Category Archives: COVID-19

Electronic Signatures in NJ, NY, PA & FL: What You Need To Know

The COVID-19 pandemic rocked businesses with its required social distancing protocols and work from home mandates. However, one silver lining to the unforeseen chaos generated by the pandemic is the benefit of being able to execute most documents from the safety of home. Laws and guidance have been in place for years addressing electronic signatures, but the prevalence of their usage during the pandemic has led many states to enact their own laws. The Uniform Electronic Transactions Act (UETA) provides guidelines that most states have adopted to determine the legality of electronic signatures in certain commercial and government transactions, and the Electronic Signatures in Global and National Commerce Act (ESIGN Act) established the legality of certain electronic contracts in interstate and global commerce. Below is a quick primer on the respective New Jersey, New York, Pennsylvania and Florida statutes surrounding electronic signatures, a tool that has become increasingly important over the past year.

New Jersey

New Jersey enacted an electronic signature statute largely mirroring the UETA. N.J.S.A. § 12A:12-1 et seq. New Jersey transactions are not subject to this law to the extent they are governed by laws concerning: (i) the creation and execution of wills, codicils or testamentary trusts; (ii) the UCC, with exceptions; (iii) adoption, divorce or other matters of family law; (iv) court orders or official court documents; (v) notices of the cancellation or termination of utility services; (vi) the default, acceleration, repossession, foreclosure or eviction, or (vii) the right to cure an individual’s primary residence.

New York

In stark contrast with the overwhelming majority of other states, New York has not adopted its own version of UETA. Rather, New York’s statute addressing the validity of electronic signatures is called the Electronic Signatures and Records Act (ESRA). N.Y. State Tech L § 301 (2014). ESRA does not apply to documents providing for the disposition of an individual’s person or property upon death (such as wills, trusts, orders not to resuscitate) with exceptions, negotiable instruments and other instruments wherein possession of the instrument is deemed to confer title, or any other document that the electronic facilitator has specifically excepted from ESRA’s regulations.

Pennsylvania

Pennsylvania was one of the first states in the country to adopt a modified version of the UETA in 1999, permitting electronic signatures in most circumstances.  Under Pennsylvania’s law, electronic signatures are permissible except for transactions invoking laws governing wills, codicils or testamentary trusts or the Pennsylvania Commercial Code, with exceptions.

Florida

Florida’s electronic signature statute was adopted in 2000.  Florida’s iteration of the law states that, unless otherwise provided by law, an electronic signature may be used to sign a writing and shall have the same force and effect as a written signature.  This statute prohibited virtual signatures for documents governed by laws concerning the execution of wills, codicils or testamentary trusts, the UCC (with exceptions), contracts governed by the Uniform Computer Information Transactions Act, and the rules of judicial procedure.  Interestingly, as of January 1, 2020, Florida’s Electronic Wills Act went into effect, which permits, as the name indicates, wills to be signed and notarized virtually.  By enacting this law, Florida is on the cutting edge of this area of law, being only one of a few states to loosen the traditional requirement that wills be signed in person.

Before you virtually sign any document, make sure you are in compliance with your state’s electronic signature rules.  If you or your business need legal advice, please consider contacting corporate attorney Kelly Barry, or any member of Flaster Greenberg’s Business & Corporate Department.

Senate Passes $1.9 Trillion COVID-19 Relief Bill: What You Need To Know

The Senate passed President Biden’s $1.9 trillion COVID-19 relief package late Friday night.  While the bill must go back to the House of Representatives for reconciliation with the bill they passed in late February, it is a major step forward in getting financial relief to those in need.

Here’s what you need to know about the COVID-19 Relief Bill:

  • It extended the $300 weekly unemployment benefit through September 6th, thereby avoiding the deadline of mid-March for that benefit established by the December 2020 stimulus bill.
  • It promises $1,400 in stimulus money to a narrower selection of individuals than had been eligible for prior stimulus checks.  Individuals who earn more than $80,000 and married couples earning more than $160,000 combined are excluded. 
  • The $15 minimum wage provision that was a highlight of the House bill did not make it into the Senate’s version.
  • It allows an individual’s first $10,200 earned through unemployment to avoid taxation.  This applies to those who made less than $150,000 in adjusted gross income in 2020.  If you earned more than $10,200 and have already filed your 2020 tax returns you may consider amending your return to reflect that information.  Talk to a tax professional to see if such an amendment would change your tax liability.

The Senate bill included many other provisions, including a change to the child tax credit, providing further relief to state and local governments, and funding for COVID-19 testing, vaccinations, and contact tracing.  We will have to wait for the reconciled bill to see if any of these provisions change, but it is notable that the bill was passed and is heading towards reconciliation. Stay tuned.

