Listen to this post

In the middle of the 20th century, there was a massive expansion of the retail credit market. Everything from boats to sewing machines to kitchen appliances were bought and sold through increasingly complex credit arrangements. These credit arrangements would extinguish a consumer’s rights to dispute any terms of the contract once a loan was assigned, legally binding the consumer to pay the holder of the contract, even if the sale was fraudulent. These “cut off” clauses were considered standard, and consumers had no choice, as it was presented as a “take it or leave it” agreement.

In a recent lecture, the director of the Federal Trade Commission’s Bureau of Consumer Protection compared these credit contracts to the concept of notice and choice in today’s digital world of data collection and privacy concerns. The director characterized notice and choice as “weaponizing fine-print contractual provisions to shift risk and responsibility away from themselves and onto consumers.”

The director’s remarks focused on the commission’s response to these mid-century credit contract provisions by implementing the Holder Rule. This rule reallocated the risk of misconduct by sellers, allowing consumers to assert claims and defenses against any holder of the loan. The result of this rule created incentives for creditors to self-police the retail market, as any subsequent creditor could now be held responsible for the originators bad acts.

The director went on to dispel the notion that this type of model, if applied to privacy concerns, would disrupt business and the digital marketplace by saying:

[D]espite dire warnings from industry, these changes did not make the sky fall or cause the credit market to dry up. Consumer credit continues to be very competitive, and the Holder Rule continues to provide fundamental protections that promote confidence in the lending system.

. . .

As the Holder Rule shows, well-designed government action does not distort the free market – it makes it work better. By properly aligning incentives and allocating legal responsibility, trust grows and firms can compete on value. To be clear, humility is an important virtue for regulators; unintended consequences, regulatory burden, and imperfect information are all ever-present concerns. But there are also risks to inaction, and the consequences of failing to act can leave the public worse off, especially when it allows businesses to shift the cost of misconduct onto consumers. We saw that in credit markets half a century ago, and we see it in our digital economy today.

See Toward a Safer, Freer, and Fairer Digital Economy, How Proactive Consumer Protection Can Make the Internet Less Terrible, Remarks of Samuel Levine, Fourth Annual Reidenberg Lecture, Fordham Law School, April 17, 2024.

The director concluded his remarks by emphasizing that the FTC is currently, and intends to continue to, take bold action and use every tool in its arsenal to protect privacy, combat online dark patterns and manipulation, and safeguard the public from other harms. The closing remarks signaled that the FTC intends to take further action to protect consumers’ privacy rights by moving away from notice and consent and placing the onus on businesses through legal remedies similar to those present in the Holder Rule.

Finally, the director did not say what an application of a Holder Rule analogue in the privacy space would look like in practice. However, this is certainly an area to stay abreast of, as the FTC becomes more active in this space and continues to look for ways to address these issues through its rulemaking authority.

Listen to this post

The healthcare sector is increasingly facing cyber-threats with ransomware and hacking at the forefront. In the last five years, there has been a staggering 256% rise in significant hacking-related breaches and a 264% surge in ransomware incidents reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Hacking alone was responsible for 79% of the major breaches reported to OCR in 2023. These breaches have had a profound impact, affecting over 134 million individuals in 2023 alone, marking a 141% increase from the previous year.  In response to rise in cyber-threats within the healthcare industry covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) should be proactive in aiming to mitigate or prevent the growing menace of cyber-attacks. This article will delve into OCR’s guidance, exploring the practical steps and measures that organizations can implement to bolster their cybersecurity defenses.

Cybersecurity Readiness

Cyberattacks dominated the news in 2023, with hacking and IT breaches impacting government bodies, leading corporations, and critical supply chains, including those for vital resources like gasoline. The healthcare sector faced an especially challenging year, as cybercriminals targeted hospitals and healthcare systems. On February 14, 2024, OCR released two Congressional Reports concerning compliance and enforcement under HIPAA.  These documents offer crucial insights for entities regulated by HIPAA aiming to bolster their compliance strategies.

OCR Director Melanie Fontes Rainer stated: “Our health care systems should take note of these trends and address potential HIPAA compliance issues before they experience a breach or receive notice of an OCR investigation. My staff and I stand ready to continue to work with Congress and the health care industry to drive compliance and protect against security threats.” Notably, as in previous years, hacking/IT incidents remain the largest category of breaches and affected the most individuals. Network servers continued as the largest category by location for breaches involving 500 or more individuals.

The breach reports that OCR received revealed common vulnerabilities and deficiencies. OCR was able to identify several areas of improvement for the sector tied to specific HIPAA Security Rule standards. OCR suggested that covered entities and business associates focus on improving compliance with the security management process standard, the audit controls standard, and response and reporting requirements.

Of note, while certain cyber-attacks leverage sophisticated techniques to exploit undiscovered vulnerabilities (known as zero-day attacks), the majority of cyber incidents according to OCR could be either prevented or significantly lessened if covered entities and business associates adhered to the HIPAA Security Rule. This includes safeguarding against prevalent attack methods such as phishing emails, the exploitation of existing vulnerabilities, and the use of weak authentication measures. In the event of a successful breach, attackers frequently encrypt electronic Protected Health Information (ePHI) for ransom purposes or steal the data for future malicious activities, including identity theft or extortion.

