Volume 4, Issue 3, 2023

Welcome

Welcome to the third issue of Decoded for 2023.


We are sponsoring and participating in three upcoming conferences that you may find interesting. 


On May 1-2, the West Virginia Manufacturers Association is holding its WV Manufacturing Energy and Growth Summit. This regional, annual event brings together manufacturing and energy leaders, state and local officials, economic development professionals, and friends of industry and energy from West Virginia, Ohio, and Pennsylvania. Summit attendees will explore the broader intersections of manufacturing and energy from power generation to downstream manufacturing development through feedstocks by created oil & natural gas and rare earth extraction. Click here to learn more and register.


On May 3-5, DRI is hosting their 2023 Employment and Labor Law Seminar. Considered to be one of the nation’s best employment law seminars, it brings together leading management-side employment and labor attorneys, in-house counsel, human resources professionals, and EPLI representatives from throughout the U.S. and Canada. Always intensely practical and accompanied by helpful written materials, this seminar is indispensable for experienced practitioners as well as those who are just getting started in labor and employment law. Click here to learn more and register.


On May 15, DRI is hosting their 2023 Wind Energy Litigation Seminar. At this seminar, attendees will gain an in-depth understanding about the onshore and offshore wind sector from experienced attorneys and directly from the industry itself. Click here to learn more and register.


We hope you enjoy this issue and, as always, thank you for reading.



Nicholas P. Mooney II, Co-Editor of Decoded, Chair of Spilman's Technology Practice Group, and Co-Chair of the Cybersecurity & Data Protection Practice Group


and


Alexander L. Turner, Co-Editor of Decoded and Co-Chair of the Cybersecurity & Data Protection Practice Group

Amazon Sued for Not Telling New York Store Customers about Tracking Biometrics

“Thanks to a 2021 law, New York is the only major American city to require businesses to post signs letting customers know they’re tracking biometric information.”


Why this is important: Biometric identifiers are unique to every individual. They include your fingerprints, facial structure, and even how you walk. In recent editions of Decoded, we have discussed in depth the Illinois Biometric Information Protection Act (“BIPA”), and the biometric protection bills currently working their ways through the legislatures in Maryland and Mississippi. We now turn to two unique biometric laws that were passed by the New York City Council in 2021 that regulate the collection of customers and renters’ biometric data in NYC.  


NYC’s Biometric Identifier Information Law (“BII”), NYC Admin. Code §§ 22-1201 – 1205, regulates businesses' collection and processing of “biometric identifier information,” which is defined as a “physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual.” It bars the use of biometric data for transactional purposes to sell, trade, or otherwise profit from the transaction of biometric information. Businesses that utilize biometric information are required to notify patrons of the business’ collection of biometric data by posting formal notices near all physical entrances to the business. BII defines biometric identifier information as a physiological or biological characteristic that is used to identify an individual, "including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic." This would include facial recognition systems used by in-store security. The regulation covers "commercial establishments," which include places of entertainment, retail stores, restaurants, and bars. A customer is defined as "a purchaser or lessee, of goods or services from a commercial establishment." Therefore, unlike the BIPA, the BII does not apply to the collection of employees’ biometric data. However, it does prohibit the sale of both customers' and employees’ biometric data. The BII provides for a private right of action. The BII also provides for statutory damages of $500 to $5,000 per violation, plus attorney’s fees, expert fees, and costs. A business can avoid a suit by providing an express written statement within 30 days of a complaint that the violation has been remedied.


NYC’s Tenant Data Privacy Act (“TDPA”), NYC Admin. Code §§ 26-3001 – 3007, prohibits landlords from selling, leasing or otherwise disclosing tenants’ data, including biometric data, collected by smart access systems. This includes smart access systems that provide access to buildings, common areas, or individual apartments. A smart access building is defined as one that uses a keyless entry system, including electronic or computerized technology through the use of key fob, RFID cards, mobile apps, biometric information, or other digital technology to grant access to a building or a part of a building. This includes buildings that provide access through facial recognition, fingerprint, or hand scan systems. The TDPA provides an aggrieved tenant with a private right of action. The TDPA allows for the recovery of statutory damages of $200 to $1,000 per tenant, in addition to the recovery of attorney’s fees.