Questions? Let Kelly know.

Kelly Barry is a member of the firm’s Business and Corporate Department and Taxation Practice Group assisting clients in a wide range of corporate matters, including those involving transactional law, tax, and trusts and estates.  She can be reached at kelly.barry@flastergreenberg.com or 856.382.3305.

Cybersecurity & Data Privacy Litigation Trends – February 2021

Spotlight on Recent Decisions 2021

The Delaware Superior Court recently dismissed a healthcare data breach lawsuit against Brandywine Urology Consultants (“Brandywine”) because it ruled that the victims of the breach failed to provide evidence of injuries or losses caused by a 2020 security incident and, therefore, lacked standing to sue. The suit, Abernathy, et al. v. Brandywine Urology Consultants, P.A., C.A. No. N20C-05-057 MMJ CCLD, resulted from a ransomware attack that was discovered by Brandywine in January 2020, and which was reportedly live on the network for two days before it was detected and isolated by the IT team. Interestingly, during the attack, cyberthieves accessed and encrypted records that included patient names, addresses, Social Security numbers, medical file numbers, claim data, and other financial and personal data but at no time did the cyberthieves attempt to extract a ransom. According to the Delaware Superior Court’s January 21, 2021 Opinion, Brandywine notified all of its patients of the attack via breach notification letters. 

In May 2020, the breach victims filed suit against Brandywine, alleging negligence, invasion of privacy, breach of express contract, breach of implied contract, negligence per se, breach of fiduciary duty, noncompliance with the Delaware Computer Security Breach Act, and violation of the Delaware Consumer Fraud Act. The lawsuit sought mitigation expenses caused by the breach. In July 2020, Brandywine filed a motion to dismiss arguing that the plaintiffs lacked standing to sue—essentially that victims suffered no concrete, particularized, and actual or imminent injury-in-fact. In order to demonstrate “injury-in-fact,” the victims alleged imminent risk of future harm, a loss of privacy, anxiety, failure to receive the benefit of the bargain, a loss of value to the property in personally identifying information, and disruption in medical care.

In its January 21, 2021 Opinion, the Delaware Superior Court stated that in “data breach cases [in Delaware], [p]laintiffs must provide at least some plausible specific allegations of actual or likely misuse of data to satisfy the standing requirement and avoid dismissal under [Superior Court Civil] rule 12(b)(1).” The court also noted that Delaware courts have not yet addressed the question of whether the imminent risk of future harm from a data breach constitutes an injury-in-fact sufficient to confer standing. Brandywine argued that it did not. 

The court found that Brandywine’s breach notification specified that the breach was only a possible compromise of personal and financial information during the ransomware attack. It did not concede that it was a concrete and imminent threat. The court also determined that Brandywine appeared to act quickly in response to the breach and took the appropriate steps to investigate what had transpired. Ultimately, the court decided that Brandywine should not be punished for having notified individuals about a possible compromise of their data. In fact, the court expressed hesitancy about making any ruling that would chill efforts to notify patients or clients of security breaches out of an abundance of caution. The court stated that the mere fact that the attack occurred, without more, is insufficient to confer standing on plaintiffs. The court also found that mitigation costs, including credit monitoring and placing freezes and alerts with credit reporting agencies, do not create an injury sufficient to confer standing on plaintiffs who allege speculative harms resulting from a data breach. 

In a similar case in the Middle District of Pennsylvania, cited in the Delaware Superior Court’s Opinion, the court also found that “[p]laintiffs’ alleged harm—that they are now at an increased risk of identity theft—does not suffice to allege an imminent injury.”

Though the courts remain fragmented on the issue of standing in data breach cases, the Delaware Superior Court’s opinion lays the groundwork for what may become the norm: a heightened pleading requirement for Article III standing in such cases.  

Krishna A. Jani is a member of Flaster Greenberg’s Litigation Department focusing her practice on complex commercial litigation. She is also a member of the firm’s cybersecurity and data privacy law practice groups. She can be reached at 215.279.9907 or krishna.jani@flastergreenberg.com.

The Pandemic’s Impact on South Jersey’s Economy: An Insider’s View

Pandemic……and record DECLINE IN BANKRUPTCY filings. Yes, as the title of an article in the Wall Street Journal in January read about 2020: “Commercial Chapter 11 Filings Rose 29%, While Personal Bankruptcies Dived.” We debt relief/restructure practitioners have been following these numbers since the beginning of the Pandemic.