OCR recommends covered entities and business associates take the following best practices to mitigate or prevent cyber-threats:

  • Ensuring all partnerships with vendors and contractors are secured by appropriate business associate agreements that clearly outline responsibilities in case of a breach or security incident.
  • Embedding risk analysis and management into the core business practices, with regular assessments, particularly when adopting new technologies or altering business operations.
  • Establishing robust audit controls to document and scrutinize activity within information systems.
  • Conducting periodic reviews of information system activities to identify and mitigate potential risks.
  • Adopting multi-factor authentication measures to verify that only authorized individuals access protected health information.
  • Securing protected health information through encryption to prevent unauthorized access.
  • Learning from past security incidents to improve the overall security management strategy.
  • Offering targeted training that aligns with organizational and specific job requirements, emphasizing the essential role of all staff in upholding privacy and security standards, and ensuring such training is refreshed regularly.

Cybersecurity in 2024 And Beyond

Also, this month, U.S. Senator Bill Cassidy, M.D. (R-LA), ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, released a report outlining ways to improve privacy protections for Americans’ crucial health data.  This follows Senator Cassidy’s call last year for input from stakeholders on ways to strengthen the privacy protections of health data within the HIPAA framework, as well as to explore privacy measures for emerging health data sources. In the report, Senator Cassidy presents various recommendations to update the HIPAA framework, protect health data not currently covered by HIPAA, and address data that blurs the lines between health and non-health categories.  The report details that while for more than two decades, HIPAA has played a crucial role in safeguarding patient information, it has struggled to stay up-to-date with the rapid advancements in technology and the introduction of innovative tools that have become integral to modern healthcare. Stakeholders highlighted a pressing need for HIPAA to evolve. They argue that updates are essential for ensuring that patient information remains secure in an increasingly digitized healthcare ecosystem. This call for modernization reflects a broader recognition of the challenges and opportunities that lie ahead in protecting patient privacy in the digital age. 

In his report, Senator Cassidy notes that the United States does not have a comprehensive data privacy law and calls on Congress to fill the gap.  Unlike 2022, which saw the American Data Privacy and Protection Act (ADPPA) make notable progress in the House of Representatives, 2023 witnessed a lull in the push for a sweeping federal privacy statute. Nevertheless, 2024 holds the potential for renewed momentum in advancing the ADPPA (or a comparable proposal). President Joe Biden has notably urged Congress to enact bipartisan data privacy laws, reinforcing this call through a recent executive order on sensitive personal data.  Meanwhile, in the absence of any action on a federal privacy law, we anticipate additional states passing comprehensive privacy laws of their own in 2024.

Indeed, comprehensive privacy bills have been passed or nearly passed by legislatures in New Jersey and New Hampshire, thus far in 2024.  Additionally, as of March 31, 2024, Washington’s My Health My Data Act (MHMDA) will go into effect.  MHMDA is a pivotal health privacy legislation that establishes substantial compliance requirements for businesses handling health data not covered by HIPAA or federal part 2 rules. The significance of this legislation is heightened by its provision for a private right of action, where uncertainties within the law are more likely to be leveraged by plaintiffs’ attorneys.

CONCLUSION

The OCR reports are a clear reminder of the need for healthcare organizations to enhance cybersecurity preparedness. As healthcare organizations navigate the complexities of the digital age, the importance of cybersecurity cannot be overstated. By prioritizing preparedness, resilience, and a culture of cybersecurity awareness, healthcare organizations can not only protect themselves against the financial and reputational damage of cyber attacks but also, and most importantly, safeguard the well-being and privacy of the patients they serve. The journey towards comprehensive cybersecurity preparedness is ongoing, requiring vigilance, adaptability, and a unified effort to ensure the health and trust of the global community. Bradley has extensive expertise in guiding clients through mass arbitration claims and stands in a unique position to help businesses tailor dispute resolution clauses that best fit their specific requirements. If you have any inquiries regarding mass arbitration, we encourage you to contact any of the Bradley representatives listed below for further assistance.

Listen to this post

In 2023, the government and whistleblowers were party to 543 settlements and judgments — the highest number in a single year — collecting over $2.68 billion. After announcing its Civil Cyber-Fraud Initiative in October 2021, the Justice Department proved that the initiative is dedicated to using the FCA as a mechanism to hold federal contractors accountable who fail to follow federal cybersecurity requirements. Settlements in 2023 included allegations against companies for their failure to provide secure systems to customers, failure to provide secure hosting of personal information, and failure to properly maintain, patch, and update software systems. The Justice Department has made clear that cybersecurity is one of its key enforcement priorities in 2024 and moving forward, meaning all federal contractors must be particularly mindful of federal cybersecurity requirements. To keep you apprised of the current enforcement trends and the status of the law, Bradley’s Government Enforcement and Investigations Practice Group is pleased to present the False Claims Act: 2023 Year in Review, our 12th annual review of significant FCA cases, developments and trends.

Listen to this post

The frequency of class actions related to data breaches has significantly increased, with no indication that this upward trajectory will plateau. This raises the question: Are there more efficient alternatives to settling these disputes in the public eye of the courts? Moreover, is it possible to mitigate the financial burden associated with these legal battles? The short answer: Incorporating arbitration clauses and class action waivers into terms and conditions presents a viable strategy — if done correctly.

