<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Articles and Presentations Archives - CWM Law</title>
	<atom:link href="https://www.cwm-law.com/news/articles-and-presentations/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.cwm-law.com/news/articles-and-presentations/</link>
	<description>Crenshaw, Ware &#38; Martin PLC</description>
	<lastBuildDate>Tue, 23 Apr 2024 14:00:31 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://www.cwm-law.com/wp-content/uploads/2016/01/cropped-FAV11-32x32.png</url>
	<title>Articles and Presentations Archives - CWM Law</title>
	<link>https://www.cwm-law.com/news/articles-and-presentations/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Virginia Changes The Game On NIL</title>
		<link>https://www.cwm-law.com/news/virginia-changes-the-game-on-nil/</link>
		
		<dc:creator><![CDATA[Armond Joyner]]></dc:creator>
		<pubDate>Tue, 23 Apr 2024 13:57:53 +0000</pubDate>
				<category><![CDATA[Articles and Presentations]]></category>
		<category><![CDATA[News]]></category>
		<guid isPermaLink="false">https://www.cwm-law.com/?p=8418</guid>

					<description><![CDATA[<p>Virginia businesses’ non-compliance with the Fair Labor Standards Act or Virginia law wage protections can lead to substantial liability.  Moreover, misclassifying workers as independent contractors when they should properly be classified as employees can lead to equally grave consequences.  A recent local settlement highlights the risk to businesses.</p>
<p>The post <a href="https://www.cwm-law.com/news/virginia-changes-the-game-on-nil/">Virginia Changes The Game On NIL</a> appeared first on <a href="https://www.cwm-law.com">CWM Law</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p><strong>TRANSACTIONS FOR STUDENT-ATHLETES</strong></p>



<p>On April 18, 2024, Virginia governor Youngkin signed into law a statute governing Name Image and Likeness (NIL) payments to student-athletes, the first of its kind in the U.S.&nbsp; <a href="https://legiscan.com/VA/bill/HB1505/2024">House Bill 1505</a> goes into effect on July 1 and bypasses certain NCAA rules on payment to athletes enrolled in Virginia colleges and universities, setting a precedent other states have already begun to follow.&nbsp;&nbsp; The statute allows state colleges and universities to create and negotiate NIL deals without NCAA input or restrictions.&nbsp;</p>



<p>July 2021 marked a watershed event for student-athletes, as the NCAA rescinded rules restricting athletes from earning money from contracts with businesses that compensate them for endorsements, personal appearances, and commercials.&nbsp; On April 17, the NCAA passed <a href="https://www.ncaa.org/news/2024/4/17/media-center-di-council-approves-nil-reforms-permits-school-assistance-with-nil-activity.aspx">internal legislation</a> allowing its member schools to be more actively involved in securing sponsorship and endorsement deals for athletes, including facilitating opportunities between third-party businesses and athletes.&nbsp; The interaction between the NCAA’s rules and state law such as the Virginia statute remains to be seen, though there appears to be some overlap.&nbsp; It is possible statutes like the Virginia bill and other states’ enactments pressured the NCAA to liberalize its own rules.</p>



<p>The new Virginia statute opens a pathway for donors to work directly with schools on paying athletes.&nbsp; Universities are required to develop, and submit to the institution’s governing body, institutional policies and procedures governing student-athletes’ use of NIL for compensation, with enforcement mechanisms.&nbsp; The university may also use its own assets to incentivize NIL deals for its athletes.</p>



<p>Finally, the statute prohibits the use of a student-athlete’s NIL in connection with alcoholic beverages, adult entertainment, cannabis or controlled substances, performance enhancing substances, drug paraphernalia, tobacco, weapons or casinos and sports betting.&nbsp; It also permits universities to restrict the use of the student-athlete’s NIL on “school time” – when engaged in academic, sports team, or athletic department activities.&nbsp; Student-athletes may not use any institution’s facilities, apparel, uniforms, or any intellectual property in the NIL-associated activities, and are required to disclose draft agreements to the university prior to executing the agreement.</p>



<p>The Virginia statute provides an example for other states to follow, and several have bills pending in their legislatures.&nbsp; Each state enacting a different statute makes it slightly more likely Congress will eventually supply a uniform federal standard, though the athletic community is likely years from such a national legislative leveling. Crenshaw, Ware &amp; Martin enjoys the advantage of having attorneys with bar memberships in Virginia, North Carolina and Maryland.&nbsp; Our firm can assist student-athletes with the structuring of NIL deals which maximize advantage to the student-athlete and ensure an even negotiation playing field.&nbsp; Please reach out to Managing Partner Darius Davenport at <a href="mailto:DDavenport@cwm-law.com">DDavenport@cwm-law.com</a>, Attorney Butch Bracknell at <a href="mailto:RBracknell@cwm-law.com">RBracknell@cwm-law.com</a>, or any partner or attorney in the firm for assistance in navigating NIL territory.&nbsp; Contact Crenshaw Ware &amp; Martin at 757.623.3000.</p>
<p>The post <a href="https://www.cwm-law.com/news/virginia-changes-the-game-on-nil/">Virginia Changes The Game On NIL</a> appeared first on <a href="https://www.cwm-law.com">CWM Law</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Corporate Transparency Act</title>
		<link>https://www.cwm-law.com/news/corporate-transparency-act/</link>
		
		<dc:creator><![CDATA[Armond Joyner]]></dc:creator>
		<pubDate>Mon, 12 Feb 2024 20:33:49 +0000</pubDate>
				<category><![CDATA[Articles and Presentations]]></category>
		<category><![CDATA[News]]></category>
		<guid isPermaLink="false">https://www.cwm-law.com/?p=8399</guid>