From the end of March 2020 on, many were expecting a flood, better yet a monsoon, of bankruptcy filings, but the flood never came. Instead, we have seen the lowest number of filings in 35 years! What is going on? Well, the short answer is that the stimulus packages worked at some level in keeping people employed and many businesses muddling along! Also, many posit that the closing of the courts, delays in foreclosures, almost automatic moratoria for mortgagors, abatements of rent and hold on evictions have slowed the process. So, what is in store for 2021? I tend to lean, with hope, that with the funds coming into the economy through additional PPP funds, extensions of unemployment, extra dollars for individuals and business, perhaps business will reopen, begin getting all those on unemployment back to work and truly bring everyone into the economy without businesses and individuals being compelled by their circumstances to file bankruptcy. Additionally, the federal government will need to do everything right to ensure that inflation does not “kick in.” However, I fear that we may now be seeing the beginning of what will eventually be a wave of bankruptcy filings, not necessarily a tidal wave, but a wave nonetheless. I can just tell you this anecdotally. As a bankruptcy trustee, I am assigned 45-50 cases approximately once a month to handle. Those numbers went way down during the last eight months. My January hearings were again up to those numbers with many articulating the COVID-19 pandemic as the cause. Earlier this month, the Atlantic City Press reported “the Atlantic City-Hammonton metro area, which basically encompasses all of Atlantic County, has been in the top three metro areas in the nation for unemployment rates and increases in unemployment during the pandemic. The other two topping that list were other big tourism and/or gaming sites: The greater Las Vegas area and Kahului-Wailuku-Lahaina in Hawaii.”

From a business perspective, we have been working very hard to make deals with landlords or for landlords and many other creditors that are either in trouble or causing trouble. However, some of those attempts are blowing up as certain industries are not even able to pay their bills at reduced amounts and creditors are unwilling to take further cuts as their obligations to their own creditors are just too great.

Stay tuned. I will be putting out a post once a month or perhaps more often, to keep you informed on current filings and the beginning of an uptick that we most certainly think will occur.

Questions? Let Doug know.

Douglas S. Stanger is a shareholder at Flaster Greenberg PC concentrating his practice in bankruptcy, corporate and real estate law. He has served on the United States Department of Justice Panel of Bankruptcy Trustees for 25 years and is an approved mediator for the Bankruptcy Court in the states of New Jersey, Pennsylvania and Delaware. Most recently, Doug was appointed by the U.S. Department of Justice as one of only ten subchapter V trustees in the State of New Jersey.

Potential Taxation Without Representation: The Implications of State Taxation on Teleworking

Beginning in March 2020, millions of Americans were forced to work from home as a result of the COVID-19 pandemic.  While the absence of a commute and the option of wearing sweatpants rather than slacks during meetings were initially welcome changes to the workday, it did not seem likely that we would still be “Zooming” to work from our kitchen tables in 2021. With the pandemic still surging, many Americans have not returned to the office and will have to reckon with possible tax implications stemming from their forced exile.  

Physically commuting from home in one state to work in another, such as from New Jersey to Philadelphia or New York City, is not new. Likewise, the tax implications for employees who commute are not surprising. Generally, the employee is taxed in both her home state (residence-based tax) and the state where she works through what is often referred to as a commuter tax (source-based tax), with the home state giving a credit or other accommodation to mitigate the duplicate tax cost.

Telecommuting, however, is not commuting. Employees who telecommute work from their home states. Thus, it would be reasonable for those employees to expect to only be taxed in their home state because they’re not physically crossing state lines, right? Not so fast! If Pennsylvania, New York or Delaware are involved, both employees and employers might find surprising tax results from telecommuting, even when they are simply complying with mandatory work-from-home orders. For employees of employers in these states, this means that, despite dutifully working from home across state lines in accordance with the law, they may still be subject to tax in a state they have not set foot in for nearly a year, as if they were physically commuting. In turn, this may create an unintended connection between the employer and the state where the employee lives, thereby subjecting the employer to taxation there. This conundrum also underscores the internecine struggle between the states over tax dollars derived from wages earned while telecommuting.

Employees: While most employees in the country are not currently impacted by this kind of law, a problem arises for employees of employers located in Pennsylvania, Delaware and New York because these states have enacted “convenience of the employer” rules. If an employee works remotely because her employer requires it, perhaps because that is where a customer is located, the employer’s state would not tax the employee on the income earned from that work. However, if the employee works outside of the employer’s state for any other reason, the employer’s state can tax that employee’s income regardless of where it was actually earned. The convenience of the employer rule in the current environment begs this question: is a mandatory work-from-home order a requirement or a convenience? This is a question that has yet to be answered. Some states, such as New Jersey, have offered credits for their residents who are adversely impacted by this rule for the length of the pandemic.

