Welcome to the fifth issue of Decoded for 2023.
We want to kick off this issue with a huge congratulations to several of our attorneys. 14 of the firm’s West Virginia-based lawyers, three of our Virginia-based attorneys, and two of our Pennsylvania attorneys were recognized by Super Lawyers for 2023! Many of these attorneys practice technology law and adjacent practice areas. Congratulations to them for this well deserved honor!
Another congratulations goes to Clifford F. Kinney, Jr. as he recently joined the International Association of Defense Counsel (IADC), one of the most respected legal organizations in the world. The IADC is an invitation-only association for lawyers and insurance executives who represent corporate and insurance interests around the world.
We hope you enjoy this issue and, as always, thank you for reading.
Nicholas P. Mooney II, Co-Editor of Decoded, Chair of Spilman's Technology Practice Group, and Co-Chair of the Cybersecurity & Data Protection Practice Group
and
Alexander L. Turner, Co-Editor of Decoded and Co-Chair of the Cybersecurity & Data Protection Practice Group
“At two-thirds of organizations, there is a fear that almost all employees, 95%, will not understand how to recover following a cyberattack.”
Why this is important: In past editions of Decoded, we have discussed the importance of having policies and procedures in place in the event of a cyberattack. It is easier to plan and prepare when things are calm than to react to an emergent situation when everything is chaotic and people are in a panic. Two-thirds of organizations fear that their employees will not be able to function effectively following a cyberattack. Leadership may believe that because they have a policy or procedure in place for how to respond to a data breach that they are prepared for one. Experts are finding that may not be the case.
It is not enough just to have a policy and procedure for how to respond to a data breach and keep operations afloat. You must have frequent training to instill the knowledge conveyed by those policies and procedures in your employees. However, a report by Immersive Labs states that such training is not happening often enough. This includes training your team regularly on the company’s data breach response plan. This is a document detailing how the company will respond in the event of a data breach, and it should initiate the process for identifying and containing the breach. However, if employees are not properly trained on it, then it will not be effective.
In creating the data breach response plan, the first step is to conduct a risk assessment and identify what would constitute a breach. The plan should also identify what would be affected by a breach, including data, people, applications, and systems. The data breach response plan should include the following:
- Identify the response team and its members – You need to create the nucleus of the organization who will be tasked with responding to the data breach, and identifying each role. This team should be interdisciplinary and include members of the executive team, human resources, IT, legal (both inside and outside counsel), marketing, and communications.
- A contact list – In the event of a cyberattack, your company should have a contact list of everyone who needs to be contacted in the event of the breach, and when they need to be contacted. This list should include regulatory authorities, legal counsel, insurance providers, cybersecurity specialists, IT providers, and PR.
- A communications plan – You should have prepared statements ready for various stakeholders in your organization, including customers, employees, and the media. This should be an adaptable plan that takes into consideration when and how statements should be released.
- A data recovery plan – You need a plan for how and in what order critical systems and data can be recovered in the event of a ransomware attack. This includes deciding before such an attack whether the company will pay the ransom or not. The federal government recommends that a company not pay the ransom because payment only encourages additional attacks throughout the economy. If you have sufficiently prepared for a ransomware attack, including adequately backing up your data, then the decision on whether to pay a ransom or not is easier to make.
Creating the plan one time is not sufficient. Threats change and staff turns over, so the data breach response plan has to adapt as well. As part of the plan, you should incorporate at least annual reviews and updates of the data breach response plan.
It is not enough for company leadership to have a data breach response plan created and believe that is all that needs to be done. Creating the plan is the first step; now you have to train your team on it. Regular training on your data breach response plan is critical. Additionally, periodic meetings of your response team and outside support vendors, including legal counsel, are advisable so that they are all familiar and comfortable with each other, which will facilitate better coordination in the event of a data breach. Finally, your organization may want to set aside time each year to wargame a data breach to practice your team’s response to various scenarios.
