
A significant shift in cybersecurity compliance is on the horizon, and businesses need to prepare. Once the rule is finalized, covered organizations will be required to report cybersecurity incidents and ransomware payments to the federal government. This change stems from the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issuing a Notice of Proposed Rulemaking (NPRM) on April 4, 2024, to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). In short, “covered entities” will have to report specified cyber incidents and ransom payments to CISA within defined timeframes.

Background

Back in March 2022, President Joe Biden signed CIRCIA into law. This was a big step towards improving America’s cybersecurity. The law requires CISA to create and enforce regulations mandating that covered entities report cyber incidents and ransom payments. The goal is to help CISA quickly assist victims, analyze trends across different sectors, and share crucial information with network defenders to prevent other potential attacks.

The proposed rule is open for public comment until July 3, 2024. CIRCIA gives CISA 18 months from the NPRM to issue a final rule, so finalization is expected around October 4, 2025, with the reporting obligations taking effect in late 2025 or early 2026. This post provides an overview of the NPRM, highlighting its key points from the detailed Federal Register notice.

Cyber Incident Reporting Initiatives

CIRCIA includes several key requirements for mandatory cyber incident reporting:

  • Cyber Incident Reporting Requirements – CIRCIA mandates that CISA develop regulations requiring covered entities to report any covered cyber incidents within 72 hours from the time the entity reasonably believes the incident occurred.
  • Federal Incident Report Sharing – Any federal entity receiving a report on a cyber incident after the final rule’s effective date must share that report with CISA within 24 hours. CISA will also need to make information received under CIRCIA available to certain federal agencies within the same timeframe.
  • Cyber Incident Reporting Council – The Department of Homeland Security (DHS) must establish and chair an intergovernmental Cyber Incident Reporting Council to coordinate, deconflict, and harmonize federal incident reporting requirements.

Ransomware Initiatives

CIRCIA also authorizes or mandates several initiatives to combat ransomware:

  • Ransom Payment Reporting Requirements – CISA must develop regulations requiring covered entities to report to CISA within 24 hours of making any ransom payments due to a ransomware attack. These reports must be shared with federal agencies similarly to cyber incident reports.
  • Ransomware Vulnerability Warning Pilot Program – CISA must establish a pilot program to identify systems vulnerable to ransomware attacks and may notify the owners of these systems.
  • Joint Ransomware Task Force – CISA has announced the launch of the Joint Ransomware Task Force to build on existing efforts to coordinate a nationwide campaign against ransomware attacks. This task force will work closely with the Federal Bureau of Investigation and the Office of the National Cyber Director.

Scope of Applicability

The regulation targets many “covered entities” within critical infrastructure sectors. CISA clarifies that “covered entities” encompass more than just owners and operators of critical infrastructure systems and assets. Entities actively participating in these sectors might be considered “in the sector,” even if they are not critical infrastructure themselves. Entities uncertain about their status are encouraged to contact CISA.

Critical Infrastructure Sectors

CISA’s interpretation includes entities within one of the 16 sectors defined by Presidential Policy Directive 21 (PPD-21): Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems.

Covered Entities

CISA aims to include small businesses that own and operate critical infrastructure by setting additional sector-based criteria. The proposed rule applies to organizations falling into one of two categories:

  1. Entities operating within critical infrastructure sectors, except small businesses
  2. Entities in critical infrastructure sectors that meet sector-based criteria, even if they are small businesses

Size-Based Criteria

The size-based criteria use the Small Business Administration (SBA) size standards, which vary by industry and are based on either annual receipts or number of employees, depending on the industry. Entities in critical infrastructure sectors that exceed the applicable threshold are “covered entities.” The SBA standards are updated periodically, so organizations must stay informed about the current thresholds applicable to their industry.

Sector-Based Criteria

The sector-based criteria target essential entities within a sector, regardless of size, based on the potential consequences of disruption. The proposed rule outlines specific criteria for nearly all 16 critical infrastructure sectors. For instance, in the information technology sector, the criteria include:

  • Entities providing IT services for the federal government
  • Entities developing, licensing, or maintaining critical software
  • Manufacturers, vendors, or integrators of operational technology hardware or software
  • Entities involved in election-related information and communications technology

In the healthcare and public health sector, the criteria include:

  • Hospitals with 100 or more beds
  • Critical access hospitals
  • Manufacturers of certain drugs or medical devices

Covered Cyber Incidents

Covered entities must report “covered cyber incidents,” which include significant loss of confidentiality, integrity, or availability of an information system, serious impacts on operational system safety and resiliency, disruption of business or industrial operations, and unauthorized access due to third-party service provider compromises or supply chain breaches.