Employers: It is uncontested that states and municipalities can impose income taxes on businesses that have a physical location in the state or have employees who work in the state. These connections create tax nexus. The question that comes up when an employer has employees working from home in another state is whether telecommuting across state borders alone creates tax nexus to a state to which they were not otherwise connected. If nexus is created for the employer with the employee’s home state, the employer is subject to that state’s taxes. However, the universal nature of the COVID-19 pandemic has motivated some states to address this issue, at least in the short-term. New Jersey’s Division of Taxation has stated that nexus for corporate tax and sales and use tax purposes will not be imposed on out-of-state employers during the pandemic through telecommuting employees. Likewise, Pennsylvania’s Department of Revenue indicated it will not impose Corporate Net Income Tax nexus or Sales and Use Tax nexus on non-Pennsylvania businesses based solely on employees working from home in the state. The state of New York, on the other hand, has declined to issue guidance on this topic, meaning that non-New York employers of New York residents may find themselves unexpectedly exposed to New York State (and potentially City) tax.

WHAT’S COMING:

States without the convenience of the employer rule might become envious as out-of-state employees continue working from home even after the conclusion of the pandemic and the tax dollars associated with their wages remain home with them. Perhaps a harbinger of things to come, one state, Massachusetts, reacted to this tax conundrum created by the pandemic by enacting a temporary “convenience of the employer” policy. This new rule states that employees who work for Massachusetts-based employers and are working remotely outside the state because of a work-from-home order in a neighboring state are still required to pay income tax in Massachusetts. This arrangement is slated to remain in place until ninety days after the governor of Massachusetts ends the state of the emergency created by the pandemic.

Although this measure is temporary, Massachusetts has experienced backlash from other states and numerous tax organizations. In October 2020, New Hampshire petitioned the United States Supreme Court for relief, requesting that it strike down this law as an unconstitutional tax on its citizens who telecommute. The lawsuit also raises questions as to whether such convenience of the employer rules violate the Dormant Commerce Clause, which bars states from unduly burdening interstate commerce, even in the absence of federal legislation regulating the activity. This lawsuit has attracted a lot of attention in the tax community, with over a dozen amicus briefs filed in the matter, including those from Connecticut, Hawaii, Iowa, and New Jersey, as well as public policy groups such as the National Taxpayers Union, the Tax Foundation, the Cato Institute, and Americans for Tax Reform. The states joining New Hampshire did so because many of their citizens are directly impacted by “convenience of the employer” rules subjecting them to taxation in a state to which they have no physical connection and thereby draining tax revenue from the residence state. The Court has not determined whether it will hear the case, but the controversy is generating interest as other states might follow suit.

With many employees likely to continue teleworking even after COVID-19 vaccinations permit safe return to the office, it is critical to fully appreciate the impact these decisions may have on where tax is owed by telecommuters and their employers.  

Kelly Barry is a member of the firm’s Business and Corporate Department and Taxation Practice Group assisting clients in a wide range of corporate matters, including those involving transactional law, tax, and trusts and estates.  She can be reached at kelly.barry@flastergreenberg.com or 856.382.3305.

David S. Neufeld has practiced law for more than 35 years, advising individuals and businesses around the globe on sophisticated federal income and estate tax planning, state tax residency planning and audits, asset protection, and insurance and investment planning. In addition, he helps business clients engaged in both inbound and outbound transactions (most notably involving China and India) as well as the individual tax issues that arise from cross-border business transactions. He can be reached at david.neufeld@flastergreenberg.com or 856.382.2257.

How to Make Filing Your 2020 Returns Less Taxing

Unquestionably, 2020 was a year full of unforeseen challenges. As much as we may want to put last year completely behind us, we need to file our 2020 tax returns before completely letting go. Although we speak about the challenges and frustrations of the past twelve months broadly, a few specific events will present unusual tax considerations for some Americans.

Taxation of Unemployment Compensation Income

More than 25 million Americans became unemployed during the pandemic and relied on unemployment benefits. Unemployment benefits are includable in gross income and, therefore, are subject to tax. This may come as a surprise, especially to the thousands of Americans who applied for unemployment benefits for the first time this year. Withholding tax from one’s unemployment income is voluntary through the completion of a form referred to as a W-4V and submission to the agency paying the benefits. If their withholding amount is too low to cover their tax liability or if they did not authorize withholding, taxpayers can make quarterly estimated tax payments. Given the economic instability and uncertainty we are experiencing, many taxpayers relying on unemployment benefits are unlikely to have the financial wherewithal to withhold any portion of that income. Even worse, they may have no means available to pay the tax when due. If they were unaware of the tax impact when receiving unemployment benefits, they should be prepared for the unexpected tax now.