Governmental regulators and your insurers are watching, so being proactive in implementing a data breach response plan -- and training your staff on it -- is critical. Regulators are increasingly holding companies responsible for data breaches if they fail to properly protect customer data. Penalties for failing to sufficiently protect customer data, or to notify customers of a data breach, can be significant. Additionally, insurance providers are requiring these types of plans and training in order for your organization to obtain cybersecurity insurance. Finally, company executives are being held personally responsible in lawsuits alleging that they failed to uphold their fiduciary duties to the company and protect it against the financial and reputational damages that a data breach and an improper response can create. Therefore, it is necessary not only to create cybersecurity and data breach policies and procedures, but also to regularly train your employees on those policies and procedures. If your organization needs assistance with the creation of and training on cybersecurity policies and procedures, please contact a member of Spilman’s Cybersecurity & Data Protection Practice Group for assistance. --- Alexander L. Turner
“A complete recovery and restoration of services could be weeks away, the city said.”
Why this is important: A few weeks ago, the City of Dallas confirmed that it suffered a ransomware attack that impacted several internal IT systems and public-facing websites. The city still has not recovered from the attack, and it reports that it could take months before all systems are back online. Decoded regularly discusses ransomware and other cyberattacks on businesses, and it and its sister publication The Academic Advisor have reported on cyberattacks on educational institutions. This article and others on the Dallas ransomware attack highlight the dangers involved when threat actors target a city or other government units. In Dallas, jury duty, court hearings, and trials have been cancelled until further notice. The city’s municipal court can’t access payment systems. A large part of the city’s police network remains down. The last issue is particularly troubling given that the city is entering a season when crime rates typically increase. The problem does not end there. Even after all systems are back online, the city will face a huge backlog of information that needs to be input. At bottom, the article highlights some of the issues municipalities and other government units face when dealing with the fallout from a cyberattack, and the attack on Dallas should have other cities, counties, and states taking steps to ensure they don’t suffer the same fate. --- Nicholas P. Mooney II
“A new ultra-thin skinpatch with nanotechnology able to monitor 11 human health signals has been developed by researchers at Monash University.”
Why this is important: Researchers at Monash University have developed an ultra-thin skin patch embedded with nanotechnology that can monitor 11 different human health signals. By combining nanotechnology and artificial intelligence, the team has brought machines closer to effectively communicating with the human body. The patch, worn on the neck, consists of three layers that measure speech, neck movement, touch, breathing, and heart rates. The research, published in Nature Nanotechnology, has the potential to revolutionize remote healthcare delivery and serve as the foundation for personal alarms and communication devices. The team also developed an AI technology called Deep Hybrid-Spectro, which can automatically monitor multiple biometrics from a single signal. The next step for the researchers is to personalize the sensors using sophisticated algorithms tailored to individual users. The patch utilizes laminated cracked platinum film, vertically aligned gold nanowires, and a percolated gold nanowire film, taking advantage of the sensitive nature of neck skin, which is connected to various physiological activities associated with the throat. --- Shane P. Riley
“Recent high-profile settlements against telehealth companies show that the FTC is willing to enforce its Health Breach Notification Rule and hold entities accountable for noncompliance.”
Why this is important: Telehealth has been a lifeline to many. Its usage has increased exponentially following the COVID-19 pandemic. The rise in the usage of telehealth has also raised questions regarding the safety of patients’ Protected Health Information (“PHI”). Recently, the Federal Trade Commission (“FTC”) entered into settlements with GoodRx and BetterHelp for improper health data sharing. The settlements included monetary fines and orders that contained corrective actions.
The FTC’s actions against GoodRx and BetterHelp were based on an October 2021 policy statement that health apps and connected device companies that collect health information must comply with the Health Breach Notification Rule. This Rule requires vendors of personal health records to notify the FTC, and in some instances the media, when they experience a data breach that includes patient PHI. Additionally, the FTC clarified in the policy statement that an entity sharing PHI without the patient’s authorization also triggers notification obligations. The FTC alleged that GoodRx shared PHI with advertising companies and platforms by utilizing third-party tracking pixel software, contrary to its own privacy promises. The FTC alleged this conduct constituted an improper sharing of PHI that required notification to the FTC. The FTC went on to allege that GoodRx’s failure to report these unauthorized disclosures violated the FTC Act. BetterHelp was accused of failing to maintain policies and procedures to protect patient PHI, and it did not obtain consent from customers to share their PHI.
The FTC plans to share some of the settlement funds with customers who were impacted by GoodRx’s and BetterHelp’s improper actions. This is seen as a way to circumvent HIPAA’s prohibition on private rights of action and allow victims to recover in the event of the improper use of their PHI. It also informs the industry that they have to comply with both HIPAA and the FTC’s data breach notification rules. --- Alexander L. Turner
“Celent estimates that global spending on risk management technology in financial services will reach $148.0 billion in 2026, up from $109.8 billion in 2023, a 10.5 percent compound annual growth rate.”
