to send out automated text messages to those numbers each time the associated account was accessed by an unrecognized device or web browser.

Facebook argued that the database in which it stored telephone numbers was not an ATDS such that TCPA liability could be established, and the Supreme Court agreed.  As defined by the TCPA, an “automatic telephone dialing system” is a piece of equipment with the capacity both “to store or produce telephone numbers to be called, using a random or sequential number generator,” and to dial those numbers.  Based on Duguid’s allegations, at issue was whether that definition encompassed equipment that can “store” and dial telephone numbers, even if the device does not “us[e] a random or sequential number generator.”  The Supreme Court of the United States held that because Facebook’s database system did not involve a random or sequential number generator but simply stored numbers, the text messages sent from the system did not violate the TCPA.

What Now?

The Supreme Court’s holding has the potential to greatly limit the number and scope of putative TCPA class actions in the future as it eliminates from the definition of ATDS those systems which do not use a random or sequential number generator, but simply store numbers. 

Despite this added clarity, TCPA litigation remains complex. Being proactive and building robust and scalable policies into the foundation of your organization will help mitigate legal risk. The Beckage TCPA team has handled numerous class action litigations in this space and can help your business navigate this complex area of the law.

With 5G, will your thermometer need malware protection?

5G is perhaps the biggest critical infrastructure build the world has seen in twenty-five years. It will allow for the connection of millions of Internet of Things (“IoT”) devices. However, with these added benefits come related vulnerabilities and cybersecurity risks.

What specific cybersecurity risks are associated with the 5G network?

First, the 5G network itself can pose many security risks.  The 5G infrastructure is built using many components, each of which may be corrupted through an insecure supply chain.  Significantly more software is being used allowing for more entry points and more potential vulnerabilities.  Similarly, more hardware devices are required (cell towers, beamforming devices, small cells, etc.), and each one of these hardware devices must be adequately secured.  Small, local cells may be more physically accessible and therefore subject to physical attack.  Further, 5G will be built, in part, on legacy 4G LTE components – which themselves can have vulnerabilities.

Second, with specific focus on IoT devices, cybersecurity protections will need to become much more granular and more capable of being deployed on less intelligent “Things.”  Historically, one could think of a Thing as a device that can be connected to a network, but which lacked sufficient processing power to handle more advanced computations.  Things are “dumb.”  By connecting a processor, we could make such dumb Things “smart.”  These new smart IoT devices are interesting vectors of attack by malicious actors and further confound overall cybersecurity programs.  The ability to detect a cyber attack on a light bulb will require additional cybersecurity solutions.

Finally, with 5G facilitating the implementation of more IoT devices, more sensitive data may be stored, creating the need to protect edge computers servicing the IoT device. If we consider the ubiquity of thermometer scanning now and how those and similar IoT devices could easily become part of 5G, then we begin to understand the seemingly exponential possibility for threat vectors on our networks. We may have sensitive data (Am I sick? What time do I show up for work?) and we may have the concern that a malicious actor may look to infect a network through a Thing. Will thermometers need malware protection? More devices arguably allow for more places for a hacker to attempt to attack and thus the possibility of a greater availability of distributed denial of service (DDoS) attacks. There were reports of Things being used collectively to deny service with the LTE network. With 5G, the concept of an army of coffee makers attacking by all issuing a request to an address will become a greater possibility, and manufacturers could be liable to other parties if their insecure Things are used to deny the service of someone else.

Regardless of the attack vector, incident response practices are universal, and Beckage’s Incident Response Team can help prepare your team for IoT and other attacks.

What potential solutions are available to mitigate this risk?

Companies looking to incorporate 5G should partner with experienced tech counsel who can assist by reviewing contracts, conducting risk assessments, and evaluating and updating incident response plans and procedures to account for any additional risks associated with 5G.

In addition, there are already some attempts at governmental solutions. In March 2020, President Trump issued a National Strategy to Secure 5G – requiring, in relevant part, that the United States must identify cybersecurity risks in 5G.

The CISA (Cybersecurity & Infrastructure Security Agency) also issued some documents relating to the security of 5G.  Similarly, we are seeing a push for international standards and certain untrusted companies have had their products banned from use.  The Federal government is using regulations to limit the adoption of equipment that may contain vulnerabilities.

So, what is the solution?  The same as always.  Innovation.  Businesses are encouraged to develop trusted solutions and innovation in this space.  Advanced cybersecurity monitoring and protection by design will continue to be needed.

The Beckage Team of lawyers, who are also technologists, is well-versed in new and emerging technologies and works with clients to facilitate innovation through the use of IP protections. We also assist companies in the implementation of new technologies, like 5G, taking into consideration the cybersecurity, data privacy, and regulatory obstacles associated with their use. From patent acquisition to policy drafting and review, Beckage attorneys are here to help your company capitalize on innovation.