					<description><![CDATA[<p>Virginia businesses’ non-compliance with the Fair Labor Standards Act or Virginia law wage protections can lead to substantial liability.  Moreover, misclassifying workers as independent contractors when they should properly be classified as employees can lead to equally grave consequences.  A recent local settlement highlights the risk to businesses.</p>
<p>The post <a href="https://www.cwm-law.com/news/corporate-transparency-act/">Corporate Transparency Act</a> appeared first on <a href="https://www.cwm-law.com">CWM Law</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>The new federal <a href="https://www.congress.gov/bill/116th-congress/house-bill/2513/text">Corporate Transparency Act</a> became effective January 1, 2024.&nbsp; The act requires certain companies in the United States to disclose information regarding their beneficial owners to the US Treasury Department.&nbsp; The <a href="https://www.fincen.gov/boi/small-entity-compliance-guide">reports</a> are directed to the Department’s Financial Crimes Enforcement Network (FinCEN), and are not annual reports.&nbsp; Rather, the reports need to be submitted one time, and then thereafter when there are changes in ownership (new beneficial owners).&nbsp; The purpose behind the act was to combat illegal activity, including tax fraud, money laundering and terrorism finance, though consumers, lenders and companies will also benefit from the disclosure regime.</p>



<p><strong>Reporting Entities</strong></p>



<p>The range of entities required to report is very comprehensive.&nbsp; Domestic reporting companies include corporations, LLPs, or any other similar entity created by the filing of a document with a secretary of state or similar office.&nbsp; Foreign reporting companies are those private entities formed under foreign law that are registered to do business in the United States.</p>



<p>Exemptions, companies not considered reporting companies, include banks, credit unions, SEC-reporting companies, insurance companies and public accounting firms.&nbsp; Additionally, companies that employ more than 20 employees on a full time basis in the U.S., that filed in the previous year federal income tax returns demonstrating more than $5 million in gross receipts, revenues or sales, and that operate with a physical office presence in the U.S. are exempt.&nbsp; This exempts all Fortune 500 entities and many publicly traded companies.&nbsp; The focus for CTA reporting is small business.</p>



<p><strong>Beneficial Owners</strong></p>



<p>A beneficial owner is an individual who, directly or indirectly through any contract, arrangement, understanding, relationship or otherwise, exercises substantial control over the entity or owns or controls at least 25% of the equity interests of the entity.&nbsp; “Substantial control” is defined as individuals who serve as a senior officer of the reporting company; have appointment or removal authority over the senior officers and board of directors; can direct, determine, or have substantial influence over important decisions within the company; or have any other type of substantial control over the company.&nbsp; The categories likely include all CEOs, COOs, CFOs, CMOs, and board members, as well as major equity holders.</p>



<p>The category does not include minor children if the parent or legal guardian is reported, an individual acting as a nominee, intermediary, custodian or agent on behalf of another individual (for example, an incapacitated individual remains the beneficial owner, not his or her custodian), an employee of the reporting company (not a senior officer with little control), an inheritor whose interest is a future interest through inheritance or expectancy, and creditors unless the creditor exercises substantial control or owns or controls at least 2 of the equity of the company.</p>



<p><strong>Content of the Report</strong></p>



<p>Reporting is simple:&nbsp; it is purely identity based.&nbsp; The CTA simply mandates a small business ownership registry.&nbsp; Beneficial owners must report the entity’s full legal name, trading/DBA names, address of the entity, jurisdiction of formation/registration and the federal taxpayer ID number (EIN).&nbsp; Each beneficial owner must report his or her full legal name, birthday, home address, an identifying number from a driver’s license, passport or similar document, and an image of the same approved document.</p>



<p><strong>Timing, Penalties and Other Considerations</strong></p>



<p>Companies in existence before January 1, 2024 must file initial reports no later than January 1, 2025.&nbsp; Newly formed companies created after January 1, 2024 must file their initial reports 90 days after receiving notice of their creation or registration.&nbsp; Companies have 30 days after a change in ownership to include updated information, and also have 30 days to correct inaccurate information after discovery of an error.</p>



<p>Individuals and entities covered by U.S. sanctions have preexisting financial constraints in place.&nbsp; Even so, the CTA is an additional check on ownership by sanctioned individuals or entities.</p>



<p>Any person who provides false information or fails to comply with reporting requirements is liable for civil penalties of up to $500 per day that the violation continues.&nbsp; Violators are also subject to criminal penalties of up to 2 years imprisonment and fines of up to $10,000.&nbsp; Pragmatically, it is likely most enforcement will be handled as a civil matter, except for bad faith failures to file accurately or nonreporting designed to evade taxation or advance some other criminal activity, or to undermine a national security interest.&nbsp; Nonreporting could also have adverse consequences in mergers and acquisitions or during creditworthiness reviews.&nbsp; Banks, for example, will likely reformat their credit applications to validate reporting compliance.</p>



<p>Many nonprofits are covered, in that every nonprofit organized in the U.S. has a corporate formation on which the nonprofit status is grounded.</p>



<p>Finally, small businesses that are mandated reporting entities can consult FinCEN’s Small Entity Compliance <a href="https://www.fincen.gov/boi/small-entity-compliance-guide">Guide</a> for assistance in filing and reporting.</p>



<p>Crenshaw, Ware &amp; Martin is ready and able to assist companies and organizations with their compliance obligations, and is pleased to offer your business an advisory session on reporting obligations.&nbsp; Contact Managing Partner Darius Davenport at <a href="mailto:DDavenport@cwm-law.com">DDavenport@cwm-law.com</a>, attorney Butch Bracknell at <a href="mailto:RBracknell@cwm-law.com">RBracknell@cwm-law.com</a>, or any of the firm’s <a href="https://www.cwm-law.com/our-legal-team/">attorneys</a> by email, or call the firm at 757-623-3000.</p>
<p>The post <a href="https://www.cwm-law.com/news/corporate-transparency-act/">Corporate Transparency Act</a> appeared first on <a href="https://www.cwm-law.com">CWM Law</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Final rule under Fair Labor Standards Act on Employee/Independent Contractor Classification Takes Effect</title>
		<link>https://www.cwm-law.com/blog/va-employer-law/final-rule-under-fair-labor-standards-act-on-employee-independent-contractor-classification-takes-effect/</link>
		