Why this is important: Some of the largest advances in leveraging data analytics for financial services have taken place during the past five years. As data continues to drive market initiatives, it will be absolutely essential for financial institutions to develop and implement more robust data management tools, particularly with cross-database analytics. Management teams should focus on implementing and developing protocols for regulatory compliance, operational resilience, financial cybercrime compliance, and emerging risk analysis. Many of these functions require and benefit from artificial intelligence-driven analysis. This is particularly helpful in compliance functions because AI protocols can accelerate an organization's efforts to de-silo operations and databases following a corporate restructuring, or more frequently a merger. --- Brian H. Richardson
"How can schools stay on top of this rapidly changing technology? And how can educators separate hype from substance?"
Why this is important: As technology continues to advance at an unprecedented pace, it's not just ChatGPT that is making its way into schools. A multitude of AI technologies are finding their place in educational settings, revolutionizing the way students learn and teachers teach. However, staying on top of these rapid changes and discerning the real value of these technologies can be a challenge for schools and educators. To effectively navigate the ever-evolving AI landscape, schools need to prioritize ongoing professional development for teachers. Providing educators with the necessary training and resources to understand AI technologies and their potential applications in the classroom is essential. This can be achieved through workshops, conferences, online courses, and collaborations with AI experts. By investing in their teachers' knowledge and skills, schools can empower them to effectively integrate AI tools and platforms into their teaching practices.
Another crucial aspect is fostering a culture of critical thinking among educators. With the influx of AI technologies, there is bound to be much hype surrounding their capabilities. Educators need to be able to distinguish between genuine educational advancements and overhyped promises. This can be accomplished by encouraging teachers to engage in research, consult with experts, and evaluate the evidence-based impact of AI tools on student learning outcomes. By developing a discerning mindset, educators can make informed decisions about which technologies truly enhance educational experiences.
Collaboration and sharing best practices are also vital in keeping schools abreast of AI developments. Educators should be encouraged to join professional learning communities, both within their own school and across broader networks. These communities can serve as platforms for discussing AI technologies, exchanging ideas, and discovering innovative ways to implement them effectively. Additionally, schools can establish partnerships with technology companies and universities to access the latest research and receive guidance on integrating AI into their educational programs.
Furthermore, schools must prioritize student data privacy and security when incorporating AI technologies. As these tools often require collecting and analyzing student data, it is crucial to establish robust privacy policies and protocols. Schools should work closely with technology providers to ensure compliance with data protection regulations and to maintain the confidentiality of sensitive information. By safeguarding student privacy, schools can create a trustworthy environment that encourages the responsible use of AI technologies.
In conclusion, as AI technologies become increasingly prevalent in schools, educators and institutions must stay ahead of the curve. By investing in teacher professional development, fostering critical thinking, promoting collaboration, and prioritizing student data privacy, schools can successfully navigate the rapidly changing AI landscape. Ultimately, it is through a balanced approach, separating hype from substance, that schools can leverage the true potential of AI to enhance teaching and learning experiences. --- Kevin L. Carr
“A.I. tools are convenient for creating text, images, and code--but keep in mind these legal concerns.”
Why this is important: Generative Artificial Intelligence, or Generative A.I., refers to A.I. that can create images, text, or other similar writings, including computer code, based on text input by a user. The recent explosion in popularity is leading all types of businesses to consider how they can use Generative A.I. to better operate and obtain a competitive advantage. What cannot be lost in this dash to incorporate Generative A.I. is the legal issues that it can involve. This article provides a summary of some issues and a starting point for businesses looking to adopt Generative A.I. into their operations. First, businesses should remember to fact check the A.I.-generated content. This issue can involve checking to ensure that the content is factually correct and also checking to ensure that the content is not proprietary information of another business. Second, businesses should be wary of using content to generate images that look like celebrities or fictional characters, well-known images, or trademarks. Content featuring these types of images might subject the business to claims of infringement, invasion of privacy, or the like. Third, businesses need to consider whether the content will be protected. Earlier this year, the U.S. Copyright Office issued guidance announcing that works containing material generated by A.I. may not be protected by copyright laws. Fourth, businesses need to take steps to protect their intellectual property. Because Generative A.I. involves information input by users, there is a risk that employees may input a business’s protected data into the A.I. platform where it may be stored and used to generate content for others. Fifth, businesses likewise need to take steps to protect their customers’ information, like account numbers and health information, and ensure that employees do not input it. The above list is not an exhaustive list of all of the potential legal issues Generative A.I. involves, but the article provides a good starting point for businesses to begin the discussion of how they can properly incorporate Generative A.I. into their operations. --- Nicholas P. Mooney II
“She referenced the executive order President Joe Biden signed last fall, which formed a new national program to incentivize domestic biomanufacturing, specifically to create chemical compounds.”