Recently, a class action lawsuit was filed against Amazon related to alleged violations of the BII due Amazon’s collection of customer palm prints at its Amazon Go stores in NYC. The Amazon Go stores do not have a traditional check-out when a customer purchases items, and instead tracks customers and their purchases as they move through the store, and charges their Amazon accounts when they leave the store. The putative class alleges that Amazon violated the BII because it only recently began posting signs informing their NYC customers that it was using biometric recognition technology despite the fact that the BII has been in effect for over a year. The complaint alleges that in order to make the no check-out process work in their stores that Amazon has to track customers in the store, including scanning the palms of some customers. Amazon states that it does not utilize biometric surveillance to monitor shoppers, but instead other technology to monitor shoppers that does not constitute biometric technology. Amazon states that purchasing via palm scan is only one of various ways customers can complete their purchases, and that all of the privacy disclosure information is provided at the time of enrollment. Because of the lack of a federal data privacy law, states, and even local jurisdictions are beginning to pass their own data privacy laws, like the BII. If you need help navigating the different data privacy laws in the jurisdictions in which you do business, please contact a member of Spilman’s Technology Practice Group. --- Alexander L. Turner

Virginia Judge Rules Human Embryos are ‘Chattel’ Based on Centuries-Old Slave Laws

“The preliminary opinion by Fairfax County Circuit Court Judge Richard Gardiner – delivered in a long-running dispute between a divorced husband and wife – is being criticized by some for wrongly and unnecessarily delving into a time in Virginia history when it was legally permissible to own human beings.”


Why this is important: Procedural context is critical to understanding the decision of the Virginia Court on this issue. In Virginia, a “demurrer” is a preliminary motion to dismiss a case at an early stage. That is the procedural status of this particular case.


This case asks what happens when a couple cannot reach an agreement about what to do with cryopreserved human embryos when a couple goes through divorce. At the time the embryos were initially preserved, the couple agreed to “joint ownership” of the embryos. When they separated in 2018, they entered into a Property Settlement Agreement that acknowledged the joint ownership, and that they would preserve the status quo until further agreement or a court order decided what to do. There are two remaining embryos in cryogenic storage. One spouse wants to attempt to use them to conceive. The other has refused to allow them to be used.  


The court initially dismissed the ex-wife’s complaint requesting that the court decide who owns the embryos. Upon a motion to reconsider that decision, the court issued the current order that is seeing some backlash in its references to old laws.  


From a procedural context, the court is effectively stating that the case should go forward and the issues be decided on the merits.  


Historically, these issues have been resolved through mutual agreement or equitable distribution proceedings. This case asks the court to divide or partition ownership of the embryos. This is a complicated ethical issue, to be sure, but it is one that will likely become more common in the near future. --- Brian H. Richardson

Most Mid-Sized Businesses Lack Cybersecurity Experts, Incident Response Plans

“99% of all businesses across the United States and Canada are mid-sized businesses facing cybersecurity challenges, according to a Huntress report.”


Why this is important: This article reports on a recent survey with some alarming statistics regarding business cybersecurity protection. Nearly 99 percent of all businesses in the U.S. and Canada are characterized as mid-sized businesses, and nearly 61 percent of them do not have a dedicated cybersecurity expert on staff. In the past 12 months, almost 25 percent of those businesses have been the victim of a cyberattack. As a result, nearly half of them plan to increase their cybersecurity budget in 2023. These percentages mean that an overwhelming number of small businesses in the U.S. and Canada recently have suffered a cyberattack, know they are vulnerable, and do not have a cybersecurity expert on staff, likely due to budget constraints. Moreover, the survey revealed that almost half of those businesses do not have an incident response plan in place in the event of a cyberattack. That means they do not have a formalized plan in place with an order of operations for fighting off an attack and people tasked with responsibilities to implement the plan. If one of these businesses suffers a cyberattack, it will lose precious time in trying to come up with a plan to respond on the fly while a threat actor has access to its systems and data. The survey also reported on another consequence of not having response plans in place: more than one-quarter of the companies do not have any cyber insurance coverage. Many times this coverage is unavailable to companies if they aren’t performing basic cyber hygiene measures. At bottom, the survey paints a troubling picture. These companies (which make up a large percentage of the companies in the U.S. and Canada) lack a dedicated cybersecurity expert on staff, already may have suffered an attack, know they are vulnerable to another one in the future, and if they suffer one in the future, the costs merely to respond to the attack could ruin them. --- Nicholas P. Mooney II