Home Offices

On the flip side of the employment coin, another tax quirk created by the COVID-19 pandemic comes in the form of working from home. Many taxpayers spent time working from home last year (and some of us still are!). Had this pandemic occurred before the 2017 enactment of the Tax Cuts and Jobs Act (“TCJA”), millions of Americans would be eligible for a deduction for expenses incurred creating and operating a home office. However, the TCJA limited deductions for home office expenses to those who are self-employed and whose home office areas are a “room or separately identifiable space” used “regularly and exclusively” for work. Thus, those of us who have properly designated home offices as a result of the pandemic that might otherwise qualify, but receive W-2s as employees, are ineligible for such deductions.

CARES Act

Similarly, many Americans received government aid in the form of stimulus checks through the CARES Act. These payments are tax-free and are not required to be included in gross income on one’s federal tax return. Rather, they are treated as advances of 2020 tax credits and must be reflected that way on our 2020 tax returns. Some tax professionals anticipate many taxpayers will have discarded or misplaced documentation related to those distributions, which, in turn, increases the likelihood that returns will be inaccurate, which may delay refunds. Additionally, some tax professionals have recommended that the IRS set up an online portal for taxpayers to look up the exact amounts they received in government aid under the CARES Act to ensure their 1040s are accurate, but no such portal has been created as of the writing of this post. Thus, it is important for taxpayers to locate and organize their documentation relating to any stimulus check payments.

PPP Income

On top of these challenges presented to individuals filing their 2021 tax returns, some businesses face the uncertainty of whether business expenses paid for with loans received from the Paycheck Protection Program (PPP) will be wholly or partially deductible on their 2020 returns. Under the PPP, certain small businesses whose operations were directly impacted by the COVID-19 pandemic were able to secure loans to fund specified expenses, including eligible payroll costs, business mortgage interest payments, rent and utilities during a period of 8 or 24 weeks after disbursement. Borrowers may apply for forgiveness of these loans within 10 months of their issuance, to the extent they are used for these purposes in the year the expenses are incurred. It was unclear under the original CARES Act whether the expenses paid with the forgiven loan proceeds would be deductible. In December 2020, Congress passed the Consolidated Appropriations Act, which finally clarified that business expenses paid with forgiven PPP loans are, in fact, tax deductible. This act supersedes prior guidance from the IRS, issued as recently as November 2020. While this came as a welcome holiday gift to many, there may be S corporation shareholders and partners in partnerships with a lump of coal thrown in; the benefit may be somewhat less timely than anticipated given the quirks of pass-through entity taxation, effectively deferring the tax benefit another year.


Carefulness has always been key when completing a tax return, but even more so when filing returns for tax year 2020. Any taxpayer who received a stimulus check should start looking for that piece of paper now — tax time will be here before you know it! As the COVID-19 pandemic persists while we await widespread distribution of the vaccine, the IRS has emphasized the need for taxpayers to complete their tax returns from the safety of home, and provides a number of services to assist taxpayers in doing so.  If you encounter any legal issues regarding your taxes, Flaster Greenberg can help; give us a call.

For more information on any of the information contained in this post, contact Kelly Barry or any member of Flaster Greenberg’s Taxation Practice Group.

Kelly Barry is a member of the firm’s Business and Corporate Department and Taxation Practice Group assisting clients in a wide range of corporate matters, including those involving transactional law, tax, and trusts and estates.  She can be reached at kelly.barry@flastergreenberg.com or 856.382.3305.

Cybersecurity & Data Privacy Updates, Part II

From California to New York, data privacy laws and enforcement actions are ramping up. Check out some highlights below.

1. New York State Department of Financial Services launched its first enforcement action in July 2020.

As U.S. companies focus on CCPA enforcement, they should not ignore other state laws and accompanying regulations. The New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies (“DFS’s Cybersecurity Regulation”) first took effect on March 1, 2017.

Recently, cybercriminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data.  In an effort to combat such exploitation, this regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a vigorous way. Senior management are encouraged to take this issue seriously. They must ensure that someone is responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.

On July 22, 2020, the New York Department of Financial Services announced cybersecurity charges against First American Title Insurance Company for exposing millions of documents with consumers’ nonpublic personal information over the course of several years, including bank account numbers, mortgage and tax records, Social Security Numbers, wire transaction receipts, and drivers’ license images.

This marks the first cybersecurity enforcement action filed by the Department. The hearing will take place at the office of the New York State Department of Financial Services beginning on October 26, 2020.

2. What is The California Privacy Rights Act of 2020—“CCPA 2.0?”

If you’re thinking, “Wait! Didn’t the California Consumer Privacy Act (“CCPA”) just go into effect?” You’re right. The CCPA took effect on January 1 of this year, and enforcement actions began on July 1. Already, a privacy advocacy group, Californians for Consumer Privacy, collected 900,000 signatures to place the California Privacy Rights Act (“CPRA”) on the November 2020 ballot. According to several news sources, current polling suggests that the bill will pass.