		<dc:creator><![CDATA[Armond Joyner]]></dc:creator>
		<pubDate>Tue, 06 Feb 2024 19:18:47 +0000</pubDate>
				<category><![CDATA[Articles and Presentations]]></category>
		<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Virginia Employer Law]]></category>
		<guid isPermaLink="false">https://www.cwm-law.com/?p=8387</guid>

					<description><![CDATA[<p>Virginia businesses’ non-compliance with the Fair Labor Standards Act or Virginia law wage protections can lead to substantial liability.  Moreover, misclassifying workers as independent contractors when they should properly be classified as employees can lead to equally grave consequences.  A recent local settlement highlights the risk to businesses.</p>
<p>The post <a href="https://www.cwm-law.com/blog/va-employer-law/final-rule-under-fair-labor-standards-act-on-employee-independent-contractor-classification-takes-effect/">Final rule under Fair Labor Standards Act on Employee/Independent Contractor Classification Takes Effect</a> appeared first on <a href="https://www.cwm-law.com">CWM Law</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>On March 11, 2024, the US Department of Labor’s final rule under the Fair Labor Standards Act (FLSA) on employee/independent contractor classification takes effect.&nbsp; The new <a href="https://www.dol.gov/agencies/whd/flsa/misclassification/rulemaking">final rule</a>, <a href="https://www.federalregister.gov/documents/2024/01/10/2024-00067/employee-or-independent-contractor-classification-under-the-fair-labor-standards-act">published</a> on January 10, rescinds and supersedes the 2021 Department of Labor <a href="https://www.federalregister.gov/documents/2021/01/07/2020-29274/independent-contractor-status-under-the-fair-labor-standards-act">Independent Contractor rule</a>, and will help businesses accurately classify workers and comply with minimum wage, overtime and other workplace protections.&nbsp; It also helps workers negotiate and understand their status, rights, and entitlements under the FLSA.</p>



<p>The new rule establishes “economic dependence” as the standard for determining status, and prescribes six equally weighted factors to consider when classifying a worker:</p>



<ul class="wp-block-list">
<li>Opportunity for the worker to attain more profit or loss depending on managerial skill, business acumen, or judgment;</li>



<li>Investments by the worker and the potential employer – investments that are capital or entrepreneurial in nature augur toward independent contractor status;</li>



<li>Degree of permanence of the work relationship – longer term work arrangement, frequency and intermittency, and year round work relationships affect this determination;</li>



<li>Nature and degree of control – how much direction the worker is given regarding how and when the worker performs work tasks, including scheduling, supervision, and price-setting;</li>



<li>Extent to which the work performed is an integral part of the potential employer’s business – how important the work is to the overall business’ success;</li>



<li>Skill and initiative – how much “ownership” does the worker employ with regard to his tasks, and how important are his or her skills to the end product?</li>
</ul>



<p>A worker may not voluntarily waive employee status – he or she either is or is not an employee for the purposes of classification.&nbsp; Business owners must alter their labor arrangements to benefit from workers with independent contractor status, rather than negotiating status as a term of the commercial relationship.</p>



<p>The new rule constitutes a totality of the circumstances economic reality test.&nbsp; No factor or group of factors is more significant than others at the outset, though on analysis of specific facts, certain of the factors may become more weighty or important.</p>



<p>Finally, the <a href="https://www.vec.virginia.gov/irs-20-factors-and-exemptions">IRS “20 factor” test</a> for <a href="https://www.irs.gov/pub/irs-utl/x-26-07.pdf">employee/independent contractor classification</a> is not irrelevant to the USDOL 6 factor analysis.&nbsp; Rather, the 20 factors can likely best be binned into the six factor categories to give them meaning.&nbsp; For example, IRS Factor 6, Continuing Relationship, is relevant to USDOL Factor 3, degree of permanence of the work relationship.&nbsp; IRS Factor 15, Significant Investment, is germane to considering USDOL Factor 2, Investments.</p>



<p>The new FLSA classification rule does not represent a watershed rule change, but rather an effort by USDOL to provide businesses, advisors, and courts more useful direction on classification, both to give clear guidance to businesses and to help workers protect their own rights to certain entitlements and protections.</p>
<p>The post <a href="https://www.cwm-law.com/blog/va-employer-law/final-rule-under-fair-labor-standards-act-on-employee-independent-contractor-classification-takes-effect/">Final rule under Fair Labor Standards Act on Employee/Independent Contractor Classification Takes Effect</a> appeared first on <a href="https://www.cwm-law.com">CWM Law</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Fair Labor Standards Act, Wage Theft, and Misclassification</title>
		<link>https://www.cwm-law.com/news/articles-and-presentations/fair-labor-standards-act-wage-theft-and-misclassification/</link>
		
		<dc:creator><![CDATA[ciniva]]></dc:creator>
		<pubDate>Thu, 16 Nov 2023 21:03:16 +0000</pubDate>
				<category><![CDATA[Articles and Presentations]]></category>
		<category><![CDATA[News]]></category>
		<guid isPermaLink="false">https://www.cwm-law.com/?p=8318</guid>