Why this is important: Arati Prabhakar, the Director of the White House Office of Science and Technology Policy, discussed the Biden administration's focus on innovation in emerging technologies during a talk with the Milken Institute. While acknowledging the importance of the CHIPS Act in strengthening domestic semiconductor manufacturing and supply chains, Prabhakar emphasized the potential of biotechnology and biomanufacturing as an area for the United States to maintain its leadership. She highlighted President Biden's executive order to incentivize domestic biomanufacturing for chemical compounds, aiming to shift from traditional biological engineering and explore new chemistries and materials with implications for sustainable infrastructure.
Prabhakar also addressed the rise of artificial intelligence (“AI”) and the need for federal regulations to manage its risks. Enforcement agencies such as the FDA, DOJ, and FTC are working to prevent bias in AI systems used in critical infrastructure. The administration intends to hold corporations accountable for ethical AI use and ensure civil rights are not violated. Prabhakar mentioned that the Office of Science and Technology Policy is working closely with senior colleagues to provide guidance, ethical values, and information regarding AI.
These remarks followed President Biden's FY2024 budget request, which includes over $200 billion in federal research and development investment, the largest ever. Prabhakar sees this as representative of the administration's commitment to fostering innovation and technological advancement. Firms in this field should be paying close attention to the new guidance and regulations coming from the Office of Science and Technology Policy in this area moving forward. --- Shane P. Riley
"To help strike that balance, UC has created a liaison between the school’s information security and research leaders, making the school one of several that are creating new systems to shore up cybersecurity for research projects."
Why this is important: Protecting academic research from theft or ransom is of paramount importance to colleges and universities. With academic researchers collaborating with research partners at other academic institutions or in industry, the risk of a data breach or ransom attack is high. One data breach or ransom attack could not only delay a research project, but it can also result in lost data, compromised data, and lost funding. In response to this threat, academic institutions have implemented both common sense tools, including anti-virus software, encryption, and multifactor authentication, along with novel approaches to encourage researchers to adopt cybersecurity as a fundamental part of their research protocols.
Traditionally, academic researchers have been wary of a school’s cybersecurity team because they perceive the academic institution’s cybersecurity professionals as an obstacle to easy communication and transfers of information. Cybersecurity professionals are working hard to change this perception by implementing innovative new approaches to cybersecurity in order to facilitate widespread acceptance. The University of Cincinnati has instituted a program of connecting research teams with information security professionals, including the creation of a committee that is mostly staffed by researchers to make sure that the University’s projects comply with National Institute of Standards and Technology security standards and guidelines. Indiana University has created an opt-in cybersecurity program that has seen enthusiastic acceptance because researchers and security professionals work together to create a cybersecurity plan that integrates current workflows. UC Berkeley is working to prevent researchers from implementing their own cybersecurity work-arounds by collaborating with them early in the research process and by creating research-specific cybersecurity services. By intervening early in the research process, and by not utilizing a one-size-fits-all approach, these higher education cybersecurity professionals have seen that 80 percent of the cybersecurity problems researchers are having can be solved in a few minutes. The key to adoption is focusing on a positive message that explains how cybersecurity protocols can help researchers preserve their research instead of being perceived as an obstacle to advancement. --- Alexander L. Turner
"To control cybersecurity costs, districts get creative: adopting emerging solutions, relying on external support and developing in-house expertise."
Why this is important: Schools are emerging as a prime target for ransomware attacks and other cybersecurity events. Reasons for this include budget shortfalls, operating with older equipment, and lacking up-to-date cybersecurity protections. As a result, threat actors have found them to be an attractive target. The U.S. Government Accountability Office recently reported that cyberattacks on school districts caused learning losses ranging from three days to three weeks. Complete recovery took as long as nine months. The financial harm ranged from $50,000 to $1 million per school district.