Significant Incidents

This definition covers substantial cyber incidents regardless of their cause, including third-party compromises, denial-of-service attacks, and exploitation of vulnerabilities in open-source code. However, activity conducted at the request of the owner or operator of the affected system (for example, authorized penetration testing) is not included. Examples of substantial incidents include encryption of core systems, exploitation causing extended downtime, and ransomware attacks on industrial control systems.

Reporting Requirements

Covered entities must report cyber incidents to CISA within 72 hours of reasonably believing an incident has occurred. Reports must be submitted via a web-based “CIRCIA Incident Reporting Form” on CISA’s website and include extensive details about the incident and ransom payments.

Report Types and Timelines

  • Covered Cyber Incident Reports within 72 hours of identifying an incident
  • Ransom Payment Reports due to a ransomware attack within 24 hours of payment
  • Joint Covered Cyber Incident and Ransom Payment Reports within 72 hours of identifying the incident, where a ransom payment is made before the separate incident report is due
  • Supplemental Reports within 24 hours if new information or additional payments arise

Entities must retain data used for reports for at least two years. They can authorize a third party to submit reports on their behalf but remain responsible for compliance.

Exemptions for Similar Reporting

Covered entities may be exempt from CIRCIA reporting if they have already reported to another federal agency, provided an agreement exists between CISA and that agency. This agreement must ensure the reporting requirements are substantially similar, and the agency must share information with CISA. Federal agencies that report to CISA under the Federal Information Security Modernization Act (FISMA) are exempt from CIRCIA reporting.

These agreements are still being developed. Entities reporting to other federal agencies should stay informed about their progress to understand how they will impact their reporting obligations under CIRCIA.

Enforcement and Penalties

The CISA director can issue a request for information (RFI) if an entity fails to submit a required report. Non-compliance can lead to civil action or court orders, and may also result in consequences such as suspension or debarment from, and restrictions on, future government contracting. False statements in reports may result in criminal penalties.

Information Protection

CIRCIA protects reports and RFI responses, including immunity from enforcement actions based solely on report submissions and protections against legal discovery and use in proceedings. Reports are exempt from Freedom of Information Act (FOIA) disclosures, and entities can designate reports as “commercial, financial, and proprietary information.” Information can be shared with federal agencies for cybersecurity purposes or specific threats.

Business Takeaways

Although the rule will not take effect until late 2025 at the earliest, companies should begin preparing now. Entities should review the proposed rule to determine whether they qualify as covered entities and understand the reporting requirements, then adjust their security programs and incident response plans accordingly. Creating a regulatory notification chart can help track the various incident reporting obligations and their deadlines. Proactive measures, and potentially formal comments on the proposed rule, can ease compliance once the rule is finalized.

These steps are designed to guide companies in preparing for CIRCIA, though each company must assess its own needs and procedures within its specific operational, business, and regulatory context.


In the middle of the 20th century, there was a massive expansion of the retail credit market. Everything from boats to sewing machines to kitchen appliances was bought and sold through increasingly complex credit arrangements. These arrangements extinguished a consumer’s right to dispute any terms of the contract once the loan was assigned, legally binding the consumer to pay the holder of the contract even if the sale was fraudulent. These “cut-off” clauses were considered standard, and consumers had no choice, as the contract was presented on a “take it or leave it” basis.

In a recent lecture, the director of the Federal Trade Commission’s Bureau of Consumer Protection compared these credit contracts to the concept of notice and choice in today’s digital world of data collection and privacy concerns. The director characterized notice and choice as “weaponizing fine-print contractual provisions to shift risk and responsibility away from themselves and onto consumers.”

The director’s remarks focused on the commission’s response to these mid-century credit contract provisions: the Holder Rule. This rule reallocated the risk of seller misconduct by allowing consumers to assert claims and defenses against any holder of the loan. The rule created incentives for creditors to self-police the retail market, as any subsequent creditor could now be held responsible for the originator’s bad acts.

The director went on to dispel the notion that this type of model, if applied to privacy concerns, would disrupt business and the digital marketplace by saying:

[D]espite dire warnings from industry, these changes did not make the sky fall or cause the credit market to dry up. Consumer credit continues to be very competitive, and the Holder Rule continues to provide fundamental protections that promote confidence in the lending system.

. . .

As the Holder Rule shows, well-designed government action does not distort the free market – it makes it work better. By properly aligning incentives and allocating legal responsibility, trust grows and firms can compete on value. To be clear, humility is an important virtue for regulators; unintended consequences, regulatory burden, and imperfect information are all ever-present concerns. But there are also risks to inaction, and the consequences of failing to act can leave the public worse off, especially when it allows businesses to shift the cost of misconduct onto consumers. We saw that in credit markets half a century ago, and we see it in our digital economy today.

See Toward a Safer, Freer, and Fairer Digital Economy, How Proactive Consumer Protection Can Make the Internet Less Terrible, Remarks of Samuel Levine, Fourth Annual Reidenberg Lecture, Fordham Law School, April 17, 2024.