					<description><![CDATA[<p>Virginia businesses’ non-compliance with the Fair Labor Standards Act or Virginia law wage protections can lead to substantial liability.  Moreover, misclassifying workers as independent contractors when they should properly be classified as employees can lead to equally grave consequences.  A recent local settlement highlights the risk to businesses.</p>
<p>The post <a href="https://www.cwm-law.com/news/articles-and-presentations/fair-labor-standards-act-wage-theft-and-misclassification/">Fair Labor Standards Act, Wage Theft, and Misclassification</a> appeared first on <a href="https://www.cwm-law.com">CWM Law</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Virginia businesses’ non-compliance with the Fair Labor Standards Act or Virginia law wage protections can lead to substantial liability.&nbsp; Moreover, misclassifying workers as independent contractors when they should properly be classified as employees can lead to equally grave consequences.&nbsp; A recent local settlement highlights the risk to businesses.</p>



<p>Plaza Azteca is a regional multi-state restaurant group with 17 locations in Hampton Roads, from Williamsburg to Suffolk to Chesapeake.&nbsp; The restaurant group, owned by a Virginia Beach businessman, agreed to pay an $11.4M settlement for back wages and damages from alleged violations of the Fair Labor Standards Act.</p>



<p>Originally passed in 1938 as New Deal labor protection regulation, the federal FLSA sets the nationwide minimum wage, mandates rules for overtime, defines hours worked, prescribes recordkeeping standards, and regulates child labor.&nbsp; The Department of Labor investigation established that the chain paid full time “back of the house” (kitchen, dishwashers, etc.) workers a predetermined amount, without accounting for minimum wage or overtime.&nbsp; The Department of Labor also alleged that the chain failed to maintain accurate records of hours and wages and created false records to show payment of overtime that did not exist.&nbsp; The consent decree requires the company to hire an independent monitor to ensure compliance with the settlement agreement’s conditions.</p>



<p>Virginia law also protects workers from wage theft.&nbsp; Statutes enacted in 2020 protect workers who report wage theft or file civil actions from retaliation and expand the Virginia Department of Labor’s investigative authority.&nbsp; They also create a private right to sue, whereas previously wage theft claims were purely administrative in nature.&nbsp; They also allow the recovery of attorney fees, civil penalties and treble damages for knowing violations.&nbsp; Employers have to take care to ensure managers are accounting for wages and keeping proper records to avoid both federal and state wage liability.</p>



<p>Finally, the employee/independent contractor classification in Virginia carries certain distinctions.&nbsp; Most states adopt the IRS “20 Factor Test” as a succinct summary of the factors that differentiate contractors from employees.&nbsp; The distinction is important because employers owe more duties to employees than to independent contractors.&nbsp; Treating a person performing services for the business as an independent contractor when the person is properly classifiable as an employee is fraught with legal and reputational risk.</p>



<p>The IRS 20 factors used to evaluate the employee/independent contractor status question are:</p>



<ul class="wp-block-list">
<li>Level of instruction. If the company directs when, where, and how work is done, this control indicates a possible employment relationship.<br></li>



<li>Amount of training. Requesting workers to undergo company-provided training suggests an employment relationship since the company is directing the methods by which work is accomplished.<br></li>



<li>Degree of business integration. Workers whose services are integrated into business operations or significantly affect business success are likely to be considered employees.<br></li>



<li>Extent of personal services. Companies that insist on a particular person performing the work assert a degree of control that suggests an employment relationship. In contrast, independent contractors typically are free to assign work to anyone.<br></li>



<li>Control of assistants. If a company hires, supervises, and pays a worker&#8217;s assistants, this control indicates a possible employment relationship. If the worker retains control over hiring, supervising, and paying helpers, this arrangement suggests an independent contractor relationship.<br></li>



<li>Continuity of relationship. A continuous relationship between a company and a worker indicates a possible employment relationship. However, an independent contractor arrangement can involve an ongoing relationship for multiple, sequential projects.<br></li>



<li>Flexibility of schedule. People whose hours or days of work are dictated by a company are apt to qualify as its employees.<br></li>



<li>Demands for full-time work. Full-time work gives a company control over most of a person&#8217;s time, which supports a finding of an employment relationship.<br></li>



<li>Need for on-site services. Requiring someone to work on company premises – particularly if the work can be performed elsewhere – indicates a possible employment relationship.<br></li>



<li>Sequence of work. If a company requires work to be performed in specific order or sequence, this control suggests an employment relationship.<br></li>



<li>Requirements for reports. If a worker regularly must provide written or oral reports on the status of a project, this arrangement indicates a possible employment relationship.<br></li>



<li>Method of payment. Hourly, weekly, or monthly pay schedules are characteristic of employment relationships, unless the payments simply are a convenient way of distributing a lump-sum fee. Payment on commission or project completion is more characteristic of independent contractor relationships.<br></li>



<li>Payment of business or travel expenses. Independent contractors typically bear the cost of travel or business expenses, and most contractors set their fees high enough to cover these costs. Direct reimbursement of travel and other business costs by a company suggests an employment relationship.<br></li>



<li>Provision of tools and materials. Workers who perform most of their work using company-provided equipment, tools, and materials are more likely to be considered employees. Work largely done using independently obtained supplies or tools supports an independent contractor finding.<br></li>



<li>Investment in facilities. Independent contractors typically invest in and maintain their own work facilities. In contrast, most employees rely on their employer to provide work facilities.<br></li>



<li>Realization of profit or loss. Workers who receive predetermined earnings and have little chance to realize significant profit or loss through their work generally are employees.<br></li>



<li>Work for multiple companies. People who simultaneously provide services for several unrelated companies are likely to qualify as independent contractors.<br></li>



<li>Availability to public. If a worker regularly makes services available to the general public, this supports an independent contractor determination.<br></li>