In a recent ruling by the Ninth Circuit, a significant message was sent to businesses about the critical nature of employing clear and effective website terms and conditions incorporating an arbitration clause and class action waiver. The case of Patrick v. Running Warehouse, LLC, — F.4th —- (2024), stemmed from a data breach in October 2021, leading to the alleged exposure of consumers’ personally identifiable information. The consumers’ attempt to bring forward class actions for negligence, breach of contract, and other claims against the retailer was met with a motion to compel arbitration.

The Ninth Circuit found that “Plaintiffs other than Craig Arcilla acknowledged seeing a hyperlink to the websites’ Terms of Use and therefore had inquiry notice of the arbitration provision.With respect to Arcilla, “the panel agreed with the district court’s finding that Defendant Running Warehouse’s website provided sufficient information to put him on inquiry notice. The website provided reasonably conspicuous notice of the Terms, and Arcilla manifested assent to the Terms by clicking the ‘Place Order’ button to complete his purchase.”

The ruling underscores the necessity for businesses to ensure that their terms of service are not only present but also prominently displayed and easily accessible to consumers. In this instance, the court noted that the plaintiffs had acknowledged seeing a hyperlink to the Terms of Service, placing them on “inquiry notice” of the arbitration provision. This concept, supported by prior decisions, suggests that while consumers may choose not to read the terms, the availability of these terms still binds them legally, as they are considered to have been given sufficient notice.

For background, arbitration offers a practical alternative to the costly and time-consuming nature of court litigation. It is favored by many larger entities for its ability to circumvent protracted trial procedures, maintain the privacy of legal disputes, and allow involved parties to have a hand in selecting the arbitrator. Traditionally, the inclusion of class action waivers within arbitration clauses can deter the amalgamation of individual claims into a single, large-scale lawsuit. These advantages, combined with class action waivers, are particularly appealing to businesses aiming to reduce the financial and reputational risks associated with data breach lawsuits, which often involve extensive class sizes and substantial potential for reputational harm. However, recent developments have made arbitration less enticing with respect to the current surge in mass arbitration cases where thousands of identical claims from consumers or employees are filed against companies. This movement is propelled by a savvy group of plaintiff lawyers who are increasing the use of data breach and privacy class numbers to strong-arm settlements as an alternative to incurring single plaintiff arbitration fees for thousands of cases.

As the legal landscape surrounding mass arbitrations evolves, there are proactive measures a company can take to mitigate these risks. However, for these strategies to be effective, they need to be implemented before the company is notified of a mass arbitration. Companies must carefully revise their arbitration agreements to avoid any provisions that could be deemed unconscionable, potentially jeopardizing the entire agreement. Instituting a pre-dispute resolution process with mandatory individualized conferences before arbitration can ensure that only serious claims proceed, potentially decreasing costs. Additionally, requiring claimants to submit individual requests for arbitration with comprehensive details about the claim and a good faith estimate of the dispute amount can help deter baseless claims. Modifying cost-splitting provisions to remove blanket commitments to cover arbitration filing fees and introducing the possibility of fee shifting for frivolous claims can further protect companies. Moreover, adopting a clause for batch arbitration, where similar claims filed simultaneously are consolidated into manageable groups, can streamline the resolution process and benefit both companies and consumers by enabling more efficient adjudication with reduced administrative burdens. These measures, carefully tailored to comply with applicable laws and arbitration rules, can significantly mitigate the risks associated with mass arbitration scenarios.

It’s important to note that not every arbitration clause and class action waiver holds up legally. Errors and oversights can elevate the likelihood of a company having to face a class action lawsuit in court, despite efforts to circumvent such scenarios through waivers. This case is a clear reminder of the need for businesses to use terms and conditions effectively. By ensuring that these legal agreements are clearly communicated and accessible, companies can better protect themselves from legal disputes.

Bradley has extensive expertise in guiding clients through mass arbitration claims and stands in a unique position to help businesses tailor dispute resolution clauses that best fit their specific requirements. If you have any inquiries regarding mass arbitration, we encourage you to contact any of the Bradley representatives listed below for further assistance.

Listen to this post

A recently introduced bill in the Florida Legislature would provide businesses operating in Florida, including health care providers, with a legal defense to data breach lawsuits if they maintain robust cybersecurity measures that meet government- and industry-recognized standards. Specifically, Florida House Bill No. 473 (H.B. 473), known as the Cybersecurity Incident Liability Act, was introduced and reported favorably in the Commerce Committee on Jan. 23, 2024, to provide a much-needed safe harbor from liability for businesses that implement sensible, industry-recognized cybersecurity measures. This act aims to incentivize businesses to achieve a higher level of cybersecurity by maintaining a cybersecurity program that substantially complies with industry-recommended frameworks.

Businesses that achieve substantial compliance with recognized frameworks outlined in H.B. 473 would be entitled to a “legal safe harbor,” which could be used as an affirmative defense against tort claims arising from data breaches linked to alleged failures to adopt reasonable cybersecurity measures.