The director concluded his remarks by emphasizing that the FTC is currently, and intends to continue to, take bold action and use every tool in its arsenal to protect privacy, combat online dark patterns and manipulation, and safeguard the public from other harms. The closing remarks signaled that the FTC intends to take further action to protect consumers’ privacy rights by moving away from notice and consent and placing the onus on businesses through legal remedies similar to those present in the Holder Rule.

Finally, the director did not say what an application of a Holder Rule analogue in the privacy space would look like in practice. However, this is certainly an area to stay abreast of, as the FTC becomes more active in this space and continues to look for ways to address these issues through its rulemaking authority.


The healthcare sector is increasingly facing cyber threats, with ransomware and hacking at the forefront. In the last five years, there has been a 256% rise in significant hacking-related breaches and a 264% surge in ransomware incidents reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Hacking alone was responsible for 79% of the major breaches reported to OCR in 2023. These breaches affected over 134 million individuals in 2023 alone, a 141% increase from the previous year. In response to the rise in cyber threats within the healthcare industry, covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) should be proactive in mitigating or preventing cyber attacks. This article delves into OCR’s guidance, exploring the practical steps and measures that organizations can implement to bolster their cybersecurity defenses.

Cybersecurity Readiness

Cyberattacks dominated the news in 2023, with hacking and IT breaches impacting government bodies, leading corporations, and critical supply chains, including those for vital resources like gasoline. The healthcare sector faced an especially challenging year, as cybercriminals targeted hospitals and healthcare systems. On February 14, 2024, OCR released two Congressional Reports concerning compliance and enforcement under HIPAA.  These documents offer crucial insights for entities regulated by HIPAA aiming to bolster their compliance strategies.

OCR Director Melanie Fontes Rainer stated: “Our health care systems should take note of these trends and address potential HIPAA compliance issues before they experience a breach or receive notice of an OCR investigation. My staff and I stand ready to continue to work with Congress and the health care industry to drive compliance and protect against security threats.” Notably, as in previous years, hacking/IT incidents remain the largest category of breaches and affected the most individuals. Network servers continued as the largest category by location for breaches involving 500 or more individuals.

The breach reports that OCR received revealed common vulnerabilities and deficiencies. OCR was able to identify several areas of improvement for the sector tied to specific HIPAA Security Rule standards. OCR suggested that covered entities and business associates focus on improving compliance with the security management process standard, the audit controls standard, and response and reporting requirements.

Of note, while certain cyber attacks leverage sophisticated techniques to exploit previously unknown vulnerabilities (zero-day attacks), the majority of cyber incidents, according to OCR, could be either prevented or significantly lessened if covered entities and business associates adhered to the HIPAA Security Rule. This includes safeguarding against prevalent attack methods such as phishing emails, exploitation of known but unpatched vulnerabilities, and weak authentication. Following a successful intrusion, attackers frequently encrypt electronic protected health information (ePHI) for ransom or exfiltrate the data for future malicious use, including identity theft or extortion.

OCR recommends covered entities and business associates take the following best practices to mitigate or prevent cyber-threats:

  • Ensuring all partnerships with vendors and contractors are secured by appropriate business associate agreements that clearly outline responsibilities in case of a breach or security incident.
  • Embedding risk analysis and management into the core business practices, with regular assessments, particularly when adopting new technologies or altering business operations.
  • Establishing robust audit controls to document and scrutinize activity within information systems.
  • Conducting periodic reviews of information system activities to identify and mitigate potential risks.
  • Adopting multi-factor authentication measures to verify that only authorized individuals access protected health information.
  • Securing protected health information through encryption to prevent unauthorized access.
  • Learning from past security incidents to improve the overall security management strategy.
  • Offering targeted training that aligns with organizational and specific job requirements, emphasizing the essential role of all staff in upholding privacy and security standards, and ensuring such training is refreshed regularly.

Cybersecurity in 2024 And Beyond

Also this month, U.S. Senator Bill Cassidy, M.D. (R-LA), ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, released a report outlining ways to improve privacy protections for Americans’ health data. This follows Senator Cassidy’s call last year for stakeholder input on ways to strengthen the privacy protections for health data within the HIPAA framework and to explore privacy measures for emerging health data sources. In the report, Senator Cassidy presents recommendations to update the HIPAA framework, protect health data not currently covered by HIPAA, and address data that blurs the line between health and non-health categories. The report notes that while HIPAA has played a crucial role in safeguarding patient information for more than two decades, it has struggled to keep pace with rapid advances in technology and the innovative tools that have become integral to modern healthcare. Stakeholders highlighted a pressing need for HIPAA to evolve, arguing that updates are essential to keep patient information secure in an increasingly digitized healthcare ecosystem.

