1. Overview of the regulatory issues facing companies—and cyber insurers—that may need to respond to ransomware emanating from a threat actor or group with potential ties to entities on federal lists.

The U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) administers and enforces economic sanctions programs against countries, entities, and individuals, using asset blocking and trade restrictions to accomplish foreign policy and national security goals.  As part of those efforts, OFAC maintains a consolidated sanctions list (the “OFAC List”), which includes the Specially Designated Nationals and Blocked Persons List (“SDN List”) as well as its other sanctions lists.  OFAC has designated ransomware operators and their facilitators on the OFAC List, and a payment to a listed person or entity would violate economic sanctions laws.  Penalty amounts depend on numerous factors, and the statutory maximums are adjusted annually, but civil and criminal penalties can reach millions of dollars.

Payment of a ransom could also implicate laws relating to designated Foreign Terrorist Organizations (“FTOs”) and Specially Designated Global Terrorists (“SDGTs”).  Under 18 U.S.C. § 2339B, providing money to an FTO constitutes material support.  Transfers of money to SDGTs violate economic sanctions imposed under the International Emergency Economic Powers Act (“IEEPA”).

Finally, depending on how the payment is structured, paying a ransom could place a company in violation of anti-money laundering laws.  For example, depending on how the funds are moved, paying a ransom could put a company at risk of being categorized as a “money services business” (“MSB”) under the Bank Secrecy Act (“BSA”) and Treasury Department regulations.  MSBs must register with the Treasury Department, and they are subject to a complex array of laws and regulations designed to combat money laundering.  The Treasury Department (through the Financial Crimes Enforcement Network, or “FinCEN”) and the Department of Justice can enforce these requirements through civil and criminal actions.

2. How does the level of certainty relating to threat actor attribution play into potential liability?

OFAC has not issued guidance specifically addressing what level of certainty applies when assessing attribution of an attack to a threat actor or a threat actor’s affiliation with a blocked entity.  However, the regulatory framework and guidance indicate that enforcement decisions will be made on a case-by-case basis, and a company may be able to mitigate liability through its overall compliance regime.  OFAC’s Economic Sanctions Enforcement Guidelines (the “Guidelines”) give it the authority to investigate “apparent violations,” defined to mean any conduct that constitutes an “actual or possible violation of U.S. economic sanctions laws.”  31 CFR App’x to Part 501, I.A.  OFAC therefore likely has the authority to investigate a payment to a blocked threat actor, even without certainty that the attack is attributable to that blocked group, because the payment could constitute an “apparent violation.”  The Guidelines also state that OFAC may impose civil penalties on a strict liability basis, so a company’s uncertainty about attribution bears on the size of any penalty rather than on whether a violation occurred.

Under its Framework for OFAC Compliance Commitments (the “Framework”), OFAC “strongly encourages organizations . . . to employ a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program (SCP).”  Components of an SCP include performing risk assessments, using sanctions screening software or filters, conducting due diligence on customers and clients, and scrutinizing non-traditional business methods.  While none of these components directly speaks to a threat actor attribution standard, they all demonstrate that OFAC will look at whether a company has implemented procedures that generally lower the likelihood of a payment to a blocked entity.

With respect to the material support statutes, the standard for attribution would likely include an actual “knowledge” component: a company could be found to have materially supported an FTO only if it had actual knowledge that the threat actor was part of the FTO.  See 18 U.S.C. § 2339B(a)(1) (“To violate this paragraph, a person must have knowledge that the organization is a designated terrorist organization . . .”).  It therefore appears that, to be liable for providing material support to an FTO, a company must know that an attack is attributable to a threat actor that is designated as, or affiliated with, an FTO.

3. What can a company do during the IR negotiation process to avoid the regulatory pitfalls?

Even before an incident occurs, companies can mitigate OFAC liability risk by implementing a documented SCP.  At the very least, having an SCP can help position a company for more favorable treatment by OFAC if the company pays a ransom to a blocked entity.  See Framework at 1 (“When applying the Guidelines to a given factual situation, OFAC will consider favorably subject persons that had effective SCPs at the time of an apparent violation.  . . . OFAC may consider the existence, nature, and adequacy of an SCP, and when appropriate, may mitigate a [civil monetary penalty] on that basis.”).

During the IR negotiation process, companies should ensure that they enlist experienced legal counsel and a specialized recovery firm.  Recovery firms should be registered with the Treasury Department (through FinCEN) as money services businesses and capable of paying the ransom without violating the BSA or other anti-money laundering laws.  They should also have cryptocurrency readily available to avoid logistical delays, as well as up-to-date information on the OFAC List and current knowledge of threat actor attribution, including changes in modus operandi, updates to the OFAC List, and mergers between threat actor groups.