Email Security Nightmare as 75% Of CISOs Expect a Severe Email-Borne Attack in the Next 12 Months

“According to the study, email usage increased annually, with 82% of organizations reporting increased utilization in the last twelve months.”


Why this is important: The majority of Chief Information Security Officers (“CISO”) project that email-borne cyberattacks will significantly impact businesses this year. As email usage increases, so does the risk of an email cyberattack. Over 80 percent of IT security leaders have seen an increase in phishing, ransomware, and spoofing attacks. While phishing and ransomware attacks are commonly known, spoofing attacks are on the rise because they are a new vector of attack. Email spoofing is when spam or phishing attacks are utilized to trick users into thinking a message came from a person or entity they either know or can trust. In spoofing attacks, the sender forges email headers so that client software displays the fraudulent sender address, which most users take at face value. Spoofing attacks are so widespread because only 29 percent of organizations are prepared to address the illegal use of their domains.  


As we have discussed in previous Decoded articles, a company’s employees are often a weak link in the cybersecurity chain. This is especially true now that remote work has become more mainstream. Many IT security leaders are concerned that workplace collaboration tools like Microsoft Teams, Google Workspace, and Slack are likely avenues of attack. To combat the risk of employees causing a cybersecurity breach, there must be an investment in training and reinforcement of cybersecurity policies and procedures throughout a business’ workforce. This requires the commitment of company leadership, especially those in the C-Suite. However, even though C-Suite executives have become more aware of these ever-increasing cybersecurity risks, many remain reluctant to provide sufficient time and money to address this emerging problem. Coordination between CISOs and C-suite executives to thwart these cyberattacks is imperative.


Recently, we have seen companies experience bad actors squatting on business email accounts waiting to redirect wire transfers or direct deposits. The bad actors will use a spoofing attack to trick an employee into providing them with information that allows the bad actors to have administrative access to the company’s email system. With this administrative access, the bad actors will have emails redirected to them and they will wait for information related to a wire transfer or direct deposit to be emailed. The bad actor will then hijack that payment by emailing the sender with new wiring information from a legitimate account at the company, erase the email from the legitimate account holder’s outbox, and have the payment directed to a different account. Only later, when the business sees that payment for services have not been received, or an employee sees that a paycheck has not been deposited is the breach discovered. However, by that time, it is too late, and the bad actors are already gone with the funds. A robust training and updating of policies and procedures are needed to combat this type of attack. If you would like a review of your policies and procedures, or if you need training for your workforce in cybersecurity, please contact a member of Spilman’s Cybersecurity Practice Group. --- Alexander L. Turner

It’s Official: No More Crispr Babies—for Now

“In the face of safety risks, experts have tightened the reins on heritable genome editing—but haven’t ruled out using it someday.”


Why this is important: The Organizing Committee of the Third International Summit on Human Genome Editing issued a statement closing its summit declaring that heritable human genome editing remains an unacceptable scientific practice at this time. The committee finds that the safety and efficacy of such editing has not been established and that broader societal and policy questions remain. Experts have noted that the statement is clear in its position that debate on whether human heritable gene editing should occur at all is currently wide open.


While newsworthy, the statement’s release is less controversial than the last summit, during which Chinese scientist He Jiankui told attendees that he used CRISPR, the common and accessible gene editing technology, on human embryos that resulted in three gene edited human babies being born. These actions were immediately condemned by the committee and resulted in new rules being passed in China to heighten ethics reviews for human subject research.