<li>Control over discharge. A company&#8217;s unilateral right to discharge a worker suggests an employment relationship. In contrast, a company&#8217;s ability to terminate independent contractor relationships generally depends on contract terms.<br></li>



<li>Right of termination. Most employees unilaterally can terminate their work for a company without liability. Independent contractors cannot terminate services without liability, except as allowed under their contracts.</li>
</ul>



<p>Improperly classifying a “true employee” as an independent contractor can cause substantial hidden liability for a company, from failure to withhold taxes, to health insurance, to charges of wage theft and FLSA violations.&nbsp; This can be crushing for a small business with no budget to pay labor fines, so proper classification and expense planning is vital from the outset of the business.&nbsp; The temptation to cut costs by classifying workers as independent contractors is strong for small businesses, particularly startups, but the long-term risks can damage a company before it gets its feet under it.&nbsp; Finally, the reputational risk to an organization cutting corners on wages or benefits through improper classification can be massive in the information age, when stories spread via social media, blogs, and TikTok like wildfire.&nbsp; The Plaza Azteca settlement should serve as a cautionary tale, as the David and Goliath/management vs. labor story regarding the settlement for improper wage withholding has been a regional media story and could damage the chain’s brand and adversely affect revenue.</p>
<p>The post <a href="https://www.cwm-law.com/news/articles-and-presentations/fair-labor-standards-act-wage-theft-and-misclassification/">Fair Labor Standards Act, Wage Theft, and Misclassification</a> appeared first on <a href="https://www.cwm-law.com">CWM Law</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Lying Eyes:  Deepfakes, Rules of Evidence, and Disinformation</title>
		<link>https://www.cwm-law.com/news/articles-and-presentations/lying-eyes-deepfakes-rules-of-evidence-and-disinformation/</link>
		
		<dc:creator><![CDATA[ciniva]]></dc:creator>
		<pubDate>Wed, 01 Nov 2023 22:05:47 +0000</pubDate>
				<category><![CDATA[Articles and Presentations]]></category>
		<category><![CDATA[News]]></category>
		<guid isPermaLink="false">https://www.cwm-law.com/?p=8308</guid>

					<description><![CDATA[<p>“Who are you going to believe…Me?  Or your lying eyes?” Richard Pryor, Live on the Sunset Strip. As a lawyer working with innovative and disruptive technology for about 10 years, I have been increasingly concerned with the role disinformation, particularly AI-enabled “deepfakes” could play in corrupting the reliability of evidence on which decisions are made. [&#8230;]</p>
<p>The post <a href="https://www.cwm-law.com/news/articles-and-presentations/lying-eyes-deepfakes-rules-of-evidence-and-disinformation/">Lying Eyes:  Deepfakes, Rules of Evidence, and Disinformation</a> appeared first on <a href="https://www.cwm-law.com">CWM Law</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="has-text-align-center">“Who are you going to believe…Me?  Or your lying eyes?”<br>Richard Pryor, <em>Live on the Sunset Strip</em></p>



<p>As a lawyer working with innovative and disruptive technology for about 10 years, I have been increasingly concerned with the role disinformation, particularly AI-enabled “deepfakes”, could play in corrupting the reliability of evidence on which decisions are made.&nbsp; These decisions, reliant on the veracity of photo and video evidence, can take a variety of forms – political leaders making strategic decisions in international affairs, military commanders making targeting decisions, entertainment icons whose reputation can be burnished or destroyed by images, business leaders making decisions about product releases, and judicial outcomes in domestic and international courts.&nbsp; The rules for assessing the reliability of photographs or videos in evidence, in the age of deepfakes, provide a useful template for assessing reliability and veracity of photographic or videographic evidence in other contexts.&nbsp; In the age of AI-enabled deepfakes, the process of assessing reliability and veracity will become more complex, technical and deliberate.&nbsp; Deepfakes make “lying eyes” no longer a joke, but an unpleasant fact as we grapple with the technology of truth.</p>



<p>Traditionally, in court, photo or video evidence is assessed in a two-part linear process, which is, ultimately, a pure epistemological process:</p>



<p>(1) a competent witness testifies to authenticate a photo or video as an accurate depiction of the occurrence or matter being represented, based on his or her memory; and</p>



<p>(2) the finder of fact assesses the photo or video for probative value.&nbsp;</p>



<p>Because most people’s knowledge of the legal system comes from the movies and television, two scenes illustrate the two steps in the process reasonably well.</p>



<p><strong>Part 1:&nbsp; Authentication:</strong></p>



<p>In the military courtroom thriller “A Few Good Men”, defense counsel Daniel Kaffee wields a “transfer order” before fact witness Colonel Nathan R. Jessup.&nbsp; The defense theory was that the transfer order away from Guantanamo Bay, Cuba had been falsified to create the illusion that the murdered Private Santiago would have been safe from the lethal hazing of his fellow Marines, but for the intercession of the rogue Corporal Harold Dawson and Private Louden Downey.&nbsp; The movie glosses over the transfer order’s authenticity.&nbsp; In reality, for the prosecution to introduce the transfer order as a business record to show intent to transfer the Marine off the island to keep him safe, the personnel officer who signed the transfer order would have had to take the stand and answer questions like this:</p>



<ul class="wp-block-list">
<li>What is your duty position?</li>



<li>What duties do you perform routinely in that position?</li>



<li>Are you familiar with transfer orders?</li>



<li>What are transfer orders?</li>



<li>What is their purpose?</li>



<li>When do you prepare transfer orders?</li>



<li>Where are these documents stored after they are prepared?</li>



<li>Is it a regular part of your duties to keep and maintain records of this type?</li>



<li>Are these documents of the type that would be kept under your custody or control?</li>



<li>Are you familiar with this transfer order (Private Santiago’s transfer order)?</li>