Earlier this month, the Federal Trade Commission (FTC) announced a $10 million settlement with the online learning company ABCmouse for allegedly violating the FTC Act as well as the Restore Online Shoppers’ Confidence Act (ROSCA). The FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce. ROSCA makes it illegal to automatically charge consumers for products sold online unless the seller clearly discloses the material terms of the transaction before obtaining the consumer’s billing information, obtains the consumer’s express informed consent before making the charge, and provides a simple mechanism to stop recurring charges.

ABCmouse is an online learning tool that sells memberships for access to its content. The FTC alleged that ABCmouse violated ROSCA by offering memberships to its services without disclosing that the memberships would automatically renew indefinitely. Similarly, the FTC claimed that ABCmouse offered a free trial with the option to extend membership beyond the trial period, but did not disclose that at the end of the free trial the membership would automatically renew indefinitely.

The FTC also claimed that ABCmouse did not offer consumers a simple way to stop the automatic renewal, despite promising “easy cancellation” when users enrolled. The FTC alleged that more than 100,000 users attempted to cancel their memberships. Those users were required to go through a lengthy process to stop the automatic renewals, and some found that the charges continued even after they had tried to cancel. Additionally, ABCmouse did not make the required disclosures to its users about the automatic renewals, the ability to cancel them, or the deadline by which users needed to cancel to avoid unwanted charges.

ABCmouse has agreed to the FTC’s settlement which requires ABCmouse to:

  • Not misrepresent any automatic renewals;
  • Make required disclosures about the automatic renewals and a user’s ability to cancel;
  • Obtain express informed consent for automatic renewals; and
  • Provide a simple mechanism to opt out of the automatic renewals.

The FTC warned in its blog post about the ABCmouse settlement that, because of COVID-19, it is more important now than ever that companies relying on automatic renewals do so legally. More people are signing up for subscription services that they may no longer wish to have once things return to normal. Companies that use automatic renewals should follow the requirements of ROSCA as well as any state laws governing automatic renewals, so that consumers can stop the renewals at any time. For more information about automatic renewals, see our previous blog post, which details both the federal and state requirements.

With the rise of the digital world, many estate planning clients have accumulated large collections of “digital assets” that are stored online. In its simplest form, a “digital asset” is a non-physical asset that exists online in electronic format. Most clients preserve digital assets either for their sentimental value or for their financial value. Examples of digital assets that are preserved for their sentimental value include digital photos, music, movies, eBooks, information and documents stored in cloud accounts, subscriptions, smartphone applications and the data stored in them, and social media accounts. Digital assets that are held for their financial value include cryptocurrencies, bank or investment accounts, credit card rewards, income-generating websites or blogs, digital videos or written works that produce income, email accounts, and digital copyrights or trademarks. Today, digital assets form a greater part of clients’ estates than in the past.

With the increase in ownership of digital assets, the threat of cybercrime is more pronounced. Cybercriminals hack into online user accounts to steal information that can be sold on the black market, and they also target online investment accounts that can produce substantial financial gain. For instance, recently in New York, a couple unintentionally wired a $1.9 million down payment for a business to cybercriminals who had hacked into the couple’s email account, learned of the transaction, and created fake wire transfer instructions. A 2019 survey conducted by Morgan Stanley revealed that cybersecurity risk is one of the major concerns for high net worth individuals. High net worth individuals, in particular, therefore seek attorneys who can help manage and protect their digital assets and who can help navigate the legal framework that controls digital assets.

Although the legal treatment of digital assets varies from state to state, there are certain statutes that protect digital accounts from cybercrime. For example, the Computer Fraud and Abuse Act (CFAA) protects digital accounts by criminalizing the intentional access of a computer system without authorization. The Stored Communications Act (SCA) also prohibits the intentional access of an electronic communication without authorization. Violation of the CFAA and the SCA is punishable by imprisonment and a fine. In addition, about 45 states, including Pennsylvania, have adopted the Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA), which allows fiduciaries such as agents under powers of attorney, executors, guardians and trustees to access a client’s digital assets upon the client’s incapacity or death. In the absence of RUFADAA, it would have been more difficult for fiduciaries, particularly executors, who have a duty to protect a client’s assets, to collect digital assets upon a client’s death or incapacity. Digital assets that live “on the cloud” unclaimed and unmonitored by their owners often fall prey to cybercrime.

