Welcome to the 10th and last edition of Decoded for 2023 – our e-newsletter focused on technology law insights.  

Spilman is excited to announce its partnership with Paul Kriebel and his team at CR Advisory to provide comprehensive cybersecurity planning and response to our clients. CR Advisory is a Pittsburgh-based company that is on the cutting edge of the cybersecurity industry. They have assisted companies in a wide variety of industries, including the financial, healthcare, energy, and gaming industries, to develop comprehensive cybersecurity protocols and effective responses to cyberattacks.     

CR Advisory's team has extensive experience in the cybersecurity industry. They are helmed by Paul Kriebel, who holds CISSP and CISM certifications, and is accredited and deeply knowledgeable in various cybersecurity standards and practices, including NIST SP 800-171, 800-53, and the NIST Cybersecurity Framework. Paul’s journey in cybersecurity began with a pivotal role at the U.S. Department of State, where he was instrumental in developing a robust Security Architecture. This early experience laid the foundation for his extensive understanding of high-stakes security environments and the complexities of safeguarding sensitive government data. Paul then transitioned to the private sector and used the expertise he developed working for the State Department to assist foundations and high-net-worth individuals develop comprehensive Risk Management and Third-Party Risk Management programs. Paul also has experience as a Chief Information Security Officer (CISO) at a healthcare provider where he established a formal cybersecurity program and achieved the coveted HITRUST certification. Through these experiences, Paul has developed a unique methodology for assessing program readiness in preparation for the Cybersecurity Maturity Model Certification (CMMC), which incorporates a holistic approach towards addressing cybersecurity challenges. 

Paul’s team at CR Advisory, which includes Dan Gribble and Max Maszle, is equally accomplished. Dan has broad cybersecurity knowledge through his time with IBM, Avnet, and Tech Data. Through his experience at these leading companies, and his time with CR Advisory, the strategic insights in market analysis, competitive analysis, and product marketing he has developed have consistently steered organizations toward technological innovation in cybersecurity. Dan’s contributions have been pivotal in shaping the next generation of cyber-resilient solutions and strategies. Max has a degree from Pennsylvania State University in Management information Systems. Max spent more than eight years in software product and project management at PNC Financial Services where he helped deliver technology and process solutions to stakeholders in the Corporate and Institutional Banking organization. At CR Advisory, Max performs consulting and technology transformation services.

Spilman is partnering with CR Advisory to assist clients with the legal aspects of cybersecurity planning and response, along with ensuring statutory and regulatory compliance. CR Advisory and Spilman are available to assist small businesses and large corporations alike with their cybersecurity needs. CR Advisory offers a complimentary cybersecurity consultation to evaluate your organization’s unique cybersecurity posture, and to identify potential weaknesses in your organization’s cybersecurity preparedness. In the unfortunate event that your organization suffers a cyberattack, CR Advisory and Spilman can assist with a comprehensive and effective response. If your organization needs assistance in cybersecurity planning or response, please contact a member of Spilman’s Cybersecurity & Data Protection Practice Group.

We hope you find this holiday season restful and 2024 prosperous!

Thank you for reading.

Nicholas P. Mooney II, Co-Editor of Decoded, Chair of Spilman's Technology Practice Group, and Co-Chair of the Cybersecurity & Data Protection Practice Group

and

Alexander L. Turner, Co-Editor of Decoded and Co-Chair of the Cybersecurity & Data Protection Practice Group

By Alexander L. Turner and Malcolm E. Lewis

As a follow-up to our previous article and webinar, “Are Automakers Making Sufficient Efforts to Protect Customer Data?", we are addressing the recent 9th Circuit decision in Jones v. Ford Motor Co. At issue in this matter was whether Ford Motor Co. (“Ford”) violated the Washington Privacy Act (“WPA”) Wash. Rev. Code 9.73.060. Plaintiff Jones owns a Ford automobile that has an integrated infotainment system. Plaintiff Jones exchanged private text messages with Plaintiff McKee before connecting his phone to the Ford infotainment system. Plaintiffs claimed Ford's integrated infotainment system installed on Plaintiff Jones’ Ford automobile unlawfully and without his consent downloaded, copied, and stored call logs and text messages made before Plaintiff Jones connected his cellphone to the infotainment system. Moreover, while the text messages can be deleted from the plaintiffs’ phones, they remain permanently stored on the Ford infotainment system after Plaintiff Jones’ phone is disconnected from the vehicle, and Plaintiff Jones is unable to access or delete personal information once it has been stored.  

The plaintiffs’ claims were not that Ford was accessing their personal data, but that third parties could hypothetically have access to that data contained within the Ford infotainment system without the plaintiffs’ consent. 

Click here to read the entire article.

“After a year marked by scandal, crypto's undeterred optimists insist that things are looking up.”

