December 15, 2022


Welcome to the 24th and final issue of Decoded for the year.

As we come to the end of 2022, we invite you to provide us any feedback regarding issues you would like us to revisit. Is there a topic that you find interesting and could use some guidance? Would you like our opinion about a particular issue or case? Please email us your thoughts and we will include them in our 2023 planning.

We wish you and yours a wonderful holiday and a prosperous new year!

We hope you enjoy this issue and, as always, thank you for reading.

Nicholas P. Mooney II, Co-Editor of Decoded, Chair of Spilman's Technology Practice Group, and Co-Chair of the Cybersecurity & Data Protection Practice Group


Alexander L. Turner, Co-Editor of Decoded and Co-Chair of the Cybersecurity & Data Protection Practice Group

North Carolina Power Outage Points to Homeland Security Long-Documented Threats to US Power Grid

“Moore County blackouts serve as reminder that nation’s electricity infrastructure could be vulnerable targets for domestic terrorists.”

Why this is important: This article reports on a power outage resulting from a physical attack on a power substation in North Carolina, leaving tens of thousands in Moore County without power. The attack in this case, while physical, reminds everyone of the warnings by the Department of Homeland Security and other government agencies of the vulnerability of critical infrastructure, including vulnerability to cyberattacks. While cybersecurity standards for the electric grid have been approved by the Federal Energy Regulatory Commission, there still is much work to be done to ensure that those standards address all of the current potential cyber vulnerabilities. In response to the attack discussed here, FERC and other government agencies have recommended utilities implement additional security measures. This article is important in showing us that, while a lot of attention is being paid to fixing the cybersecurity vulnerabilities of the country’s power grid, preventing physical attacks cannot be forgotten. --- Nicholas P. Mooney II

New Technology Could Increase Scan Speeds of Three-Dimensional MRIs

“The invention could lead to faster results, increase the clinical applications of MRIs, and ultimately improve patient care.”

Why this is important: Dr. Nicholas Dwork of University of Colorado School of Medicine has filed a provisional patent for a method of adjusting the sampling pattern created by a magnetic resonance imaging (“MRI”) machine’s magnetic fields using pulse sequence diagrams, which may be able to reduce scan times drastically. With scan times estimated to be reduced by 25 percent, doctors would have access to faster results, patients would have to spend less time in the machine, and the potential for broader use of MRI would greatly increase. While MRIs for pregnant people and young children are generally considered safe, they are often avoided. With reduced time in the machine and less exposure to the scan, patients, especially children, may have an easier time staying still so a high quality and useful image can be produced. Dwork’s technology appears to be a win-win for doctors and patients and shows the importance of biomedical informatics in increasing the quality of healthcare. --- Shane P. Riley

New Class Action Litigation Aimed at Website Chat Features

“Recently, a spate of class action lawsuits has been filed in California state and federal courts asserting violations of section 631(a) of the California Invasion of Privacy Act, claiming that website operators are intentionally wiretapping or eavesdropping on users by recording and sharing information gathered during use of the site’s chat feature without user consent.”

Why this is important: Collecting data from a California customer’s use of the chat feature on your website without first obtaining the customer’s permission may constitute a violation of Section 631(a) of the California Invasion of Privacy Act (“CIPA”). Under the CIPA, it is illegal to record conversations unless everyone involved in the conversation consents first. In response to a violation of the CIPA, a California customer can bring a private cause of action. Recently, a number of class action lawsuits have been filed under the CIPA related to allegations that website operators are recording and sharing information gathered without permission from California customers who use the websites’ chat features. The plaintiffs in these cases allege that websites are embedding third party code into their websites that allows third parties to intercept or eavesdrop on customers’ webchats. The impetus for these suits is the Ninth Circuit’s recent decision in Javier v. Assurance IQ, LLC, No. 21-16351, 2022 WL 1744107 (9th Cir. May 31, 2022). In that decision, the Ninth Circuit held that obtaining user consent after collecting the customer’s personal information did not defeat wiretapping claims under the CIPA. Even though the issues in Javier did not involve the collection of information through a website’s chat feature, the plaintiffs in these webchat class actions argue that the holding in Javier requires website operators to obtain customer permission before recording or sharing information obtained through the website’s chat function. Plaintiffs’ lawsuits also include claims that web operators’ use of session replay software, which records the keystrokes, mouse clicks, and data entry of every visitor interaction on the website, also constitutes a violation of the CIPA. Courts throughout the country are split on whether this type of data constitutes wiretapping. What is clear is that the law of data privacy is constantly evolving.
If you would like help navigating the ever-changing landscape of U.S. privacy law, please contact a member of Spilman’s Technology Practice Group. --- Alexander L. Turner