The fact that schools are increasingly targeted by threat actors has led schools and districts (like nearly everyone else) to pay increasing attention to bolstering cybersecurity protections. Those protections come at a cost. What does a school or district do when it lacks the funds to adopt best-in-class protections? This article discusses some of the ways that smaller schools and districts and those with smaller budgets have adopted creative solutions to get the best cybersecurity protections without breaking the budget. Some have petitioned government agencies to increase funding for cybersecurity solutions. The article also discusses at length the success one Texas district had in creating a consortium encompassing 120 members. It purchased cybersecurity protections and retained professionals at the district level for use by all of its members. This allowed them to benefit from high-volume purchases and the associated price discounts. Hiring virtual Chief Information Security Officers (“CISOs”) is another cost-effective solution that schools and districts have implemented. Hiring a full-time CISO requires them to compete with the private sector to attract and retain CISOs at a time when they are in high demand. Hiring a virtual CISO allows them to have a resource available when needed at a fraction of the cost. Finally, schools and districts are finding it helpful to make cybersecurity part of everyone’s mindset. Focusing on security keeps it front of mind for everyone and may reduce the number of cybersecurity incidents schools and districts experience.
At bottom, cybersecurity protections are a must, and they come at a cost. When a school or district has budget constraints that affect those protections, they should consider creative solutions to help them employ the most up-to-date solutions. This article provides some ideas those schools and districts should consider. --- Nicholas P. Mooney II
“Digitization and online banking will help the community banking sector grow substantially over the next five years.”
Why this is important: Over the next five years, analysts are forecasting 5 percent growth in the community bank market share of overall banking services. If 5 percent seems comparatively small, consider the dollar comparison represented by that share: $207 billion. Community banks have many factors on their side as they continue this growth curve. First, their size allows them to be more nimble in implementing technologies, or changing course. In many instances, this is accomplished by strategic partnerships, such as the partnership recently announced by First Fidelity Bank and its prospective fintech partner Unifimoney, which is driving growth of its digital and online offerings, as one example. Fintech partnerships and other technological developments can help community banks continue on growth trajectories. Alternatively, for those that may be struggling with consumers departing for more non-conventional banking options and fintech startups, it can help stem that tide as they become better equipped to meet customer demand. Strong online offerings appear to be a major driving force in the growth of community banks, and will continue to drive that progress over the coming five-year cycle. --- Brian H. Richardson
“Ransomware attacks targeted the education sector more than any other industry in the last year, with 79% of surveyed higher education institutions across the world reporting being hit, according to an annual report from Sophos, a U.K.-based cybersecurity firm.”
Why this is important: This article discusses a recent report by the U.K.-based cybersecurity firm Sophos regarding cybersecurity events and ransomware attacks directed at education institutions. Sophos’ report found that 79 percent of the higher education institutions it surveyed around the world reported being hit by at least one attack in the past year. Of those, 59 percent reported the attack resulted in them losing “a lot of” business and revenue. The leading cause of these attacks was system vulnerabilities, which was reported in 40 percent of the attacks. The second most common cause was compromised credentials. Though unsaid in the article, compromised credentials commonly result from phishing (or other similar) attacks or social engineering. This confirms the need for increased training and attention focusing on credential security.
One of the reasons education institutions are a target of threat actors results from the student data they hold. In one event late last year, the attacker group broke into a college’s system and accessed data about 63,000 students. To ramp up the pressure on the college to pay ransom, the group communicated directly with the students whose data it accessed. It sent an email to students that detailed the types of data it accessed (including medical records and psychological assessments) and then told them “To us, this is a normal business day. For you, it’s a sad day where everyone will see your personal and private info.” It’s easy to imagine the students’ and parents’ reaction to this and the resulting clamor to the school to resolve the attack. In fact, in that instance, the attack caused multiple students to file lawsuits against the college, alleging that it failed to have in place up-to-date security protections. In the end, the Sophos report is a much-needed reminder that ransomware events are still a major threat to education institutions. --- Nicholas P. Mooney II
This is an attorney advertisement. Your receipt and/or use of this material does not constitute or create an attorney-client relationship between you and Spilman Thomas & Battle, PLLC or any attorney associated with the firm. This e-mail publication is distributed with the understanding that the author, publisher and distributor are not rendering legal or other professional advice on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use.
Responsible Attorney: Michael J. Basile, 800-967-8251