The CPRA seeks to, among other things, establish the California Privacy Protection Agency (“CPPA”), a new privacy enforcement authority, similar to the Data Protection Authority put in place in the European Union by the General Data Protection Regulation (“GDPR”). This Agency will be empowered to fine transgressors, hold hearings about privacy violations, and clarify privacy guidelines.

In addition, the law would establish a new category of sensitive personal information, including Social Security numbers, precise geolocation data, biometric or health information, and more. It would also give consumers greater power to restrict the use of such data. The law would also add email addresses and passwords to the list of items covered by the “negligent data breach” section to help curb identity theft.

3. The Connecticut Insurance Data Security Law goes into effect on October 1, 2020.

The Act establishes standards applicable to licensees of the Connecticut Insurance Department for data security, the investigation of a cybersecurity event, and notification to the Department of such event. In preparation for this law to take effect, Connecticut’s Insurance Department issued a Bulletin on July 20, 2020 to all licensees of the Department.

Licensed insurance companies, and any other companies otherwise authorized to operate pursuant to the insurance laws of Connecticut, should be aware of and follow the guidelines laid out in the Bulletin.

The attorneys at Flaster Greenberg are following developments related to the COVID-19 Pandemic and formed a response team to work with businesses to keep them up-to-date on developments that impact their business. If you have any questions on the information contained in this blog post, please feel free to reach out to Donna Urban, Krishna Jani, or any member of Flaster Greenberg’s Telecommunications or Privacy & Data Security Groups.

COVID-19 RESOURCE PAGE

To serve as a central repository of information and contributions from Flaster Greenberg attorneys on legal developments during the COVID-19 crisis, we have launched a COVID-19 Resource page on our website. Feel free to check back frequently for Flaster Greenberg’s ongoing analyses of important legal updates that may affect you or your business.

Cybersecurity & Data Privacy Updates

There is a lot going on in the world right now—and the world of data privacy is no exception.

Here is a snapshot of what’s on our radar:

1. Senators Jeff Merkley and Bernie Sanders introduced the National Biometric Information Privacy Act of 2020 on Tuesday, August 4, 2020.

This legislation would, among other things, prohibit private companies from collecting biometric data—including eye scans, voiceprints, faceprints, and fingerprints—without consumers’ and employees’ consent, or profiting from this data. This introduction comes amid growing concerns over the prevalence of biometric data collection among private companies, including the use of facial recognition technology.

This legislation limits the ability of companies to collect, buy, sell, lease, trade, or retain individuals’ biometric information without specific written consent, and requires private companies to disclose to any inquiring individual the information the company has collected about that individual. Importantly, this bill would allow individuals and State Attorneys General to bring lawsuits against companies that fail to comply.

2. Several United States Senators have urged Congress to include the privacy protections contained in the Public Health Emergency Privacy Act in any new stimulus package.

On July 28, 2020, several U.S. senators drafted a letter addressed to Senate leaders urging them to include the privacy protections contained in the Public Health Emergency Privacy Act in any forthcoming stimulus package.

The senators emphasized the need for commonsense privacy protections for COVID data because “public trust in COVID screening tools will be essential to ensuring meaningful participation in such efforts.” Research shows that many Americans are hesitant to adopt COVID screening and tracing apps due to privacy concerns; therefore, the lack of health privacy protections could significantly undermine efforts to contain this virus and safely reopen—“particularly with many screening tools requiring a critical mass in order to provide meaningful benefits.”

As the drafters point out, “health data is among the most sensitive data imaginable and even before this health emergency, there has been increasing bipartisan concern with gaps in our nation’s privacy laws.” The drafters believe these common-sense protections are critical in quelling the spread of COVID-19 while at the same time protecting sensitive health and geolocation information.

We will continue to track this legislation and provide updates as they become available.

3. Schrems II invalidated the EU-US Privacy Shield.

On July 16, 2020, the Court of Justice of the European Union issued a decision in Data Protection Commission v. Facebook Ireland, Schrems. The decision, known as Schrems II, invalidated the European Commission’s adequacy decision for the European Union-United States (EU-US) Privacy Shield framework, which is critical for more than 5,000 United States based companies that conduct trans-Atlantic trade in compliance with EU data protection rules.

The Court found the European Commission’s adequacy determination for the Privacy Shield invalid for two primary reasons: (i) the US surveillance programs, which the Commission addressed in its previously issued Privacy Shield decision, are not limited to what is strictly necessary and proportional as required by EU law; and (ii) with regard to US surveillance, EU data subjects lack actionable judicial redress and, therefore, do not have a right to an effective remedy in the US, as required by the EU Charter.