Alexis Buese, a key member of Bradley’s Class Action Litigation team based in Tampa, played a pivotal role in introducing the bill by providing crucial testimony on behalf of the health care industry in favor of H.B. 473 before the Commerce Committee. Bradley has consistently been at the forefront of advocating for innovative solutions that empower businesses to mitigate unnecessary class action exposure. With H.B. 473, the approach to liability becomes proactive, encouraging businesses to enhance their cybersecurity practices while offering incentives for upscaling their security measures.

Safe Harbor Details

H.B. 473’s “safe harbor” does not grant blanket immunity to a business facing a data breach lawsuit. Rather, it specifically applies only to tort claims, such as negligence, and businesses seeking to utilize the safe harbor must plead it as an affirmative defense in a lawsuit and demonstrate that their cybersecurity program complies with the law’s requirements. Importantly, the safe harbor does not extend to contract-based claims arising from disputes with vendors or customers involving contractual relationships.

It’s important to note that H.B. 473 does not establish a minimum cybersecurity standard that businesses must achieve. Instead, it encourages businesses to adopt and maintain cybersecurity programs in substantial compliance with industry-recognized frameworks without imposing liability on those that do not.  The frameworks recognized by H.B. 473 include the following:

  • The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity
  • NIST special publication 800-171
  • NIST special publication 800-53 and 800-53a
  • The Federal Risk and Authorization Management Program security assessment framework
  • The Center for Internet Security (CIS) Critical Security Controls
  • The International Organization for Standardization/International Electrotechnical Commission 27000- series (ISO/IEC 27000) family of standards

Additionally, H.B. 473 also considers cybersecurity programs substantially aligned with federal requirements, including the following:

  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) security requirements in 45 CFR part 160 and part 164, subparts A and C
  • The Health Information Technology for Economic and Clinical Health Act requirements in 45 CFR parts 160 and 164
  • Gramm-Leach-Bliley
  • The Federal Information Security Modernization Act of 2014

Notably, H.B. 473 takes a flexible approach to cybersecurity, considering various business-specific factors in determining the necessary scale and scope of a cybersecurity program to determine substantial alignment with standards recognized in the bill. These factors include the size, complexity, and nature of the business and its activities, the sensitivity of the personal information it holds, the availability and cost of security improvement tools, and the resources available for cybersecurity efforts.

What Does This Mean for Companies in Florida?

While H.B. 473 is not yet law, it signifies a positive step forward in recognizing and rewarding businesses that proactively adopt and maintain robust cybersecurity programs. As we move into the future, companies of all types and sizes, across various industries in Florida, should take the opportunity to assess the confidentiality, proprietary nature, personal data, or other sensitive information they hold. It is crucial to review and evaluate the effectiveness of your privacy and security measures. This evaluation should encompass the organization’s overall culture concerning privacy and security, ensuring that both the leadership and employees are adequately focused on these critical issues.

Furthermore, businesses should conduct thorough risk assessments to identify vulnerabilities and areas at risk, implement additional security measures to mitigate these risks, review and enhance existing policies and procedures, establish a tested incident response plan, and update employee training to address the latest cyber threats. This proactive approach to cybersecurity aligns with the objectives of H.B. 473 and can help businesses in Florida stay ahead in safeguarding their data and operations. If you have any questions about H.B. 473 or data privacy and cybersecurity matters generally, please contact Alexis Buese or Eric Setterlund.

Listen to this post

Ransomware attacks that shut business down to zero and data breaches that disclose the personal information of customers, vendors and employees justifiably strike fear in the hearts of executives everywhere. Organizations can suffer the reputational and financial consequences of these events for years to come. Due diligence in the current regulatory environment requires a plan for prevention and incident response.

But while ransomware and data breaches grab the headlines, business email compromise is overall the most prevalent and costly form of cybercrime. That’s because business email compromise is occurring every minute of every day. It’s a cybercriminal’s low hanging fruit.

Even the most sophisticated among us has been fooled by cybercriminals’ ever-more-savvy social engineering. Fraudsters can pose as a business partner more credibly than ever, through use of deceptively similar email addresses, alteration of the company’s real email chains, and alteration of familiar business forms. They learn the context of the financial transaction at issue in advance so they can cloak the crime in familiarity and take advantage of our reliance on email to get things done quickly. Millions in company funds have been unwittingly wired to fraudsters’ bank accounts, with discovery of the fraud occurring too late for claw back.

An Ounce of Prevention Is Worth a Pound of Cure

Combatting losses from business email compromise is straightforward. Institute an internal procedure for verification of authenticity prior to making payments, and regularly train your employees on social engineering techniques.

Many insurance policies covering social engineering losses require proof of such internal procedures and training as conditions of coverage. The limits available may also be insufficient to cover the entire loss. If sufficient coverage is unavailable, liability for diverted payments is typically apportioned to the party who was in the best position to avoid the loss.

Payment verification procedures and employee training – along with basic cybersecurity measures such as two-factor log-on identification and social engineering insurance – go a long way toward protecting the company’s bottom line from fraudsters and consequential harm to business relationships.