In addition to helping clients navigate the laws that govern digital assets, estate planning attorneys can assist their clients in taking proactive steps to protect their digital estate. First, estate planning attorneys should encourage their clients to create a memorandum that lists their digital assets and provides instructions on how each asset can be accessed. This memorandum may be stored in the client’s safe deposit box or vault and should be regularly reviewed and updated. Clients may also store the log-in information for their online accounts in a reputable password manager. In addition, estate planning attorneys should work with their clients to detail in their estate planning documents how they want their fiduciaries and heirs to access and manage their digital assets in the event of incapacity or death. For instance, a client may authorize the executor to hire appropriate experts who can assist the executor in properly managing and distributing the digital assets in the client’s estate.

In today’s high-tech, digital world which is threatened by different forms of cybercrime, digital asset planning and protection is an important way for estate planning attorneys to provide additional value to their clients. Estate planning attorneys can draft estate planning documents that address the management, protection, and the secure distribution of digital assets. In addition to navigating a legal system that can be somewhat sophisticated, estate planning attorneys can help clients implement proactive measures to preserve their digital assets.

The Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services has issued guidance clarifying how HIPAA’s Privacy Rule permits covered entities (in particular, health care providers and health plans) or their business associates to contact former COVID-19 patients about donating plasma to treat or potentially treat current patients. The guidance follows the FDA’s emergency use authorization of convalescent plasma containing COVID-19 antibodies for the treatment of hospitalized COVID-19 patients.

The guidance observes that covered entities under HIPAA may also use former COVID-19 patients’ protected health information (PHI) for certain health care operations purposes that are not related to the care of that particular patient. For example, a covered entity may use and potentially disclose such PHI if it would help that entity with the case management of current COVID-19 patients.

However, the guidance also addresses the limits that apply to the use or disclosure of such information.  Specifically, a covered entity or its business associate may not use or disclose former COVID-19 patients’ PHI to make such communications on behalf of a third party. In particular, covered entities need to be careful not to use or disclose PHI for marketing purposes, which may happen, for example, if PHI is used or disclosed to encourage former COVID-19 patients to donate at a particular blood or plasma donation center.

In the case of health care operations, covered entities must also make reasonable efforts to use or disclose only the minimum amount of PHI necessary for the particular purpose.

On August 19, 2020, the United States District Court for the Northern District of California granted preliminary approval of the class action settlement in In re Facebook Biometric Information Privacy Litigation, 3:15-cv-03747-JD.  If the settlement receives final approval, Facebook would pay $650 million to Illinois class members as compensation for violations of the Illinois Biometric Information Privacy Act (“BIPA”)—a $100 million increase from the settlement proposal that the District Court denied earlier this year.

The case arose from allegations that Facebook violated BIPA by collecting and storing class members’ biometric data in the form of scans of their faces without prior notice or consent.  Facebook harvested the scans in connection with its “Tag Suggestions” program, which looks for and identifies people’s faces in photographs uploaded to Facebook to promote user tagging.  BIPA provides statutory damages of up to $1,000 per negligent violation and up to $5,000 per intentional or reckless violation.  Plaintiffs estimated that millions of Illinois residents were Facebook users whose biometric data had been collected in violation of BIPA.

As the Court recognized, the case was “fiercely litigated” for over five years, with fights on standing, summary judgment, and class certification.  Notably, during the pendency of an interlocutory appeal to the Ninth Circuit, the Illinois Supreme Court largely adopted the District Court’s pro-plaintiff interpretation of BIPA in its 2019 Rosenbach v. Six Flags Entm’t Corp. decision.  Just as the case was about to be set for a jury trial, the parties advised the District Court that a settlement in principle had been reached, pursuant to which Facebook would pay $550 million.  However, on June 4, 2020, the District Court denied the parties’ request for preliminary approval, citing concerns about an unduly steep discount on statutory damages under BIPA and the sufficiency of notice to class members.

After renegotiating, the parties asked the District Court to grant preliminary approval for a new agreement, pursuant to which Facebook agreed to pay $650 million into a non-reversionary cash fund.  The District Court conducted an evidentiary hearing on July 23, 2020, and thereafter granted preliminary approval.  In doing so, the District Court noted that the additional $100 million “substantially allays the Court’s concerns about the potential inadequacy of payments to class members in light of BIPA’s statutory penalties.”  The District Court also approved the notice to class members, which includes email notice, Facebook news feed notice, publication notice, a settlement website, targeted internet ad campaigns, and CAFA notice.  A final approval hearing is set for January 7, 2021.

The Facebook settlement should serve as a reminder to take BIPA compliance seriously.  While the scale of Facebook’s user base makes the settlement newsworthy, the lessons apply to businesses of all sizes: if you collect biometric data from Illinois consumers or employees, you must obtain written consent prior to collection and comply with BIPA’s other obligations.  Failure to do so exposes you to a class action for statutory damages and attorneys’ fees.