US Senators Ask SoFi About Its Banking Law Compliance

“Four U.S. senators have signed a letter to SoFi Technologies CEO Anthony Noto expressing concerns about the online personal finance company and online bank’s digital asset trading activities and asking if it is working to conform them to U.S. banking law.”

Why this is important: SoFi Technologies, Inc. is a finance company that offers many nonbank services, but also allows some “deposits” or investments to be held in digital currency (including cryptocurrency). According to its own website, it is “A one-stop shop for your finances.” Its status as a nonbank allowed it to ignore in many respects U.S. bank law. In February 2022, SoFi acquired Golden Pacific Bancorp, Inc., a California bank holding company. Part of the company now holds actual bank deposits. That means that, even though the bank is held separately and, to some extent, walled off from SoFi’s former nonbanking activities, the entire organization now is subject to U.S. banking law and review/examination by the Federal Reserve. Four U.S. senators (all Democrats) have questioned whether SoFi’s connection to cryptocurrency and other activities are consistent with operating a U.S. bank holding company. This will be interesting to watch, because SoFi’s former business plan previously worked well by staying out of regulatory crosshairs. This may set a sort of standard for dealing with these hybrid entities. It also may set guidelines for how far traditional banks – BOA, Chase, Truist, etc. – may go in offering non-traditional, non-bank products.

My colleague, Brian Richardson, pointed out that SoFi had a recent unforced error that may help the regulation proponents. The company sent out an email to their full mailing list regarding clients’ mandatory IRA distributions for 2022. The problem was that it went out to all the mailing list, including people who had never set up an IRA or even an account. People who had merely submitted an inquiry on the website received the same message. This caused some confusion. A few hours later, the company sent a second email that basically said, “Whoops! We’re not phishing you, we just made a mistake! Your data is still safe with us!” That’s probably the right message, but the incident still may add fuel to the “more regulation” argument. --- Hugh B. Wellons

FTC Probes ‘Possible Misconduct’ in Cryptocurrency Advertising

“Additionally, the agency enforces laws that require truth in advertising, including rules that individuals disclose when they have been paid for endorsements or reviews.”

Why this is important: This article adds to the news of recent investigations and charges involving people in the cryptocurrency world. The FTX cryptocurrency exchange recently collapsed. Its CEO, Sam Bankman-Fried, has been arrested in the Bahamas and charged by U.S. authorities with fraud. He intends to fight extradition. Celebrity endorsers of the exchange like Tom Brady and Steph Curry are getting caught up in the scandal as regulators have announced investigations into whether they violated securities laws. The Federal Trade Commission recently announced that the FTX saga isn’t the only crypto investigation. It announced that it has launched an investigation against “several unnamed crypto firms” regarding alleged “deceptive or misleading crypto advertising.” This issue (and the ongoing problems FTX, its CEO, and celebrity endorsers are facing) shows again that the cryptocurrency world isn’t the wild west and that regulations, whether they be Know-Your-Customer rules, securities regulations, laws regarding fraud or misleading advertising, or other rules, are being applied by regulators, sometimes even with criminal charges. --- Nicholas P. Mooney II

BlockFi Files for Bankruptcy Amid FTX Contagion

“The crypto lender has initiated a cost-cutting plan that involves ‘major layoffs,’ according to Decrypt.”