Listen to this post

The Florida Telephone Solicitation Act (FTSA), effective July 1, 2021, has undergone significant amendments as of May 25, 2023, reshaping the legal landscape for businesses in Florida. Initially, the FTSA created a private right of action for unwanted calls and texts, leading to over 500 complaints within a year. To clarify the FTSA’s ambiguities, Florida legislators introduced new bills, resulting in Gov. Ron DeSantis signing HB 761 into law, modifying the FTSA to bring more clarity for businesses contacting consumers via calls and texts. One crucial aspect of the amendment is its applicability to cases without granted class certification as of the amendment’s effective date. This change aimed to address the surge in “gotcha” litigation. Despite arguments from the plaintiff’s bar challenging the amendment’s constitutionality, two recent court decisions have upheld its validity. This blog post will discuss the implications that these decisions may have on the future landscape of the FTSA in Florida.

The FTSA

Effective July 1, 2021, the FTSA created a private right of action for consumers who receive unwanted calls and text messages. The FTSA applies to any business sending inbound text or calls into Florida, even if they are not organized under Florida law and have no physical presence in Florida. The FTSA removed many of the protections that businesses rely upon in defending claims under the Telephone Consumer Protection Act (TCPA). The FTSA prohibits the use of certain automated dialers to call (or text) consumers without their consent and enables consumers to recover $500 per call. Those damages are trebled for willful violations, resulting in a maximum potential liability of $1,500 per call. 

The FTSA triggered a host of lawsuits and caused numerous challenges due to its ambiguity. The FTSA was thus amended in 2023. 

The Amendment

The definition of an “auto-dialer” was substantially narrowed. The original FTSA language described an “automated system” as a tool for either “selection or dialing” of phone numbers. The updated definition shifts to “selection and dialing,” tightening the criteria for what constitutes an “auto-dialer.” As amended, a violation of the FTSA would only occur where the automated system is used to both select and dial telephone numbers.  This clarifies that calling technology must meet a two-part test to qualify as an automated system.

The FTSA originally prohibited “telephonic sales calls” if it involved the use of an automated system for the selection or dialing of phone numbers. This created ambiguity as to whether the prohibition applied to calls made pursuant to a nonwritten request to be called, such as inbound calls from a consumer. The amendment clarifies that the prohibition applies to certain “unsolicited” telephonic sales calls. Unsolicited calls, among other things, are calls made other than in response to an express request of the person called or to a person with whom the telephone solicitor has a prior or existing business relationship. 

Additionally, the amendments introduce a 15-day opt-out period for text message communications. Before initiating legal action over unsolicited texts, consumers must respond with a “STOP” message. The sender then has 15 days to cease sending texts, except for a confirmation of the opt-out. Legal action is permissible only if the sender fails to comply after this period. This provision significantly diminishes the legal exposure for marketers sending text messages in Florida, underscoring the importance of diligently recording and respecting opt-out requests.

Significantly, under Section 2, the amended FTSA applies “to any suit filed on or after the effective date of this act and to any putative class action not certified on or before the effective date of this act.” The effective date of the amended FTSA is May 25, 2023.

Recent Decisions Upholding the FTSA Amendment

In Holton v. eXp Realty, LLC, CASE NO. 8:23-cv-734-SDM-AEP (M.D. Fl. Dec. 28, 2023), the plaintiff, on behalf of himself and putative class members, sued eXp Realty, LLC, and alleged that eXp’s text messages violated FTSA. eXp argued that because Holton never alleged replying “STOP” and because Holton failed to certify his class action on or before May 25, 2023, the amended FTSA bared both Holton’s individual claim and his class action. The plaintiff responded that “retroactively” applying the amended FTSA unconstitutionally infringed his and each class member’s vested rights. The defendant countered that the plaintiff enjoys no vested right to represent a class.

The court reasoned that “the amended FTSA’s application to a class is wholly prospective and the amended FTSA applies only to a class certified after May 25, 2023.” Because the plaintiff’s class remains uncertified and he fails to allege that each member of his proposed class replied “STOP” to an unsolicited message, the amended FTSA bars the plaintiff’s class action. The court further noted that “Holton possesses no vested and inviolable right to represent a class.” And, similarly, “the proposed class members hold no vested and inviolable right, free from lawfully imposed requirements, to coalesce and litigate as a class.” The court thus remanded to state court as the Class Action Fairness Act (CAFA) no longer supported subject matter jurisdiction.

In a different case recently heard in state court, Leigue v. Everglades College, Inc. (Case No. 2022-008872-CA-01), the court also faced a legal challenge against the amended FTSA. The contention in that case was that the amendment unconstitutionally overstepped by improperly regulating procedural law. The court ultimately determined it was precluded from considering constitutional challenges when the defendant failed to promptly serve the attorney general with notice of the constitutionality challenge. Although the court declined to rule, it did take time to point out that it “agrees with Defendant that even if Section 768.734 contains some procedural aspects, Florida courts have consistently upheld the constitutionality of statutes containing both substantive and procedural provisions.”

Conclusion

Businesses currently entangled in class action lawsuits under the FTSA should take full advantage of the recent FTSA amendment. These legal shifts offer valuable tools for navigating the complexities of such litigation. Additionally, it is crucial for businesses engaged in consumer texting to diligently maintain records of opt-outs. This practice is essential not only for compliance but also as a strategic measure to mitigate the risk of future class action exposure under the FTSA. As the legal landscape continues to evolve, proactive and informed management of these issues will be key for businesses operating in this space.