On August 14, 2020, the California Office of Administrative Law (“OAL”) approved in part and withdrew in part the Regulations regarding the California Consumer Privacy Act (“CCPA”).  While most of the changes are non-substantive, the OAL withdrew certain provisions of the Regulations and resubmitted them to the Attorney General’s Office for further review.  Approved sections went into effect immediately.

Among the more notable provisions withdrawn was 999.305(a)(5), which would have required businesses to obtain express consent from consumers before using previously collected information for a materially different purpose.  Rather than obtaining express consent, businesses must comply with Section 1798.100(b) of the CCPA, which prohibits businesses from using personal information “collected for additional purposes without providing the consumer with notice consistent with this section.”  Because initial notice can generally be accomplished through an online privacy policy, it appears that updates to an online privacy policy may suffice if a business intends to start using previously collected personal information for an additional purpose.

The OAL also made three changes relating to consumers’ opt-out right:  (1) withdrawing a provision that required businesses that substantially interact with consumers offline to provide notice of the right to opt out through an offline method; (2) withdrawing a provision that required businesses to make the opt-out process “easy” and to “require minimal steps”; and (3) requiring businesses to title their opt-out link “Do Not Sell My Personal Information” rather than “Do Not Sell My Info.”  While the last change is non-substantive, it is a concrete change that many businesses may need to make.

Finally, while much has been made of the OAL’s withdrawal of a provision stating that businesses may deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer (previously Section 999.326(c)), that may be a change without practical effect.  Indeed, Section 999.326(a)(1) still allows businesses to require that a consumer provide the authorized agent with signed permission to submit requests to know or delete.  And, similarly, Section 999.315(f) allows businesses to deny a request to opt-out submitted by an authorized agent if the agent cannot provide to the business the consumer’s signed permission.  Accordingly, it appears that businesses arguably may be able to deny requests if they are unable to verify that an authorized agent has a consumer’s written permission to submit requests on their behalf.

Under California law, the Attorney General’s Office has one year to resubmit withdrawn sections after further review and possible revision.  Whether or not the Attorney General’s Office revises and/or resubmits those provisions will likely be influenced by whether the California Privacy Rights Act is passed on the upcoming ballot.

On July 13, 2020, the Federal Trade Commission (FTC) held a workshop titled “Information Security and Financial Institutions: FTC Workshop to Examine Safeguards Rule.” This workshop discussed the proposed amendments to the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program. The GLBA Safeguards Rule has not been updated since it went into effect in 2003. The workshop explored the cost of information security for financial institutions, the availability of information security services for smaller financial institutions, and other issues raised in comments received in response to the FTC’s notice of proposed rulemaking.

During the workshop, FTC staff provided the following insights into the proposed amendments to the GLBA Safeguards Rule:

  • Designate one qualified individual to be responsible for overseeing the information security program. Although the term Chief Information Security Officer (CISO) is used in the proposed amendments, the FTC staff clarified that the qualified person does not necessarily need to carry the title of a CISO. The FTC staff noted that the necessary qualifications for the responsible individual will likely be dependent on the information security needs of each financial institution.
  • Base the information security program on a written risk assessment that must include certain criteria for determining risk and describe how the information security program will address those risks. The FTC staff expressly stated that risk assessments are expected to be done on a routine basis; financial institutions cannot complete a risk assessment once and then never again.
  • Provide security awareness training to personnel. The FTC staff recommended that all employees receive basic security training, but information security personnel should receive more in-depth security training. The FTC staff noted that financial institutions may use a third party service provider to conduct these trainings.
  • Implement an information security program that includes access controls, developing information inventories, implementing secure development practices, conducting audits, implementing secure disposal requirements, developing change management procedures, and monitoring the activity of authorized users. The FTC staff emphasized that it is up to the financial institution to determine how to implement the various requirements and that each financial institution should be free to choose a solution that works best for each financial institution’s respective information security program.
  • Implement encryption and multifactor authentication. The FTC staff indicated their belief that financial institutions should have the flexibility to determine how to implement encryption and multifactor authentication. However, the FTC staff noted that in the event it is not feasible for a financial institution to implement encryption or multifactor authentication, the financial institution should come up with alternative controls that have been reviewed and approved by the qualified individual in charge of the financial institution’s information security program.
  • Financial institutions that maintain information about fewer than 5,000 consumers would be exempted from most of the written requirements. The FTC staff explained that the exemption was written so that small financial institutions with small budgets that nonetheless hold tens of thousands of consumers’ records are still expected to implement security controls appropriate to the amount of data they collect, not merely to the size of their business.