In his report, Senator Cassidy notes that the United States does not have a comprehensive data privacy law and calls on Congress to fill the gap.  Unlike 2022, which saw the American Data Privacy and Protection Act (ADPPA) make notable progress in the House of Representatives, 2023 witnessed a lull in the push for a sweeping federal privacy statute. Nevertheless, 2024 holds the potential for renewed momentum in advancing the ADPPA (or a comparable proposal). President Joe Biden has notably urged Congress to enact bipartisan data privacy laws, reinforcing this call through a recent executive order on sensitive personal data.  Meanwhile, in the absence of any action on a federal privacy law, we anticipate additional states passing comprehensive privacy laws of their own in 2024.

Indeed, comprehensive privacy bills have been passed or nearly passed by the legislatures in New Jersey and New Hampshire so far in 2024. Additionally, on March 31, 2024, Washington’s My Health My Data Act (MHMDA) goes into effect. MHMDA is a pivotal health privacy law that establishes substantial compliance requirements for businesses handling health data not covered by HIPAA or the federal 42 CFR Part 2 rules. The significance of this legislation is heightened by its private right of action, under which uncertainties in the law are likely to be leveraged by plaintiffs’ attorneys.

CONCLUSION

The OCR reports are a clear reminder of the need for healthcare organizations to enhance their cybersecurity preparedness. As healthcare organizations navigate the complexities of the digital age, the importance of cybersecurity cannot be overstated. By prioritizing preparedness, resilience, and a culture of cybersecurity awareness, healthcare organizations can not only protect themselves against the financial and reputational damage of cyber attacks but also, and most importantly, safeguard the well-being and privacy of the patients they serve. The journey toward comprehensive cybersecurity preparedness is ongoing, requiring vigilance, adaptability, and a unified effort.


In 2023, the government and whistleblowers were party to 543 settlements and judgments — the highest number in a single year — collecting over $2.68 billion. After announcing its Civil Cyber-Fraud Initiative in October 2021, the Justice Department proved that the initiative is dedicated to using the FCA as a mechanism to hold federal contractors accountable who fail to follow federal cybersecurity requirements. Settlements in 2023 included allegations against companies for their failure to provide secure systems to customers, failure to provide secure hosting of personal information, and failure to properly maintain, patch, and update software systems. The Justice Department has made clear that cybersecurity is one of its key enforcement priorities in 2024 and moving forward, meaning all federal contractors must be particularly mindful of federal cybersecurity requirements. To keep you apprised of the current enforcement trends and the status of the law, Bradley’s Government Enforcement and Investigations Practice Group is pleased to present the False Claims Act: 2023 Year in Review, our 12th annual review of significant FCA cases, developments and trends.


The frequency of class actions related to data breaches has significantly increased, with no indication that this upward trajectory will plateau. This raises the question: Are there more efficient alternatives to settling these disputes in the public eye of the courts? Moreover, is it possible to mitigate the financial burden associated with these legal battles? The short answer: Incorporating arbitration clauses and class action waivers into terms and conditions presents a viable strategy — if done correctly.

In a recent ruling by the Ninth Circuit, a significant message was sent to businesses about the critical nature of employing clear and effective website terms and conditions incorporating an arbitration clause and class action waiver. The case of Patrick v. Running Warehouse, LLC, — F.4th —- (2024), stemmed from a data breach in October 2021, leading to the alleged exposure of consumers’ personally identifiable information. The consumers’ attempt to bring forward class actions for negligence, breach of contract, and other claims against the retailer was met with a motion to compel arbitration.

The Ninth Circuit found that “Plaintiffs other than Craig Arcilla acknowledged seeing a hyperlink to the websites’ Terms of Use and therefore had inquiry notice of the arbitration provision.” With respect to Arcilla, “the panel agreed with the district court’s finding that Defendant Running Warehouse’s website provided sufficient information to put him on inquiry notice. The website provided reasonably conspicuous notice of the Terms, and Arcilla manifested assent to the Terms by clicking the ‘Place Order’ button to complete his purchase.”

The ruling underscores the necessity for businesses to ensure that their terms of service are not only present but also prominently displayed and easily accessible to consumers. In this instance, the court noted that the plaintiffs had acknowledged seeing a hyperlink to the Terms of Service, placing them on “inquiry notice” of the arbitration provision. This concept, supported by prior decisions, suggests that while consumers may choose not to read the terms, the availability of these terms still binds them legally, as they are considered to have been given sufficient notice.