Listen to this post

On December 13, 2023, the Federal Communications Commission (FCC) ushered in a new era by enacting transformative rules, marked by a 4-1 vote, aimed at addressing what it viewed as the lead generation loophole.  The FCC’s Second Report and Order, released on November 22, 2023, was poised to signify a monumental shift in lead generation practices, mandating prior express written consent for calls or texts specifically on behalf of one seller at a time.  Despite voracious opposition from small business and industry groups, the FCC adopted Report and Order.  With six months to become compliant, this blog post delves into an analysis of the implications of these new rules on lead generation practices, offering insights into the components of the adopted Report and Order, legal implications, and concluding with recommendations for businesses navigating this evolving regulatory landscape.

Key Components

Lead generation has long been the secret sauce for connecting with potential customers. Lead generation on comparison shopping websites involves users sharing preferences and contact details, which are then converted into leads. These leads are subsequently relayed to relevant businesses, enabling them to engage with potential customers. The overarching aim is to nurture these leads through effective follow-up, providing additional information, and ultimately converting interested users into customers, a process applicable to various industries and lead generation platforms.

However, enter the FCC’s new rules, and the landscape undergoes a seismic transformation. On December 13, 2023, the FCC voted 4-1 to enact the Proposed Rules, limiting consent to one-to one, allowing the blocking of “red flagged” robotexting numbers, codifying do-not-call rules for texting, and promoting an opt-in approach for delivering email-to-text messages. These changes are set to take effect six months after enactment.

Once the new rules take effect, businesses will be required to secure a consumer’s prior express written consent, but here’s the twist – exclusively for calls and texts initiated through an automatic telephone dialing system (ATDS), prerecorded message, or artificial voice, and limited to “a single seller at a time.” This isn’t just a rule; it’s a game-changing move that reshapes how consumers provide consent in a world brimming with lead generation and comparison-shopping websites. Obtaining consent individually for each seller involved in lead generation can be administratively complex and inefficient. It requires a separate process for each seller, potentially leading to a cumbersome experience for both businesses and consumers.

Report and Order Insights

The recently embraced FCC Report and Order redefines the landscape for marketing calls and texts. Here’s a detailed exploration of the pivotal legal aspects:

First, the FCC orchestrated a paradigm shift, requiring businesses to secure a consumer’s prior express written consent from a single seller. This marks a departure from the past, emphasizing the need for distinct consents even in a digital marketplace teeming with multiple sellers.

While lead generators enjoy some flexibility, constraints accompany the privilege. The expectation is that consumers can consent to multiple sellers on a single page, but the FCC demands a direct, explicit mechanism, sidelining the efficacy of mere hyperlinks.

Transparency takes center stage as the FCC underscores the necessity for clear and conspicuous disclosures. Sellers must now possess concrete evidence of consent, moving away from reliance on lead generators for proof.

For the first time, the FCC asserts that calls and texts to DNC Registry numbers necessitate prior express invitation or permission, substantiated by a signed, written agreement.

Terminating providers now shoulder the responsibility of blocking all texts from specified numbers upon FCC notification. The “block-upon-notice” requirement reshapes provider responsibilities, elevating vigilance to a new level.

Finally, while not mandatory, the FCC nudges businesses towards adopting email-to-text as an opt-in service. The prospect of a potential rulemaking looms on the horizon, hinting at a transformative shift in email-to-text compliance.

Practical Steps Forward

Considering these regulatory changes, it is crucial for businesses to proactively reassess their lead generation practices and vendor relationships, particularly under the guidance of experienced legal counsel, such as Bradley. The granted six-month implementation period provides a window of opportunity for businesses to conduct thorough investigations and align with these new regulations. In anticipation of an expected wave of TCPA class action lawsuits, working closely with seasoned Bradley counsel will help businesses adopt a strategic and compliant approach to lead generation. This proactive stance ensures that businesses are well-prepared to navigate the dynamic and evolving regulatory framework.

If you have any questions about this transformative new FCC rule, please do not hesitate to reach out to Alexis Buese.

Listen to this post

The Department of Health & Human Services (HHS) released a concept paper outlining its strategy for improving cybersecurity infrastructure within the healthcare sector. The paper calls for proposing healthcare-specific cybersecurity performance goals that will include both minimum foundational practices and advanced goals for cybersecurity performance. By centralizing these performance goals into the Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs), HHS hopes to provide clear directives for stakeholders. This paper comes on the heels of the White House’s March National Cybersecurity Strategy and HHS’s April 2023 Hospital Cyber Resiliency Landscape Analysis.

HHS initially intends to incentivize the adoption of these performance goals by working with Congress to increase funding, develop incentives, and increase enforcement authority to improve cybersecurity. Specifically, HHS has stated that it will take the following concurrent steps:

  1. Establish voluntary cybersecurity performance goals for the healthcare sector
  2. Provide resources to incentivize and implement these cybersecurity practices
  3. Implement an HHS-wide strategy to support greater enforcement and accountability
  4. Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity

Notably, HHS will also seek to incorporate the HPH CPGs into existing regulations and programs, including (1) by working with CMS to adopt new cybersecurity requirements for hospitals participating in Medicare and Medicaid; and (2) through proposed updates to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in Spring 2024. These revisions are notable in that HIPAA’s security standards have not been revised in over 18 years, and hospitals would be subject to compliance surveys from state health departments and The Joint Commission (TJC) pursuant to the Medicare Conditions of Participation for Hospitals.