Why this is important: This bankruptcy filing represents the initial ripple of what could become a wave as cryptocurrency companies reevaluate their positions in the downstream fallout from the recent FTX collapse. Multiple cryptocurrency exchanges halted transactions in mid-November during the initial fallout from the FTX bankruptcy filing. Among the “first day” motions in the BlockFi bankruptcy case was a key employee retention plan that contemplates major layoffs in an effort to reduce ongoing operating costs and streamline the business going forward. We expect to see further protective actions taken by other companies in the crypto markets, though this is not the first instance of crypto companies going through the bankruptcy process. A Virginia Beach-based bitcoin mining operation filed for chapter 11 bankruptcy in the spring of 2019. Bankruptcy courts are becoming well-equipped to address the variety of issues presented in restructurings for crypto companies. Interested parties should pay attention to these cases (FTX and BlockFi) as they may lay some foundation and precedent for how other crypto businesses may be restructured through the courts in future cases. --- Brian H. Richardson

OCR Outlines Proper Use of Tracking Tech to Maintain HIPAA Compliance

“Covered entities and business associates using tracking tech such as Google Analytics and Meta Pixel should pay close attention to whether PHI is being handled in accordance with HIPAA.”

Why this is important: In the last edition of Decoded, we discussed lawsuits against Duke and WakeMed regarding their use of Meta’s Meta Pixel tracking product and the alleged improper disclosure of patients’ protected health information (“PHI”). The U.S. Department of Health and Human Services’ Office of Civil Rights (“OCR”) recently weighed in regarding the use of tracking technology by covered entities and business associates covered by HIPAA. The OCR on December 2, 2022, issued a bulletin titled “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” in order to give entities covered by HIPAA guidance on how to use online tracking technology and still protect patients’ PHI. The OCR decided to issue the bulletin after reports that patient PHI was transmitted to Facebook through tracking technology installed on hospital websites and within password protected patient portals. The OCR instructed covered entities and business associates that they are not permitted to use tracking technologies that would result in an impermissible disclosure of patient PHI. The bulletin also included the requirement that covered entities enter into business associate agreements with tracking technology vendors if those vendors create, maintain, or receive PHI. Additionally, “it is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information.” Accordingly, a disclosure of PHI to a tracking technology vendor requires that the vendor have executed a business associate agreement with the covered entity and that there be an applicable Privacy Rule permission for the disclosure. If patient PHI is disclosed to a tracking technology vendor in the absence of these two requirements, then that disclosure would be considered a breach and HIPAA notification requirements would apply, including notifying the OCR. --- Alexander L. Turner

Cuba Ransomware Group Hitting US Organizations in 5 Critical Sectors

“The ransomware group and its affiliates more than doubled the number of organizations it hit between November 2021 and August 2022, bringing its total illicit haul to date to more than $60 million.”

Why this is important: There is a lot of talk about Russian cyberattackers and ransomware groups, and for good reason. However, they don’t have a corner on the threat actor market. This article discusses the increase in ransomware attacks from groups in Cuba. Those groups were suspected of obtaining approximately $44 million in ransom payments in 2021, and they’ve obtained double that amount in 2022. The groups use the same types of attacks, including phishing campaigns, a preferred tool of threat actors. In addition, the groups take advantage of known security vulnerabilities, use compromised credentials, and exploit problems in remote desktop protocols. While Russian attackers might get more press, this article shows that Cuban groups are another threat. --- Nicholas P. Mooney II

Crypto Needs an FDIC-Like Protocol to Prevent Liquidity Crises

“How does the FTX fallout resemble the history of bank runs?”