For background, arbitration offers a practical alternative to the costly and time-consuming nature of court litigation. It is favored by many larger entities for its ability to avoid protracted trial procedures, keep legal disputes private, and give the parties a hand in selecting the arbitrator. Traditionally, the inclusion of class action waivers within arbitration clauses deters the aggregation of individual claims into a single, large-scale lawsuit. These advantages, combined with class action waivers, are particularly appealing to businesses aiming to reduce the financial and reputational risks of data breach lawsuits, which often involve very large classes. However, recent developments have made arbitration less enticing: the current surge in mass arbitration, where thousands of identical claims from consumers or employees are filed against a company. This movement is propelled by a savvy group of plaintiffs’ lawyers who leverage the sheer number of data breach and privacy claimants to strong-arm settlements, since the alternative for the company is incurring single-plaintiff arbitration fees for thousands of cases.

As the legal landscape surrounding mass arbitrations evolves, there are proactive measures a company can take to mitigate these risks. However, for these strategies to be effective, they need to be implemented before the company is notified of a mass arbitration. Companies must carefully revise their arbitration agreements to avoid any provisions that could be deemed unconscionable, potentially jeopardizing the entire agreement. Instituting a pre-dispute resolution process with mandatory individualized conferences before arbitration can ensure that only serious claims proceed, potentially decreasing costs. Additionally, requiring claimants to submit individual requests for arbitration with comprehensive details about the claim and a good faith estimate of the dispute amount can help deter baseless claims. Modifying cost-splitting provisions to remove blanket commitments to cover arbitration filing fees and introducing the possibility of fee shifting for frivolous claims can further protect companies. Moreover, adopting a clause for batch arbitration, where similar claims filed simultaneously are consolidated into manageable groups, can streamline the resolution process and benefit both companies and consumers by enabling more efficient adjudication with reduced administrative burdens. These measures, carefully tailored to comply with applicable laws and arbitration rules, can significantly mitigate the risks associated with mass arbitration scenarios.

It’s important to note that not every arbitration clause and class action waiver holds up legally. Errors and oversights can elevate the likelihood of a company having to face a class action lawsuit in court, despite efforts to circumvent such scenarios through waivers. This case is a clear reminder of the need for businesses to use terms and conditions effectively. By ensuring that these legal agreements are clearly communicated and accessible, companies can better protect themselves from legal disputes.

Bradley has extensive expertise in guiding clients through mass arbitration claims and stands in a unique position to help businesses tailor dispute resolution clauses that best fit their specific requirements. If you have any inquiries regarding mass arbitration, we encourage you to contact any of the Bradley representatives listed below for further assistance.


A recently introduced bill in the Florida Legislature would provide businesses operating in Florida, including health care providers, with a legal defense to data breach lawsuits if they maintain robust cybersecurity measures that meet government- and industry-recognized standards. Specifically, Florida House Bill No. 473 (H.B. 473), known as the Cybersecurity Incident Liability Act, was introduced and reported favorably in the Commerce Committee on Jan. 23, 2024, to provide a much-needed safe harbor from liability for businesses that implement sensible, industry-recognized cybersecurity measures. This act aims to incentivize businesses to achieve a higher level of cybersecurity by maintaining a cybersecurity program that substantially complies with industry-recommended frameworks.

Businesses that achieve substantial compliance with recognized frameworks outlined in H.B. 473 would be entitled to a “legal safe harbor,” which could be used as an affirmative defense against tort claims arising from data breaches linked to alleged failures to adopt reasonable cybersecurity measures.

Alexis Buese, a key member of Bradley’s Class Action Litigation team based in Tampa, played a pivotal role in introducing the bill by providing crucial testimony on behalf of the health care industry in favor of H.B. 473 before the Commerce Committee. Bradley has consistently been at the forefront of advocating for innovative solutions that empower businesses to mitigate unnecessary class action exposure. With H.B. 473, the approach to liability becomes proactive, encouraging businesses to enhance their cybersecurity practices while offering incentives for upscaling their security measures.

Safe Harbor Details

H.B. 473’s “safe harbor” does not grant blanket immunity to a business facing a data breach lawsuit. Rather, it specifically applies only to tort claims, such as negligence, and businesses seeking to utilize the safe harbor must plead it as an affirmative defense in a lawsuit and demonstrate that their cybersecurity program complies with the law’s requirements. Importantly, the safe harbor does not extend to contract-based claims arising from disputes with vendors or customers involving contractual relationships.

It’s important to note that H.B. 473 does not establish a minimum cybersecurity standard that businesses must achieve. Instead, it encourages businesses to adopt and maintain cybersecurity programs in substantial compliance with industry-recognized frameworks without imposing liability on those that do not.  The frameworks recognized by H.B. 473 include the following:

  • The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity
  • NIST Special Publication 800-171
  • NIST Special Publication 800-53 and 800-53A
  • The Federal Risk and Authorization Management Program (FedRAMP) security assessment framework
  • The Center for Internet Security (CIS) Critical Security Controls
  • The International Organization for Standardization/International Electrotechnical Commission 27000-series (ISO/IEC 27000) family of standards

Additionally, H.B. 473 also considers cybersecurity programs substantially aligned with federal requirements, including the following:

  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) security requirements in 45 CFR part 160 and part 164, subparts A and C
  • The Health Information Technology for Economic and Clinical Health (HITECH) Act requirements in 45 CFR parts 160 and 164
  • The Gramm-Leach-Bliley Act
  • The Federal Information Security Modernization Act of 2014

Notably, H.B. 473 takes a flexible approach to cybersecurity: in deciding whether a program is substantially aligned with a recognized standard, it weighs business-specific factors that shape the necessary scale and scope of that program. These factors include the size, complexity, and nature of the business and its activities, the sensitivity of the personal information it holds, the availability and cost of security improvement tools, and the resources available for cybersecurity efforts.