Why this is important: Cryptocurrency is not going away. After the recent scandalous convictions of crypto-leaders and a regulatory crackdown, many coins are on a bullish run. Why? Politically, cryptocurrency is not slotted to be a leading campaign talking point. Neither major candidate has taken the charge on putting cryptocurrency regulation at the forefront. Administratively, the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) are contending for regulatory control over the industry. The CFTC has an edge, as a bipartisan bill in the Senate calls for cryptocurrencies to be classified as commodities like grain and cattle. Notwithstanding the regulatory overhaul, little has actually stunted the pace of growth in the industry, save for investor skepticism.

Overall, interest in cryptocurrency development and integration is still on the rise. Several video game companies worldwide have initiated or are developing a means of crypto-integration in their platforms. Investments continue to pour in from venture capitalists who remain optimistic about the future of the versatile currency. 

Whoever is at the helm, 2024 will usher in greater regulatory oversight for the cryptocurrency space. Instances of theft or fraud remain constant risks. However, the integration and flexibility of cryptocurrency, as opposed to other fintech investments, such as NFTs, will continue to support the unyielding optimism and investment of some in the space. --- Sophia L. Hines

New CRISPR Diagnostic Player VedaBio Emerges with $40M Start

“VedaBio has emerged from stealth to pitch a CRISPR platform that has the ability to detect an array of chosen molecules at once without sacrificing accuracy, while keeping the sample at room temperature and completing its task in less than a minute.”

Why this is important: CRISPR has been a frequent topic in this publication, and now it appears to be close to realizing its potential. VedaBio has developed a process that allows CRISPR to chew gum, walk, play the cello, paint a masterpiece, and do linear analysis all at the same time, metaphorically. This company claims (and seems to back up) that, using multiple CAS enzymes, it can identify multiple enzymes at one time, quickly, while leaving the test at room temperature, presumably ready to replicate. This may become a basis for much more sophisticated gene alteration and also may aid true personalized medical care. If all real – we can’t forget Theranos – this is exciting, a true break-through in medicine. We’ll see. --- Hugh B. Wellons

By Kevin L. Carr

Managing a remote cybersecurity team at colleges and universities involves addressing a unique set of challenges to ensure the security of sensitive data and infrastructure. An additional overlay of potential concerns arise because of the nature of the data to which these employees are exposed. Some strategies help institutions manage issues associated with a remote cybersecurity team.

Click here to read the entire article.

By Lisa M. Hawrot

Schools across the country use myriad surveillance technologies, including school communications monitoring, online monitoring, web filtering, weapon detection systems, and remote video monitoring. According to a survey by the American Civil Liberties Union highlighted in a K-12 Dive article, 87 percent of 14 to 18-year-olds are aware of technologies used by their schools. The question is whether these technologies actually improve school safety or undermine a parent’s trust in the school and its teachers.

Click here to read the entire article.

“As a CEO, it’s never been more important to lead with a security-first mindset, regardless of your technological experience or knowledge of cybersecurity.”

Why this is important: We have discussed in previous issues of Decoded that to be effective in thwarting a cyberattack, cybersecurity has to be an integral part of an organization’s culture. An organization’s culture of cybersecurity must be one that is organically developed from the top down. When leadership demonstrates genuine interest in cybersecurity, it encourages employees to notify managers of areas of risk and possible data breaches. This top-down culture also results in leadership approving necessary funding for cybersecurity and training to avoid a data breach. By developing a cybersecurity-focused culture in your organization, you can hopefully avoid being one of the 90 percent of organizations that experienced at least one identity-related data breach, of which 68 percent had a direct business impact, in the last year.

However, as cybersecurity tools and training improve, so do cybercriminals. Consequently, cyberattacks have moved from a threat to an inevitability. Cybersecurity requires constant vigilance, including taking the following steps:

• Organizational leadership must know what data your organization is holding by conducting at least an annual data security audit. This includes both customer and the organization’s own data. Then investigate both external and internal threats from that data. This data audit will allow you to know what data is integral to your organization’s operations, and which data can be safely discarded. It also allows you to limit who has access to the remaining data. Not everyone within the organization has to have access to all the data. Identify what data is necessary for each level or department, and limit everyone else’s access to that data.
• An organization needs to invest in cybersecurity specialists to implement a robust cybersecurity program. While leadership at an organization is anticipated to be experts in accomplishing the organization’s mission, they are likely not as well versed in cybersecurity. That is when it is advisable to retain cybersecurity experts to help your organization institute a comprehensive cybersecurity plan.  
• Protecting the organization’s data first helps protect your customer’s data. This includes having the right tools to monitor and protect the organization’s network from attack. If you have the right tools in place to protect the organization’s data, those same tools should be used to protect customer data. Moreover, understanding how your organization uses its own data will help your organization know how it uses its customers’ data.
• Having strong cybersecurity in place will do your organization no good if you do not have your employees properly trained on it. Cybersecurity training is not a one-and-done proposition, but should be continual and evolve as threats evolve. While the organization’s employees are the most likely vector of attack, be it from a lack of training or sophisticated social engineering by a bad actor, they are not the enemy. The training provided to employees should be proactive in order to empower them to recognize and thwart attacks, and not as a punishment. All the investment in cybersecurity is a waste if the organization’s employees do not receive regular cybersecurity training.
• An organization’s leadership has a duty to be educated on the ever-evolving risks their organization faces. Implement a cybersecurity planning group that includes a representative from all your organization’s departments, internal IT, legal representation, and cybersecurity consultants. Have regular meetings that address evolving risks and how the organization should address those threats. Have a plan in place if your organization has a data breach so you can effectively respond to minimize the damage. As the organization’s leadership, you need to educate yourself about effective cybersecurity so you can make educated decisions when the time arises.