Bradley will continue to monitor this development and provide updates as HHS moves forward with these implementation strategies.

Listen to this post

A previous installment discussed the centrality of network topology to an organization’s data security and outlined the legal framework and obligations incumbent upon many organizations in the U.S. The first installment can be found here. The second and final part of this series will discuss strategies for optimizing network topology and data security, focusing on the NIST Cybersecurity Framework as one of several security frameworks with broad industry recognition.

The NIST Cybersecurity Framework is a voluntary set of standards, guidelines, and best practices for improving the security and resilience of critical infrastructure sectors. It was developed by the National Institute of Standards and Technology (NIST) in collaboration with various stakeholders from the public and private sectors, and it is widely recognized as a valuable tool for enhancing data security practices across different industries and organizations. Network topology plays a pivotal role within this framework, as it is the foundational blueprint upon which the security measures are built.

Five Functions of the NIST Framework

For each of the five core functions of the NIST Cybersecurity Framework – Identify, Protect, Detect, Respond, and Recover – network topology influences the implementation and performance of the corresponding subcategories. Network topology helps organizations identify and protect their network assets and data, detect and respond to network incidents, and recover from network breaches. Some examples are:

  • Identify (ID) Function: This function involves developing an organizational understanding of the systems, assets, data, and capabilities that must be protected. Network topology supports this function by helping organizations inventory their physical devices and systems (ID.AM-1), map their organizational communication and data flows (ID.AM-3), and identify their network boundaries (ID.BE-5).
  • Protect (PR) Function: This function involves developing and implementing appropriate safeguards to ensure the delivery of critical services. Network topology helps organizations protect the integrity of their network (PR.AC-5), implement network segmentation (PR.AC-6), encrypt data in transit and at rest (PR.DS-2), and manage network access rights (PR.AC-1).
  • Detect (DE) Function: This function involves developing and implementing appropriate activities to identify the occurrence of a cybersecurity event, with network topology supporting the monitoring network activity (DE.AE-1), detecting anomalies and events (DE.AE-2), and implementing continuous monitoring capabilities (DE.CM-1).
  • Respond (RS) Function: This function involves developing and implementing appropriate activities to take action regarding a detected cybersecurity event. Network topology helps organizations analyze network incidents (RS.AN-1), contain network incidents (RS.CO-1), eradicate network incidents (RS.ER-1), and communicate network incidents internally and externally (RS.CO-2).
  • Recover (RC) Function: This function involves developing and implementing appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. Network topology aids organizations to restore network services (RC.RP-1), improve network recovery planning (RC.IM-1), and incorporate lessons learned from network incidents (RC.IM-2).

Maintaining a secure network topology in alignment with the NIST Cybersecurity Framework can be challenging for organizations due to the complexity and diversity of network environments, the evolving nature of cyber threats, and the variability of legal standards. In consideration of these complexities, organizations can be guided by some best practices, such as:

  • Conducting regular risk assessments to identify and prioritize network vulnerabilities and threats.
  • Updating network diagrams and documentation to reflect changes in network configuration, devices, data, and legal requirements.
  • Implementing industry-standard security controls, such as firewalls, antivirus software, encryption, authentication, authorization, etc., to protect network assets and data.
  • Using network discovery tools, diagramming software, and monitoring systems to automate and simplify the network mapping process.
  • Training employees on security awareness and best practices for using network resources.

FTC Endorsement of the NIST Framework

The Federal Trade Commission (FTC), the primary federal agency responsible for protecting consumers and promoting competition, has recognized the value and consistency of the NIST Framework with its approach to data security, acknowledging its usefulness and relevance for businesses of all sizes and sectors, without formally endorsing it. The NIST Framework is aligned with the FTC’s data security guidance and enforcement actions, which are based on a case-by-case evaluation of the reasonableness of data security practices, considering factors such as the nature and size of the business, the sensitivity and volume of the data, and the availability and cost of tools to improve security and reduce vulnerabilities. The FTC has recognized the NIST Framework in various official publications, statements, and collaborative efforts with NIST. Some examples are:

  • The FTC published a blog post explaining how the NIST Framework is consistent with the FTC’s data security guidance, summarized in its “Start with Security” initiative. The blog post links other resources to help businesses implement the NIST Framework.
  • The FTC’s “Data Breach Response: A Guide for Business” mentions the NIST Framework as one of several sources of additional information on data security. The guide provides practical advice on effectively preparing for and responding to data breaches.
  • In various congressional testimonies, the FTC chairperson has acknowledged the relevance and usefulness of the NIST Framework for improving data security. The chair also highlighted the FTC’s collaboration with NIST on developing standards and guidelines for privacy and consumer protection, such as the Privacy Framework and the Consumer Privacy Bill of Rights.