What Does This Mean for Companies in Florida?

While H.B. 473 is not yet law, it signifies a positive step forward in recognizing and rewarding businesses that proactively adopt and maintain robust cybersecurity programs. As we move into the future, companies of all types and sizes, across various industries in Florida, should take the opportunity to assess the confidential, proprietary, personal, or otherwise sensitive information they hold. It is crucial to review and evaluate the effectiveness of your privacy and security measures. This evaluation should encompass the organization’s overall culture concerning privacy and security, ensuring that both the leadership and employees are adequately focused on these critical issues.

Furthermore, businesses should conduct thorough risk assessments to identify vulnerabilities and areas at risk, implement additional security measures to mitigate these risks, review and enhance existing policies and procedures, establish a tested incident response plan, and update employee training to address the latest cyber threats. This proactive approach to cybersecurity aligns with the objectives of H.B. 473 and can help businesses in Florida stay ahead in safeguarding their data and operations. If you have any questions about H.B. 473 or data privacy and cybersecurity matters generally, please contact Alexis Buese or Eric Setterlund.


Ransomware attacks that shut business down to zero and data breaches that disclose the personal information of customers, vendors and employees justifiably strike fear in the hearts of executives everywhere. Organizations can suffer the reputational and financial consequences of these events for years to come. Due diligence in the current regulatory environment requires a plan for prevention and incident response.

But while ransomware and data breaches grab the headlines, business email compromise is overall the most prevalent and costly form of cybercrime. That’s because business email compromise is occurring every minute of every day. It’s a cybercriminal’s low-hanging fruit.

Even the most sophisticated among us have been fooled by cybercriminals’ ever-more-savvy social engineering. Fraudsters can pose as a business partner more credibly than ever, through use of deceptively similar email addresses, alteration of the company’s real email chains, and alteration of familiar business forms. They learn the context of the financial transaction at issue in advance so they can cloak the crime in familiarity and take advantage of our reliance on email to get things done quickly. Millions in company funds have been unwittingly wired to fraudsters’ bank accounts, with discovery of the fraud occurring too late for clawback.

An Ounce of Prevention Is Worth a Pound of Cure

Combatting losses from business email compromise is straightforward. Institute an internal procedure for verification of authenticity prior to making payments, and regularly train your employees on social engineering techniques.

Many insurance policies covering social engineering losses require proof of such internal procedures and training as conditions of coverage. The limits available may also be insufficient to cover the entire loss. If sufficient coverage is unavailable, liability for diverted payments is typically apportioned to the party who was in the best position to avoid the loss.

Payment verification procedures and employee training – along with basic cybersecurity measures such as two-factor authentication for log-ons and social engineering insurance – go a long way toward protecting the company’s bottom line from fraudsters and consequential harm to business relationships.


The Florida Telephone Solicitation Act (FTSA), effective July 1, 2021, has undergone significant amendments as of May 25, 2023, reshaping the legal landscape for businesses in Florida. Initially, the FTSA created a private right of action for unwanted calls and texts, leading to over 500 complaints within a year. To clarify the FTSA’s ambiguities, Florida legislators introduced new bills, resulting in Gov. Ron DeSantis signing HB 761 into law, modifying the FTSA to bring more clarity for businesses contacting consumers via calls and texts. One crucial aspect of the amendment is its applicability to cases without granted class certification as of the amendment’s effective date. This change aimed to address the surge in “gotcha” litigation. Despite arguments from the plaintiffs’ bar challenging the amendment’s constitutionality, two recent court decisions have upheld its validity. This blog post will discuss the implications that these decisions may have on the future landscape of the FTSA in Florida.

The FTSA

Effective July 1, 2021, the FTSA created a private right of action for consumers who receive unwanted calls and text messages. The FTSA applies to any business sending texts or calls into Florida, even if it is not organized under Florida law and has no physical presence in Florida. The FTSA removed many of the protections that businesses rely upon in defending claims under the Telephone Consumer Protection Act (TCPA). The FTSA prohibits the use of certain automated dialers to call (or text) consumers without their consent and enables consumers to recover $500 per call. Those damages are trebled for willful violations, resulting in a maximum potential liability of $1,500 per call.