Taking these steps, and being proactive about cybersecurity, also will aid in the defense against a civil lawsuit if there is a data breach. Generally, to be successful in the defense against a lawsuit involving a data breach does not require your organization to have instituted perfect cybersecurity. Your organization need only have implemented reasonable cybersecurity measures that comply with state, federal, and industry requirements, and are proportional to your organization’s size and yearly revenue. Additionally, as a member of your organization’s leadership, strong cybersecurity protects you from possible personal liability in the event of a data breach. Plaintiffs bring suits on behalf of company stockholders alleging the damages associated with a data breach are a result of corporate officers and board members failing to satisfy their fiduciary duties to the company to protect it against cyberattacks. That is why it is so important for an organization’s leadership to not only implement strong cybersecurity, but to foster a strong culture of cybersecurity. This culture will not only encourage employees to identify cybersecurity risks to leadership, but also for leadership to take proactive steps to address those risks, thereby protecting the organization and themselves from future liability. If your organization would like help implementing a strong cybersecurity program, please contact a member of Spilman’s Technology Practice Group. --- Alexander L. Turner

“For the first time, researchers are testing an approach that involves replacing a mutated gene in the inner ears of children with severe hearing loss.”

Why this is important: One of my daughters was born totally deaf in one ear; the nerves in that ear do not connect. She also has perfect pitch in the other ear and a full three-octave singing range with the ability to do anything from opera to bluegrass. But, she always has been envious of those who can hear in stereo. These trials attack a different, genetic, cause for hearing loss, but you can see why it caught my attention. Genetic treatments have come a long way since University of Pennsylvania’s tragic genetic tests in 1999. Besides killing at least one person, the tests' results, and later results elsewhere, created questions about how long genetic treatments would last. Patients seemed prone to reverting back to the original genes over a short time. This treatment seems to have some “legs,” but the trial may demonstrate how effective it is over time. --- Hugh B. Wellons

By Malcolm E. Lewis

As highlighted in previous editions, the education sector is one of the most targeted parts of the United States economy for cyberattacks and ransomware attacks, outpacing health care, technology, financial services, and manufacturing. With financial viability already being a huge challenge for many colleges and universities nationally, one component that should not be overlooked in a higher education institution’s operating expense budget is cyber resilience.

Click here to read the entire article.

“Details of the attack have not been published but the company informed customers of its Nissan Oceania division of a potential data breach, warning them that there is a risk of scams in the upcoming days.”

Why this is important: In the last edition of Decoded, Malcolm Lewis and I discussed the sorry state of the implementation of cybersecurity by the auto industry, and how your organization can avoid a similar fate. Nissan is currently experiencing the consequences of its poor cybersecurity. It is currently investigating a cyberattack in Australia and New Zealand that may have resulted in customers’ personal data being exposed to scammers. Nissan’s announcement of the possible breach of customer data lacks transparency. It fails to state affirmatively whether customer data has been breached or not, what customer data was allegedly breached, or what Nissan is doing to prevent this type of breach in the future. All Nissan is telling its customers in Australia and New Zealand is that they should be vigilant in case they are targeted by scammers as a result of the breach. Nissan’s lack of transparency does not instill trust or reassure its customers. As embarrassing as a data breach is for your organization, an effective and transparent response is the first step to rebuilding your customers’ trust. If your organization has been the victim of a cyberattack, and you need assistance in formulating an effective data breach response, please contact a member of Spilman’s Technology Practice Group for help. --- Alexander L. Turner

“Going small promises big gains in diagnosing and tracking a wide range of tumors.”

Why this is important: New attempts are using nanotechnology to find, diagnose, and possibly treat cancer. Blood and other bodily fluids often can show traces of cancer more effectively and more cheaply than we can do today. This article explains how researchers are using various methods, including nanotechnology, to find and identify traces of cancers using relatively nonintrusive procedures. I found this article fascinating. Imagine that every X years, you simply have your doctor withdraw a vial or two of blood, a cheek swab, etc., and you find out very early if your body is reacting to most known cancers, and exactly what that cancer is. That’s almost Star Trek medicine! This may be possible in a few years for many cancers. --- Hugh B. Wellons