Why this is important: Cryptocurrency is getting bad press these days, much of it deserved. Creativity and minimal regulation contributed to the growth of these currencies. Many cryptocurrencies were lucrative to own for years. Investors began to forget that this was a risky investment. Minimal regulation creates opportunity, but it cuts both ways. That advantage appears to be under attack. This article reviews the Great Depression and discusses how something like an FDIC, with rules setting aside a percentage of capital, may stabilize these “currencies.” It considers bank runs during the Depression and how they might be analogous to what is happening now in cryptocurrency markets. It also discusses how deposit insurance, as it did for banks, might provide confidence and stability in this market. The twist is that the article proposes insurance that is, in effect, voluntary. The FDIC is a U.S. federal organization. It relies on many laws and regulations. No unregulated entity (with very narrow exceptions) can both make loans and hold deposits. The FDIC relies on the full faith and credit of the U.S. dollar. It relies on the fact that failure of any one bank is not likely to bankrupt the system. Cryptocurrencies have none of that. This would be a voluntary effort. If it was not coordinated among several currencies, a consumer would be responsible to assess that risk, including how much the so-called “insurance” ameliorated that risk. Could this be done by a joint effort of major national economies (such as the World Economic Forum or a combination of APEC, the EU, and Great Britain)? Maybe, but then that organization would pick the winners or losers in cryptocurrency, based on who gets insurance. That sort of defeats the purpose of cryptocurrency, to some extent. International insurance may be where all this goes, but we may need more pain before a cure develops, assuming that one is even needed. --- Hugh B. Wellons

West Virginia AG Raises Alarm Over Recent Unsolicited Text Messages

“‘Don’t fall for it,’ Patrick Morrisey said of these deceptive ‘smishing’ scams targeting consumers ahead of the holiday season.”

Why this is important: Smishing is a text version of a phishing scam that encourages the recipient to provide sensitive personal data, like credit card information. West Virginia’s AG is warning residents that a new smishing campaign is appearing in which the sender of the text claims to be a representative of the U.S. Postal Service and states that she or he needs the recipient’s credit card information to pay a $3 redelivery fee in order to receive a package. West Virginia’s AG has been active in the past in warning residents about current email, phone, and text threats. Responding to unsolicited phishing attacks continues to be a leading way in which threat actors compromise sensitive data of individuals and companies, which, depending on the type of compromised data, could lead to identity theft, unauthorized charges, or a data breach. --- Nicholas P. Mooney II

How Technology is Changing the Debt Collection Market

“The $18.8 billion debt collection industry in the US is one of the less digitized sectors within financial services.”

Why this is important: This article discusses the ways in which accounts, or debts, are collected. It argues that aging technology and legacy servicing (collection) infrastructure restrict a lender’s ability to leverage automation and technology. Without this automation and technology, a lender’s ability to collect is diminished, forcing it to sell debts to third parties who are optimized for collection. This hurts the lender as it receives pennies on the dollar when selling accounts. Also, it potentially causes the lender to lose its relationship with its borrower. The article argues that leveraging technology to be more transparent and engage in cross-channel communications with borrowers will boost a lender’s ability to collect and allow it to keep its relationship with its borrowers. The article also rightly mentions the provisions in Regulation F that will permit collection through text messages and other channels, while allowing borrowers to choose the channel on which they want to be contacted. Modern servicing platforms allow borrowers to retain flexibility over their debts by allowing them to change due dates, create payment plans, reverse payments, and more. At bottom, this article sounds like it’s arguing that collection systems should operate like it’s 2022, not 1952. That’s good advice and, while remaining conscious of legal restrictions like those in Regulation F and elsewhere, lenders, servicers, and others engaged in collection should look for ways to incorporate technology into their servicing and connect with borrowers in ways that resemble how people communicate in 2022. --- Nicholas P. Mooney II

This is an attorney advertisement. Your receipt and/or use of this material does not constitute or create an attorney-client relationship between you and Spilman Thomas & Battle, PLLC or any attorney associated with the firm. This e-mail publication is distributed with the understanding that the author, publisher and distributor are not rendering legal or other professional advice on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use.

Responsible Attorney: Michael J. Basile, 800-967-8251