The FTSA triggered a host of lawsuits and caused numerous challenges due to its ambiguity. The FTSA was thus amended in 2023.

The Amendment

The definition of an “auto-dialer” was substantially narrowed. The original FTSA language described an “automated system” as a tool for either “selection or dialing” of phone numbers. The updated definition shifts to “selection and dialing,” tightening the criteria for what constitutes an “auto-dialer.” As amended, a violation of the FTSA would only occur where the automated system is used to both select and dial telephone numbers. This clarifies that calling technology must meet a two-part test to qualify as an automated system.

The FTSA originally prohibited “telephonic sales calls” if they involved the use of an automated system for the selection or dialing of phone numbers. This created ambiguity as to whether the prohibition applied to calls made pursuant to a nonwritten request to be called, such as inbound calls from a consumer. The amendment clarifies that the prohibition applies to certain “unsolicited” telephonic sales calls. Unsolicited calls, among other things, are calls made other than in response to an express request of the person called or to a person with whom the telephone solicitor has a prior or existing business relationship.

Additionally, the amendments introduce a 15-day opt-out period for text message communications. Before initiating legal action over unsolicited texts, consumers must respond with a “STOP” message. The sender then has 15 days to cease sending texts, except for a confirmation of the opt-out. Legal action is permissible only if the sender fails to comply after this period. This provision significantly diminishes the legal exposure for marketers sending text messages in Florida, underscoring the importance of diligently recording and respecting opt-out requests.

Significantly, under Section 2, the amended FTSA applies “to any suit filed on or after the effective date of this act and to any putative class action not certified on or before the effective date of this act.” The effective date of the amended FTSA is May 25, 2023.

Recent Decisions Upholding the FTSA Amendment

In Holton v. eXp Realty, LLC, CASE NO. 8:23-cv-734-SDM-AEP (M.D. Fla. Dec. 28, 2023), the plaintiff, on behalf of himself and putative class members, sued eXp Realty, LLC, and alleged that eXp’s text messages violated the FTSA. eXp argued that because Holton never alleged replying “STOP” and because Holton failed to certify his class action on or before May 25, 2023, the amended FTSA barred both Holton’s individual claim and his class action. The plaintiff responded that “retroactively” applying the amended FTSA unconstitutionally infringed his and each class member’s vested rights. The defendant countered that the plaintiff enjoys no vested right to represent a class.

The court reasoned that “the amended FTSA’s application to a class is wholly prospective and the amended FTSA applies only to a class certified after May 25, 2023.” Because the plaintiff’s class remains uncertified and he fails to allege that each member of his proposed class replied “STOP” to an unsolicited message, the amended FTSA bars the plaintiff’s class action. The court further noted that “Holton possesses no vested and inviolable right to represent a class.” And, similarly, “the proposed class members hold no vested and inviolable right, free from lawfully imposed requirements, to coalesce and litigate as a class.” The court thus remanded to state court as the Class Action Fairness Act (CAFA) no longer supported subject matter jurisdiction.

In a different case recently heard in state court, Leigue v. Everglades College, Inc. (Case No. 2022-008872-CA-01), the court also faced a legal challenge against the amended FTSA. The contention in that case was that the amendment unconstitutionally overstepped by improperly regulating procedural law. The court ultimately determined it was precluded from considering constitutional challenges when the defendant failed to promptly serve the attorney general with notice of the constitutionality challenge. Although the court declined to rule, it did take time to point out that it “agrees with Defendant that even if Section 768.734 contains some procedural aspects, Florida courts have consistently upheld the constitutionality of statutes containing both substantive and procedural provisions.”

Conclusion

Businesses currently entangled in class action lawsuits under the FTSA should take full advantage of the recent FTSA amendment. These legal shifts offer valuable tools for navigating the complexities of such litigation. Additionally, it is crucial for businesses engaged in consumer texting to diligently maintain records of opt-outs. This practice is essential not only for compliance but also as a strategic measure to mitigate the risk of future class action exposure under the FTSA. As the legal landscape continues to evolve, proactive and informed management of these issues will be key for businesses operating in this space.


On December 13, 2023, the Federal Communications Commission (FCC) ushered in a new era by enacting transformative rules, marked by a 4-1 vote, aimed at addressing what it viewed as the lead generation loophole. The FCC’s Second Report and Order, released on November 22, 2023, was poised to signify a monumental shift in lead generation practices, mandating prior express written consent for calls or texts specifically on behalf of one seller at a time. Despite vociferous opposition from small business and industry groups, the FCC adopted the Report and Order. With six months to become compliant, this blog post delves into an analysis of the implications of these new rules on lead generation practices, offering insights into the components of the adopted Report and Order, legal implications, and concluding with recommendations for businesses navigating this evolving regulatory landscape.