The Schrems II decision requires both data importers and data exporters to be reasonably certain that they can comply with their obligations in the Standard Contractual Clauses. Where they cannot comply, importers and exporters should likely stop transferring data, forcing some companies into data localization. Schrems II addresses a long-running series of issues regarding the appropriate role of surveillance in our society and its inevitable clash with privacy.

This decision also influences data flows across nations. Some data privacy professionals believe that we are moving away from global data flows and moving towards more fragmented data flows. This shift could have a particularly significant impact on e-commerce. For more, see the Court of Justice of the European Union’s Press Release on this decision.

More Tips On Protecting Your Virtual Meetings to Avoid a Cybersecurity Breach: An Update

At this point, many of us are well into our fourth or fifth week of quarantine due to the outbreak of COVID-19. Even for those of us who are fortunate enough to be able to work remotely from our homes, this comes with certain challenges, including potential security issues with virtual conferencing. In our first installment about virtual meetings, and their unintended vulnerabilities, we provided some guidance on how you and your staff might implement certain strategies to keep your virtual conferences as safe as possible from hackers and trolls. In this new installment, we will provide further guidance on staying safe amidst emerging privacy and security concerns associated with virtual meeting platforms.

Zoom Announces Updates to its Data Privacy and Security Measures

On April 1, 2020, the Chief Operating Officer of Zoom, Eric Yuan, announced certain changes that Zoom is making to enhance its virtual meeting spaces. On April 14th, the Chief Product Officer of Zoom, Oded Gal, provided clarification on those enhancements to those of us who are using Zoom during quarantine.

  • Have a plan and be prepared for interference in your virtual meetings. Zoom has encouraged its users to have a plan in place for their virtual meetings and to be prepared should any unwanted interference arise. This includes ensuring that the application has been updated to include the latest security features, co-hosting meetings whenever possible, and utilizing preexisting and new security tools built into the application. To check for updates to the app, click on the main menu, then click on “Check for Updates,” and then “Begin Upgrade” if any new updates are available. We recommend doing this every week or so to ensure that you and your staff are up to speed on all available cybersecurity protections.
  • Co-host and record your virtual meetings whenever possible. A meeting creator can choose to co-host a meeting while creating the meeting invitation or in the actual Zoom meeting itself. A co-host can monitor the virtual waiting room or assist with any disruptions. Furthermore, record your Zoom meetings whenever possible because recording meetings creates a forensic trail of the meetings, as well as any bad actors that interfere with them, as soon as the meetings begin. The more data that virtual meeting platforms are able to collect about bad actors, the better able they are to stop the threat of further disruption.
  • Zoom has increased access to its security features. Zoom has made its pre-existing security features easier to find. A “Security” button has been added to the bottom banner of virtual meetings and is now easily accessible to meeting hosts. By clicking on this new security feature, meeting hosts are able to enable a waiting room or lock the meeting. Moreover, a meeting host can also remove a participant from a virtual meeting. Once that participant has been removed, he or she cannot reenter the meeting, even if using a different username. This is because as a part of Zoom’s new security rollouts, Zoom has started to collect IP addresses, among other data, to be able to better respond to security threats. While removing a participant from a meeting will only remove the participant from that particular meeting, you have other tools available to permanently block that user.

For example, right now Zoom recommends recording your meetings whenever practicable to ensure a forensic trail is created, as stated above. In addition, Zoom recommends taking a screenshot whenever a bad actor enters your virtual meeting. Then, you can report this intruder on Zoom’s website. And starting this coming weekend, Zoom will be releasing a new security feature built into the app, which will allow users to send a report to Zoom right from the security button should any unwanted interference arise.

Other Noteworthy Developments

Zoom announced that as of April 1, 2020, it would freeze all future product development except for data privacy and security updates for the following 90 days. Moreover, beginning April 18, 2020, every paid Zoom customer will be able to customize which data center regions their account can use for its real-time meeting traffic. By default, however, there will be no connection to any data centers in China beginning April 18, 2020 for all users. Additionally, users with an “.edu” registered email address are automatically given the highest level of security in their meetings, and this will continue. Zoom has begun to address user demands for a “kid-friendly” interface, but it has not yet launched any such interface.

Other virtual meeting platforms, such as GoToMeeting, have also enacted enhanced security protections in their respective applications. For example, GoToMeeting gathers cyber threat intelligence through partnerships, including external intelligence communities and personal and professional sharing groups, and through its own internal research, in order to collect Indicators of Compromise (IoC) data. IoC data can include forensic data such as IP addresses, domains, and hashes, which GoToMeeting pulls into its threat intelligence platform to reduce the risk of cyber threats.