For now, the committee and most experts in the field agree that heritable human gene editing is not yet safe and can have disastrous unintended consequences. One common errant result cited is mosaicism, where the results of the editing vary from cell to cell. Another potential downfall is an embryo’s inability to repair breaks in DNA that occur during editing, which could result in permanent health issues.


It is yet to be known how and when scientists may proceed with this type of research and what it will ultimately lead to in society. While the potential therapeutic uses of CRISPR in this capacity are enormous, the risk of failure and societal upheaval remains in the balance. --- Shane P. Riley

The Cloud Backlash has Begun: Why Big Data is Pulling Compute Back on Premises

“However, cloud-first strategies may be hitting the limits of their efficacy, and in many cases, ROIs are diminishing, triggering a major cloud backlash.”


Why this is important: Cloud computing may seem like an industry standard, but this short article reports on a growing trend of companies migrating away from the cloud and bringing workloads back on-site. The reason is skyrocketing costs that result from an explosion in the sheer volume of workloads that have been moved to the cloud over the last decade. In the end, this article proves that no one solution works for every business, and businesses need to consider whether cloud-based solutions or on-site solutions work best for their operations. --- Nicholas P. Mooney II

Revolutionizing Biotechnology: Scientists Create Supercharged Bacteria with Immunity to Viral Infections

“Currently, viruses that infect vats of bacteria can halt production, compromise drug safety, and cost millions of dollars.”


Why this is important: This newly developed biotechnology relies on modifications to the bacterial tRNA processes that code for leucine and serine amino acids. By implementing modifications, the tRNA replication by viruses can be interrupted, preventing the virus from effectively replicating to other cells. The ongoing work uses both laboratory testing and computer modeling techniques to test the virus-resistance of the bacteria. The project presents what is believed to be a first-of-its-kind mechanism for preventing genetically modified material from horizontally transferring into natural cells. The researchers also assert that there is little risk of a “superbacteria” infection from their work, because their cells are made to be dependent on a synthetic amino acid that does not exist outside the laboratory environment. It is believed that the evolutionary requirements necessary would be far too great a leap for a natural cell or organism to be infected by these bacteria (or conversely for a virus to be effective against these bacteria cells). --- Brian H. Richardson

How NFTs can Protect Creators and Fortify Their Legal Rights

“Relying on government laws on copyright will not be enough to ensure that value doesn’t get lost along the way.”


Why this is important: This article provides thoughtful points about the benefits of NFTs. So much has been written about them in the past couple years. They’re a scam, a fad, overpriced, overhyped. They’ve risen in price. They’ve fallen. They’re a legitimate tool. They’re a way for artists to retain control, a way for fans to connect with their favorite artists. This article looks at the five areas in intellectual property in which NFTs hold promise. First, in the area of provenance, NFTs allow for a digital record of ownership so that the original is easily verified and intellectual property theft is prevented. Second, in the area of immutability, NFTs are stored on a blockchain, which is a tamper-proof record of authenticity. Third, in the area of traceability, the use of blockchains to store NFTs allows creators to track ownership and transfers. Fourth, in the area of monetization, the use of blockchains to store NFTs provides creators with a wide variety of options to monetize their works in new ways, such as through royalties, subscriptions, and membership models. Fifth, in the area of accessibility, NFTs can be bought, sold, and traded globally, which allows everyone worldwide the opportunity to participate. These attributes buttress the protections given by existing copyright laws to creators. In an age when over 5.2 billion people are online, the way we think about intellectual property rights is changing and, while the laws are changing too, the article argues that the use of NFTs is one way that creators can protect their work. --- Nicholas P. Mooney II

HSCC Publishes Guidance on Managing Legacy Medical Tech Security

“The guidance positions medical technology security as a shared responsibility, encouraging medical device manufacturers and healthcare organizations to work together to reduce risks associated with legacy tech.”