<li>Do you recall preparing this transfer order?</li>



<li>Do you recall directing someone under your supervision to prepare this transfer order?</li>



<li>Do you recall whether that person actually prepared the transfer order?</li>



<li>Was this transfer order prepared in the ordinary scope of business in your military unit?</li>



<li>Do you recognize the signature on the document?</li>



<li>Whose signature is that?&nbsp; (the personnel officer’s)</li>
</ul>



<p>After satisfactorily laying this foundation, the prosecutor would have moved the document into evidence.&nbsp; Of course, in the case of Private Santiago’s transfer order, the personnel officer would have had to perjure himself to lay this foundation, because the transfer order was fabricated after the murder to cover the tracks of the officers directing the hazing that led to the Marine’s death.&nbsp; <strong>In point of fact, the purpose of authentication is that a live witness is able to testify truthfully under oath that a certain document, photo or video is in fact genuine, real, and an accurate record or depiction.</strong></p>



<p>Only after authentication and introduction is the exhibit – the piece of documentary, photographic or videographic evidence – assessed for probative value – that is, how convincing it is to establish the fact it purports to establish.</p>



<p><strong>Part 2:&nbsp; Probative Value:</strong></p>



<p>In 1992, Joe Pesci played first-time trial lawyer and many-time bar exam taker Vinny Gambini in a crime drama/comedy about a murder trial where his young cousin and his friend are falsely accused of murder in a convenience store heist gone bad.&nbsp; In one pivotal scene, attorney Gambini illustrates this process with surprising alacrity as he uses witness and girlfriend Mona Lisa Vito to assess a key photo’s probative value, even as the parties appear to skip the entire photo authentication step.&nbsp; For the purposes of this exercise, we can assume both sides stipulated to the authenticity of the photo showing dual tire marks leaving the scene of the crime and jumping a curb.</p>



<p><strong>Mona Lisa Vito</strong>: The car that made these two, equal-length tire marks had positraction. You can&#8217;t make those marks without positraction, which was not available on the &#8217;64 Buick Skylark!</p>



<p><strong>Vinny Gambini</strong>: And why not? What is positraction?</p>



<p><strong>Mona Lisa Vito</strong>: It&#8217;s a limited slip differential which distributes power equally to both the right and left tires. The &#8217;64 Skylark had a regular differential, which, anyone who&#8217;s been stuck in the mud in Alabama knows, you step on the gas, one tire spins, the other tire does nothing.</p>



<p><strong>Juror #1:</strong> That&#8217;s right.</p>



<p><strong>Vinny Gambini</strong>: Is that it?</p>



<p><strong>Mona Lisa Vito</strong>: No, there&#8217;s more! You see? When the left tire mark goes up on the curb and the right tire mark stays flat and even? Well, the &#8217;64 Skylark had a solid rear axle, so when the left tire would go up on the curb, the right tire would tilt out and ride along its edge. But that didn&#8217;t happen here. The tire mark stayed flat and even. This car had an independent rear suspension. Now, in the &#8217;60s, there were only two other cars made in America that had positraction, and independent rear suspension, and enough power to make these marks. One was the Corvette, which could never be confused with the Buick Skylark. The other had the same body length, height, width, weight, wheelbase, and wheel track as the &#8217;64 Skylark, and that was the 1963 Pontiac Tempest.</p>



<p><strong>Vinny Gambini</strong>: And because both cars were made by GM, were both cars available in metallic mint green paint?</p>



<p><strong>Mona Lisa Vito</strong>: They were!</p>



<p><strong>Vinny Gambini</strong>: Thank you, Ms. Vito. No more questions. Thank you very, very much.</p>



<p><em>[kissing her hands]</em></p>



<p><strong>Vinny Gambini</strong>: You&#8217;ve been a lovely, lovely witness.</p>



<p>Having established Ms. Vito’s bona fides to testify on the matter of automobile technical and mechanical characteristics, to which the prosecutor ultimately stipulated, this line of questioning turned out to be extraordinarily probative on the issue of whether there were two similar cars in the area of the murder – one driven by Mr. Gambini’s cousin, and one driven by the murderer who robbed the store.</p>



<p>The danger of deepfakes, in court or in extrajudicial life, is that they constitute <strong>synthetic or manufactured evidence</strong>.&nbsp; In court, they cannot be authenticated absent perjury or an egregious testimonial error that can be exposed on cross-examination, so arguably Model Rule of Evidence 901 already is sufficient to keep out deepfake evidence.&nbsp; However, assuming deepfake evidence is allowed to enter into evidence in court, the integrity of the second prong – probity – is threatened by their mere existence.&nbsp; The control for ensuring unreliable deepfakes do not corrupt the evidentiary system of American courts hinges on authentication.</p>



<p><strong>Authenticating digital images:&nbsp;</strong></p>



<p>Because digital photographs and videos can be so easily manipulated, altered, or changed, authenticating digital media requires a witness – sometimes the photographer or videographer, and sometimes a third-party witness familiar with the scene depicted in the photograph or video – to give “pictorial testimony,” wherein the witness testifies from memory that the media is a true (or accurate) representation of what the person saw.&nbsp; As with all evidence, courts rely on the adverse party to expose altered evidence through cross-examination or impeachment by extrinsic evidence.&nbsp; This is not a new problem.</p>



<p>There is no heightened authenticity standard for digital media, even though they are relatively easy to manipulate.&nbsp; Over time, some legal commentators have argued for a more stringent, demanding foundation, including, perhaps, a requirement to certify the photograph is unaltered.&nbsp; The current standard only requires introduction of prima facie evidence of authenticity, which shifts the burden to the opponent to challenge the authenticity.&nbsp; Faith in the adversarial system substitutes for a higher initial threshold of reliability.&nbsp; This is a fairly well settled proposition.</p>