Key Components

Lead generation has long been the secret sauce for connecting with potential customers. Lead generation on comparison shopping websites involves users sharing preferences and contact details, which are then converted into leads. These leads are subsequently relayed to relevant businesses, enabling them to engage with potential customers. The overarching aim is to nurture these leads through effective follow-up, providing additional information, and ultimately converting interested users into customers, a process applicable to various industries and lead generation platforms.

However, enter the FCC’s new rules, and the landscape undergoes a seismic transformation. On December 13, 2023, the FCC voted 4-1 to enact the Proposed Rules, limiting consent to one-to-one, allowing the blocking of “red flagged” robotexting numbers, codifying do-not-call rules for texting, and promoting an opt-in approach for delivering email-to-text messages. These changes are set to take effect six months after enactment.

Once the new rules take effect, businesses will be required to secure a consumer’s prior express written consent, but here’s the twist – exclusively for calls and texts initiated through an automatic telephone dialing system (ATDS), prerecorded message, or artificial voice, and limited to “a single seller at a time.” This isn’t just a rule; it’s a game-changing move that reshapes how consumers provide consent in a world brimming with lead generation and comparison-shopping websites. Obtaining consent individually for each seller involved in lead generation can be administratively complex and inefficient. It requires a separate process for each seller, potentially leading to a cumbersome experience for both businesses and consumers.

Report and Order Insights

The recently embraced FCC Report and Order redefines the landscape for marketing calls and texts. Here’s a detailed exploration of the pivotal legal aspects:

First, the FCC orchestrated a paradigm shift, requiring businesses to secure a consumer’s prior express written consent for a single seller at a time. This marks a departure from the past, emphasizing the need for distinct consents even in a digital marketplace teeming with multiple sellers.

While lead generators enjoy some flexibility, constraints accompany the privilege. The expectation is that consumers can consent to multiple sellers on a single page, but the FCC demands a direct, explicit mechanism, sidelining the efficacy of mere hyperlinks.

Transparency takes center stage as the FCC underscores the necessity for clear and conspicuous disclosures. Sellers must now possess concrete evidence of consent, moving away from reliance on lead generators for proof.

For the first time, the FCC asserts that calls and texts to DNC Registry numbers necessitate prior express invitation or permission, substantiated by a signed, written agreement.

Terminating providers now shoulder the responsibility of blocking all texts from specified numbers upon FCC notification. The “block-upon-notice” requirement reshapes provider responsibilities, elevating vigilance to a new level.

Finally, while not mandatory, the FCC nudges businesses towards adopting email-to-text as an opt-in service. The prospect of a potential rulemaking looms on the horizon, hinting at a transformative shift in email-to-text compliance.

Practical Steps Forward

Considering these regulatory changes, it is crucial for businesses to proactively reassess their lead generation practices and vendor relationships, particularly under the guidance of experienced legal counsel, such as Bradley. The granted six-month implementation period provides a window of opportunity for businesses to conduct thorough investigations and align with these new regulations. In anticipation of an expected wave of TCPA class action lawsuits, working closely with seasoned Bradley counsel will help businesses adopt a strategic and compliant approach to lead generation. This proactive stance ensures that businesses are well-prepared to navigate the dynamic and evolving regulatory framework.

If you have any questions about this transformative new FCC rule, please do not hesitate to reach out to Alexis Buese.


The Department of Health & Human Services (HHS) released a concept paper outlining its strategy for improving cybersecurity infrastructure within the healthcare sector. The paper calls for proposing healthcare-specific cybersecurity performance goals that will include both minimum foundational practices and advanced goals for cybersecurity performance. By centralizing these performance goals into the Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs), HHS hopes to provide clear directives for stakeholders. This paper comes on the heels of the White House’s March National Cybersecurity Strategy and HHS’s April 2023 Hospital Cyber Resiliency Landscape Analysis.

HHS initially intends to incentivize the adoption of these performance goals by working with Congress to increase funding, develop incentives, and increase enforcement authority to improve cybersecurity. Specifically, HHS has stated that it will take the following concurrent steps:

  1. Establish voluntary cybersecurity performance goals for the healthcare sector
  2. Provide resources to incentivize and implement these cybersecurity practices
  3. Implement an HHS-wide strategy to support greater enforcement and accountability
  4. Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity

Notably, HHS will also seek to incorporate the HPH CPGs into existing regulations and programs, including (1) by working with CMS to adopt new cybersecurity requirements for hospitals participating in Medicare and Medicaid; and (2) through proposed updates to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in Spring 2024. These revisions are notable in that HIPAA’s security standards have not been revised in over 18 years, and hospitals would be subject to compliance surveys from state health departments and The Joint Commission (TJC) pursuant to the Medicare Conditions of Participation for Hospitals.

Bradley will continue to monitor this development and provide updates as HHS moves forward with these implementation strategies.