Why this is important: Legacy medical device technology continues to be an ongoing (and growing) risk and threat to public safety. Even the FBI is taking note, and noted an uptick in security risks associated with medical devices in a September 2022 report. This guidance from the Healthcare and Public Health Sector Coordinating Council follows on a similar line of guidance with its four-pillar approach: governance, communications, cyber risk management, and future proofing. This group highlights that collaboration between medical device manufacturers and healthcare providers is the best way to promote public safety. Achieving that goal will require that both groups take on (or be assigned) joint responsibility for addressing cyber security risks in legacy devices. --- Brian H. Richardson

This Insertable 3D Printer will Repair Tissue Damage from the Inside

“It can also make incisions and clean up with water jets.”


Why this is important: A new, minimally invasive 3D bioprinting tool has been developed by Australian researchers at the University of New South Wales in Sydney. The tool is endoscopic and flexible, allowing it to be inserted into a patient and guided to the target area where a surgeon can use its multipurpose nozzle as both an electric scalpel and a bioprinter. The aim is to create an all-in-one tool that will allow surgeons to cut, clean, and repair tissue without the need to use and insert multiple scopes. The applications and advantages of this new innovation are clear and likely to be widely adopted once available. For now, the researchers are in lab stages and hoping to move to animal studies soon. Human studies and commercial application could be only five to seven years away. Combined with other research in the 3D bioprinting space, including 3D printed tissues and organs for transplant, this tool is adding to the now common notion that 3D printing and artificial tissues are the inevitable future of medicine. --- Shane P. Riley

SEC Proposes Cybersecurity Disclosure Rules for Financial Industry Specialists

“The providers would be required to conduct annual reviews of the effectiveness of the policies and make disclosures to the SEC about significant cybersecurity incidents.”


Why this is important: On March 15, 2023, the Securities and Exchange Commission issued proposed rules to bolster the ability of broker-dealers, clearing agencies, and other financial services providers to repel cyberattacks. The proposed rules would require these financial institutions to annually review the effectiveness of their cybersecurity policies and procedures. In the event of a significant data breach, these financial institutions would be required to not only inform the SEC, but also disclose the incident to investors. Additionally, financial institutions will be required to disclose cybersecurity risks to investors as well. The purpose of the new rule making is an attempt by the SEC to bolster the industry’s cybersecurity preparedness in light of the increase in ransomware and software supply chain attacks. This is necessary because of the increasing interconnectivity of the financial industry and reliance on technology to conduct business. However, not everyone at the SEC agreed with the need to issue these new rules. While everyone agreed that robust cybersecurity is important, some, like Commissioner Hester Pierce, believe that the proposed changes constitute an overreach. A 60-day public comment period will open after the regulations are published. Additionally, the SEC has reopened the public comments for cybersecurity risk and disclosure changes involving investment advisors and business development firms. --- Alexander L. Turner

Technology and Law: Why CTOs Should be Concerned with Both

“These days, there are legal implications for a CTO that affect everything from the codebase you use to how you store data to how you contact your customers to how you display information... the list goes on and on.”


Why this is important: Addressing security risks is frequently a balancing act for a CTO between what is “reasonable” and what is “practical” for their organization. While lawmakers and regulatory agencies are often trying their best to adopt policies that can work in the “real world,” it is left to the CTO to pick up the slack and fill in the gaps. Whether addressing issues stemming from data privacy, data sovereignty, or data breach, regional expertise is invaluable in addressing these concerns and mitigating risk. CTOs should take comfort in knowing they’re not alone in navigating and combating risk from an ever-moving target, but should turn to regional experts to develop strategy and policy that can move their organizations forward with success. --- Brian H. Richardson

LinkedIn Share This Email
This is an attorney advertisement. Your receipt and/or use of this material does not constitute or create an attorney-client relationship between you and Spilman Thomas & Battle, PLLC or any attorney associated with the firm. This e-mail publication is distributed with the understanding that the author, publisher and distributor are not rendering legal or other professional advice on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use.

Responsible Attorney: Michael J. Basile, 800-967-8251