<p><strong>The New and Unique Challenge of Deepfakes and an Evidentiary Rule Modification</strong></p>



<p>Deepfakes present a new and relatively unprecedented challenge by virtue of the fact they often are not manipulated or altered media, but are completely fictionalized from the ground up.&nbsp; Dr. Maura Grossman, a computer scientist from Canada’s University of Waterloo, and Honorable Paul W. Grimm (Retired), a former U.S. District Judge from Maryland, now a professor at Duke University, recognize the unique and extraordinary threat to the evidentiary system presented by deepfakes.&nbsp; They have co-authored a Proposed Modification of Current Rule 901(b)(9) to address authentication issues regarding Artificial Intelligence evidence, submitted to the Advisory Committee on Evidence Rules, which met on October 27.</p>



<p>Federal Rule of Evidence 901 (and Model Rule of Evidence 901) currently states:</p>



<p>(a) General provision. The requirement of authentication or identification as a condition precedent to admissibility is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims.</p>



<p>(b) Illustrations. By way of illustration only, and not by way of limitation, the following are examples of authentication or identification conforming to the requirements of this rule:</p>



<p>(1) Testimony of witness with knowledge. Testimony that a matter is what it is claimed to be.</p>



<p>(2) Nonexpert opinion on handwriting. Nonexpert opinion as to the genuineness of handwriting, based upon familiarity not acquired for purposes of the litigation.</p>



<p>(3) Comparison by trier or expert witness. Comparison by the trier of fact or by expert witnesses with specimens which have been authenticated.</p>



<p>(4) Distinctive characteristics and the like. Appearance, contents, substance, internal patterns, or other distinctive characteristics, taken in conjunction with circumstances.</p>



<p>(5) Voice identification. Identification of a voice, whether heard firsthand or through mechanical or electronic transmission or recording, by opinion based upon hearing the voice at any time under circumstances connecting it with the alleged speaker.</p>



<p>(6) Telephone conversations. Telephone conversations, by evidence that a call was made to the number assigned at the time by the telephone company to a particular person or business, if</p>



<p>(A) in the case of a person, circumstances, including self-identification, show the person answering to be the one called, or</p>



<p>(B) in the case of a business, the call was made to a place of business and the conversation related to business reasonably transacted over the telephone.</p>



<p>(7) Public records or reports. Evidence that a writing authorized by law to be recorded or filed and in fact recorded or filed in a public office, or a purported public record, report, statement, or data compilation, in any form, is from the public office where items of this nature are kept.</p>



<p>(8) Ancient documents or data compilation. Evidence that a document or data compilation, in any form,</p>



<p>(A) is in such condition as to create no suspicion concerning its authenticity,</p>



<p>(B) was in a place where it, if authentic, would likely be, and</p>



<p>(C) has been in existence 20 years or more at the time it is offered.</p>



<p>(9) Process or system. Evidence describing a process or system used to produce a result and showing that the process or system produces an accurate result.</p>



<p>(10) Methods provided by statute or rule. Any method of authentication or identification provided by Act of Congress or by other rules prescribed by the Supreme Court pursuant to statutory authority.</p>



<p>Dr. Grossman and Judge Grimm propose an amendment to subparagraph (9) which states:</p>



<p>(9) <strong>Evidence about a Process or System.</strong>&nbsp; For an item generated by a process or system:</p>



<p><strong>(A)</strong> Evidence describing it and showing that it produces a reliable result; and</p>



<p><strong>(B)</strong> If the proponent concedes that — or the proponent provides a factual basis for suspecting that — the item was generated by artificial intelligence, additional evidence that:</p>



<p><strong>(i)</strong> Describes the software or program that was used; and</p>



<p><strong>(ii)</strong> Shows that it produced reliable results in this instance.</p>



<p>The revised rule places primacy on “reliability” over “accuracy” and clarifies the trial judge also has an obligation to make a decision on the preliminary question of admissibility under Federal Rule of Evidence 104(a).&nbsp; Dr. Grossman and Judge Grimm maintain the judge’s role as evidentiary gatekeeper while supplying new and revised standards which would apply to the unique category of AI-assisted or AI-generated evidence, including deepfakes.&nbsp; The question remains whether the subtle shift to “reliability” over “accuracy” would be sufficient to bar the introduction of deepfakes as probative evidence, given the process continues to rely on litigants’ and judges’ understanding of the technology and the ability of an opponent of the evidence to test it adequately through cross-examination and extrinsic impeachment evidence.</p>



<p>The struggle over this issue in the Federal Rules of Evidence, which are orderly and process bound, portends a far less methodical process for assessing the “reliability” of deepfake evidence in other contexts less bound by rules and procedure.&nbsp; Deepfakes will challenge the courts in the coming years and decades, but threaten the foundations of society through disinformation in other contexts.</p>



<p>Judging the authenticity of deepfakes outside of court, where images and videos affect decisions of people in real time, is fraught with even more risk.&nbsp; In court, there is a process for vetting images and photos by applying rules of evidence and only admitting evidence that presents sufficient indicia of reliability.&nbsp; In the 24-hour global news cycle, the process is less structured and more fluid, and people make decisions more rapidly based on what they see without properly evaluating whether it is real.&nbsp; The danger becomes more acute as AI becomes more perfected and deepfakes appear more authentic to the naked eye.&nbsp; Deepfakes represent the most formidable form of disinformation and challenge to authenticity and truth of all time, or certainly since kings could order the authoring of whole manuscripts and have them circulated as history.&nbsp; Finally, the impact on markets which rely on uniqueness and genuineness, such as art, cryptocurrency, and NFTs, is apparent – the replication of counterfeits in an AI-driven enterprise could devalue entire markets to zero in a flash.</p>