Cross-Mapping the NIST Framework with Data Security Standards

Network topology not only assists with implementing the NIST Cybersecurity Framework, it also supports compliance with various information security standards that apply to different sectors and contexts. Several of the NIST Framework’s core functions, such as “Identify” and “Protect,” require organizations to understand their network layout, assets and vulnerabilities. Network topology directly supports these functions by identifying and prioritizing critical assets, assessing risks, and implementing protective measures. These standards provide specific controls and guidelines directly related to network topology and mapping and help organizations achieve data security objectives such as confidentiality, integrity, availability, accountability, and resilience. These standards are:

Center for Internet Security (CIS) Controls: These universally recognized controls provide actionable guidance for enhancing an organization’s cybersecurity stance. Network topology intertwines closely with CIS Control 1 (Inventory and Control of Hardware Assets) and Control 2 (Inventory and Control of Software Assets). Accurate mapping of network assets and their configurations is central to these controls, specifically aligning with CIS Control 1.1 (Active Physical Asset Inventory) and CIS Control 2.1 (Inventory of Authorized and Unauthorized Software).

COBIT 2019: The COBIT framework aids organizations in governing and managing enterprise IT, aligning IT with business objectives. Network topology is particularly relevant within the COBIT control framework, notably in Control APO12 (Managed Business Process Controls) and Control DSS02 (Manage Service Requests and Incidents). Accurate network mapping substantiates COBIT’s objectives by facilitating efficient resource allocation, directly supporting Control APO12.05 (Managed Business Process Controls Monitoring and Reporting), and enhancing risk management, aligning with Control DSS02.03 (Incident and Service Request Data).

ISA Standards: The International Society of Automation has formulated standards such as ISA-95 (Enterprise-Control System Integration) and ISA-99 (Industrial Automation and Control Systems Security). In industrial contexts, network topology is pivotal for securing process control systems. Notably, ISA-99 includes standards such as ISA-99-02-01 (Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control System Security Program) and ISA-99-02-02 (Security for Industrial Automation and Control Systems: Technical Security Requirements for Industrial Automation and Control Systems), which emphasize the critical role of network topology in ensuring the security of these systems.

ISO/IEC 27001:2017: The ISO 27001 standard concerns information security management systems (ISMS). Network topology is pivotal in ISO 27001, particularly in Control A.12.1.1 (Control Objective: Control of Network Perimeter), which mandates assessing and managing network security risks. Additionally, Control A.12.1.2 (Control Objective: Management of Security in Networks) underscores the importance of secure network management, reinforcing the relevance of network topology.

NIST SP 800-53 Rev.5: This exhaustive catalog of security and privacy controls for federal information systems and organizations encompasses controls deeply rooted in network-centricity. Specifically, NIST SP 800-53 Rev.5 includes control families such as “Access Control” (AC) and “Audit and Accountability” (AU), which directly involve knowledge of network topology. Control AC-2 (Account Management) and Control AU-4 (Audit Storage Capacity) emphasize the importance of network configuration and monitoring. Additionally, Control AC-17 (Remote Access) addresses secure network access, highlighting the indispensable role of network topology knowledge. These controls harmonize seamlessly with the NIST Cybersecurity Framework, further underlining the significance of network topology in government and private-sector cybersecurity initiatives.

Network Topology Optimization for Data Security

Optimizing network topology for data security is an ongoing process that requires constant monitoring, evaluation, and improvement as organizations work towards efficiency, scalability, reliability, and security. Here are some strategies for optimizing network topology for data security:

  • Network Segmentation: Network segmentation involves dividing the network into smaller subnetworks or segments based on function, location, or access level criteria. This strategy reduces the network’s attack surface by limiting the exposure of sensitive data and devices to unauthorized users or malicious actors. It also improves network performance by reducing congestion and latency.
  • Network Isolation: Network isolation involves creating separate networks for different purposes or data types. This strategy enhances the security of sensitive data by preventing interaction or communication between networks that are not authorized or necessary. It also reduces the risk of network compromise by isolating potential sources of infection or intrusion.
  • Network Encryption: Network encryption involves using cryptographic techniques to protect data in transit over the network from unauthorized access or modification. This strategy ensures the confidentiality and integrity of data by preventing eavesdropping or tampering by third parties. It also protects against man-in-the-middle attacks by verifying the identity of network endpoints.
  • Network Access Control: Network access control involves policies and mechanisms regulating who can access what on the network. This strategy enforces the principle of least privilege by granting only the minimum level of access required for each user or device to perform their tasks. It also prevents unauthorized access by requiring authentication, authorization, and accounting for network resources.
  • Network Monitoring: Network monitoring involves collecting and analyzing network activity and performance data. This strategy enables the detection and prevention of network anomalies and incidents by providing visibility into network traffic, devices, and configurations. It also supports network optimization by identifying and resolving network issues, bottlenecks, or inefficiencies.

Conclusion

Data security is a top concern for organizations in today’s digital landscape. It protects data from unauthorized access, use, modification, or disclosure. Data security requires implementing technical, administrative, and physical measures to safeguard data from internal and external threats. Network topology and network mapping can strengthen data security strategy. They provide a comprehensive view of the organization’s digital infrastructure. Network topology and mapping also can be aligned with various legal frameworks and standards that regulate data security and privacy. Organizations can develop and implement tailored security strategies that address specific vulnerabilities and risks, leveraging the information gained through network topology and mapping, guiding data security practices and meeting compliance requirements.