Still though, platforms like Zoom and GoToMeeting urge users to utilize additional security measures as outlined in our previous blog post, and above, to provide the greatest level of privacy and data security for your virtual meetings.

Updates on Regulatory Guidance

On April 8th, Senator Edward Markey, whose priorities include telecommunications, technology, and privacy policy, urged the Federal Trade Commission (FTC) to publish industry cybersecurity guidelines “for companies that provide online conferencing services, as well as best practices for users that will help protect online safety and privacy during this pandemic and beyond.”

In Senator Markey’s letter, he urges that the guidance cover, at a minimum, the following topics:

  • Implementing secure authentication and other safeguards against unauthorized access;
  • Enacting limits on data collection and recording;
  • Employing encryption and other security protocols for securing data; and
  • Providing clear and conspicuous privacy policies for users.

Senator Markey also requests that the FTC develop best practices for online conferencing users, so that they can make informed, safe decisions when choosing and using these platforms. He requests that these best practices cover at least the following topics:

  • Identifying and preventing cyber threats such as phishing and malware;
  • Sharing links to online meetings without compromising security;
  • Restricting access to meetings via software settings; and
  • Recognizing that different versions of a company’s service may provide varying levels of privacy protection.

To date, the FTC has not published new guidelines.

Remember to have a plan and be prepared. Stay safe, everyone!

If you have any questions, please feel free to reach out to Donna Urban, Krishna Jani, or any member of Flaster Greenberg’s Telecommunications or Privacy & Data Security Groups.

Donna T. Urban is a member of Flaster Greenberg’s Commercial Litigation and Environmental Law Departments concentrating her practice in telecommunications law, environmental regulation and litigation, and privacy and data security. She is a seasoned litigator, and for more than 20 years has successfully represented business clients in contract disputes, regulatory matters, and complex negotiations. She can be reached at donna.urban@flastergreenberg.com or 856.661.2285.

Krishna A. Jani is a member of Flaster Greenberg’s Litigation Department focusing her practice on complex commercial litigation. She is also a member of the firm’s cybersecurity and data privacy law practice groups. She can be reached at 215.279.9907 or krishna.jani@flastergreenberg.com.

Tips On Protecting Your Virtual Meetings To Avoid A Cyber Security Breach

Virtual Meetings, and their Unintended Vulnerabilities

Advanced technology and the availability of online video and teleconferencing software have certainly helped ease the transition to working remotely for many businesses, schools, health care providers, and even the Courts. However, these virtual meeting platforms, while increasingly popular and essential, especially during the COVID-19 pandemic, are not always completely secure.

Over the past few days, you may have seen the term “Zoom-Bombing” circulating around the news. This term refers to nefarious actors, or trolls, on the web hijacking Zoom and other virtual meetings to display a variety of disruptive, and often disturbing, behavior. This computer hacking creates serious privacy concerns as it exposes confidential and sensitive material, such as medical information, financial data, trade secrets, and other proprietary information, to these intruders and other third parties.

Protect Your Meetings from Uninvited Guests

We suggest taking the following steps to help keep your virtual meetings closed to intruders:

  • Create a random or randomly-generated meeting number for each meeting. Zoom, and other virtual meeting platforms such as GoToMeeting or Skype for Business, allow for a standing meeting number but reports have indicated that such standing meeting numbers are being sold on the dark web. In at least one instance, stolen account information such as email addresses, passwords, meeting identifications, type of account, host keys, and names were actively being sold or posted to the dark web. In other instances, sensitive information from virtual meetings was discoverable through a search engine on the open web. Even a United States healthcare provider, seven educational institutions, and one small business were targeted in such virtual meeting cyberattacks.
  • Ensure that each meeting is password-protected. For example, Zoom can automatically create a password, and does so with each new meeting. Alternatively, the meeting creator can assign a password when creating the invitation. The password will then be included in the meeting invitation that is sent out to the attendees.
  • Lock virtual meetings once they’re in session. Some virtual platforms allow for meeting creators to lock their meetings once they’re in session. To prevent unexpected attendees from joining a current session, lock your meeting or enable a virtual waiting room. You’ll be notified when an attendee attempts to join and can easily connect all waiting attendees to the meeting by unlocking.

These precautions should help keep your virtual meetings free from any unwanted “Zoom-Bombers.”

Further Guidance

To further address these emerging privacy concerns, on April 8th, Senator Edward Markey, whose priorities include telecommunications, technology, and privacy policy, urged the Federal Trade Commission to publish industry cybersecurity guidelines for online conference providers for protecting consumers’ privacy.