The deadline to submit comments about the proposed amendments to the GLBA Safeguards Rule is August 12, 2020. Financial institutions that are subject to the GLBA Safeguards Rule should review their current information security program in light of the proposed amendments to determine how any changes may affect their information security programs.

On July 16, 2020, the European Court of Justice (Court) ruled in the “Schrems II” case that one of the most commonly used cross-border data transfer mechanisms between the European Union (EU) and the United States (US), the EU-US Privacy Shield Framework (Privacy Shield), is invalid. The Court reasoned that when transferring European data subjects’ personal data to a third country, the recipient in the third country must be able to protect that personal data with a level of protection essentially equivalent to the one guaranteed within the EU by the General Data Protection Regulation (GDPR). The Court added that this requires an assessment of how the third country’s legal system and public authorities may access the personal data, and whether that access is subject to the protections guaranteed within the EU.

The Court found that the surveillance laws in the U.S. allow for the U.S. government to access the personal data of Europeans that is transferred to the U.S. and that the Privacy Shield does not protect Europeans’ personal data from such U.S. government surveillance. Furthermore, the Court found that Europeans are not afforded the right to bring actions in U.S. courts to prevent this type of access as they could in the EU. Therefore, the Court ruled that the adequacy decision that forms the basis for the Privacy Shield is invalid, because the Privacy Shield is not able to offer Europeans an equivalent level of protection as they would be entitled to in the EU. This means those businesses that currently rely on the Privacy Shield, which includes over 5,000 active participants, will need to find an alternative mechanism to transfer personal data from the EU to the US.

By contrast, the Court upheld the validity of one of the other mechanisms for transfers to the U.S., the standard contractual clauses, which Schrems had also challenged. The Court reasoned that although standard contractual clauses cannot bind the public authorities of a third country, they are not defective in the way the Privacy Shield adequacy decision is: the data exporter and the data importer are both required to verify, prior to the transfer, whether the data importer can afford data subjects appropriate safeguards, enforceable rights, and effective legal remedies, and to suspend the transfer if it cannot. On that basis, the Court found that the standard contractual clauses can adequately protect personal data at a level essentially equivalent to that guaranteed by the GDPR.

In a press conference given by the European Commission, Věra Jourová, Vice-President for Values and Transparency, highlighted that the European Commission is working to modernize the standard contractual clauses and that the requirements of this ruling will be incorporated into any future updates of them. Jourová also commented that businesses can still rely on binding corporate rules for the transfer of personal data from the EU to the US.

Businesses that are currently Privacy Shield certified should start examining different transfer mechanisms as an alternative to Privacy Shield. Whether they choose standard contractual clauses or binding corporate rules, businesses that transfer EU data to the U.S. must provide appropriate safeguards, enforceable rights, and effective legal remedies to the data subjects whose information they receive.

The Financial Crimes Enforcement Network (“FinCEN”) just issued another Advisory pertaining to two consumer fraud schemes exacerbated by the COVID-19 pandemic. This Advisory focuses on “imposter schemes” and “money mule schemes,” which we discuss below.

This most recent Advisory is the latest in a string of pronouncements relating to the pandemic by FinCEN, which has stated that it regularly will issue such documents. As we have blogged, FinCEN issued an Advisory on May 18 regarding medical scams related to the pandemic, and issued a companion Notice that “provides detailed filing instructions for financial institutions, which will serve as a reference for future COVID-19 advisories.” On April 3, 2020, FinCEN also updated its March 16, 2020 COVID-19 Notice in order to assist “financial institutions in complying with their Bank Secrecy Act (“BSA”) obligations during the COVID-19 pandemic, and announc[ing] a direct contact mechanism for urgent COVID-19-related issues.”

The most recent Advisory again provides a list of potential red flags that FinCEN believes that financial institutions should be monitoring for, in order to detect, prevent, and report such suspicious activity. As we previously have commented: although such lists can be helpful to financial institutions, they ultimately may impose de facto heightened due diligence requirements. The risk is that, further in time, after memories of the stressors currently imposed by COVID-19 have faded, some regulators may focus only on perceived historical BSA/AML compliance failures and will invoke these lists not merely as efforts by FinCEN to assist financial institutions in deterring crime, but as instances in which FinCEN was putting financial institutions on notice.

Further, the most recent Advisory suffers from the fact that its list of red flags for imposter schemes is best directed at consumers themselves, rather than at financial institutions offering services to consumers: many of the red flags pertain to anomalies in the communications sent directly by fraudsters to targeted consumer victims – information that financial institutions rarely possess.