<p>Ironically, technology has simultaneously made truth more accessible – through photography, image enhancement, satellite imagery, GPS, electronic recordkeeping, and the application of science – and more difficult to establish – through deepfakes, disinformation and other forms of spoofing facts.&nbsp; One thing is certain:&nbsp; understanding the technology of truth is not optional for judges, legal professionals, diplomats, generals and admirals, business groundbreakers, and political leaders.&nbsp; Nothing is necessarily as it seems any more, and deliberate, fast processes are required to separate fact from fiction, in court, in business, in government and in diplomacy.</p>



<p>________________________________</p>



<p>Crenshaw, Ware &amp; Martin PLC is a 100-year-old Norfolk business law firm.&nbsp; Our legal professionals stay on the cutting edge of issues that affect business, including those creating, distributing or working with advanced technologies such as cybersecurity systems, artificial intelligence and autonomous systems.&nbsp; Contact Managing Partner Darius Davenport at <a href="mailto:DDavenport@cwm-law.com">DDavenport@cwm-law.com</a>, Business Disputes and Government Contracting Practice Group Chair Ryan Snow at <a href="mailto:WRSnow@cwm-law.com">WRSnow@cwm-law.com</a>, Litigation Practice Group Chair Jim Chapman at <a href="mailto:JChapman@cwm-law.com">JChapman@cwm-law.com</a>, or Attorney Robert Bracknell at <a href="mailto:RBracknell@cwm-law.com">RBracknell@cwm-law.com</a> for assistance and counsel on these complex issues at the intersection of law, business and technology.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>New SEC enforcement action against Solar Winds and its CISO</title>
		<link>https://www.cwm-law.com/news/new-sec-enforcement-action-against-solar-winds-and-its-ciso/</link>
		
		<dc:creator><![CDATA[ciniva]]></dc:creator>
		<pubDate>Wed, 01 Nov 2023 09:36:59 +0000</pubDate>
				<category><![CDATA[Articles and Presentations]]></category>
		<category><![CDATA[News]]></category>
		<guid isPermaLink="false">https://www.cwm-law.com/?p=8305</guid>

					<description><![CDATA[<p>Earlier this month, Crenshaw Ware &#38; Martin authored a post about the new SEC rule on cybersecurity as a business risk for publicly traded companies, mandating certain disclosures to investors to permit accurate and representative risk evaluations.&#160; Yesterday, the SEC doubled down on signaling the importance of factoring cybersecurity risk into general corporate risk profiles [&#8230;]</p>
<p>The post <a href="https://www.cwm-law.com/news/new-sec-enforcement-action-against-solar-winds-and-its-ciso/">New SEC enforcement action against Solar Winds and its CISO</a> appeared first on <a href="https://www.cwm-law.com">CWM Law</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Earlier this month, Crenshaw Ware &amp; Martin authored a post about the new <a href="https://www.cwm-law.com/news/articles-and-presentations/securities-and-exchange-commission-final-rule-on-cybersecurity/">SEC rule on cybersecurity</a> as a business risk for publicly traded companies, mandating certain disclosures to investors to permit accurate and representative risk evaluations.&nbsp; Yesterday, the SEC doubled down on signaling the importance of factoring cybersecurity risk into general corporate risk profiles and the responsibilities of corporate executives, as the SEC sued SolarWinds and its CISO alleging that prior to the massive 2019-2020 cyberattack, both the corporation and the CISO had “concealed both the company’s poor cybersecurity practices and its heightened and increasing cybersecurity risks.”&nbsp;</p>



<p>SolarWinds is an Austin, Texas software company that provides system management tools and other technical services to hundreds of thousands of organizations globally, including tech companies, corporations, and government bodies.&nbsp; “Orion” is a <a href="https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know">SolarWinds</a> IT performance monitoring system which has privileged access to IT systems to obtain log and system performance data.&nbsp; Orion’s reach into systems and wide deployment made it an attractive target for hackers.&nbsp; The attack on Orion is the largest and most consequential cyberattack in history.</p>



<p>Microsoft named the group of hackers – most likely sourced from a nation-state as opposed to private hackers – “Nobelium.”&nbsp; The hackers – <a href="https://www.computerweekly.com/news/252494412/SolarWinds-attack-almost-certainly-work-of-Russian-spooks?_gl=1*9l4o6y*_ga*MTg4ODg3NzExMi4xNjk4Nzc3NjAy*_ga_TQKE4GS5P9*MTY5ODc3NzYwMi4xLjEuMTY5ODc3ODI3My4wLjAuMA..&amp;_ga=2.217556758.12061035.1698777602-1888877112.1698777602">almost certainly Russian</a> – gained unauthorized access to the data, networks and systems of thousands of public and private organizations – and, equally or more importantly – the data and networks of their customers and partners.&nbsp; They did so via a “<a href="https://www.crowdstrike.com/cybersecurity-101/cyberattacks/supply-chain-attacks/">supply chain attack</a>” that introduced malicious code into Orion, which allowed the attack to metastasize to epic proportions.&nbsp; The compromised Orion software then created a backdoor through which the hackers were able to access and impersonate users and accounts of target organizations.&nbsp; The malware was so advanced that it blended in with legitimate SolarWinds activity without detection.&nbsp; The ubiquity of SolarWinds tools permitted an unprecedented breadth of access.&nbsp; More than 18,000 SolarWinds customers installed the malicious updates, which then propagated.</p>



<p>The breach was first detected by <a href="https://www.mandiant.com/resources/blog/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor">cybersecurity company FireEye</a>, which worked with Microsoft and GoDaddy to block and isolate infected versions of Orion by installing a kill switch.&nbsp; The hack’s “dwell time” – the time between the hack and its discovery – was over a year, when the average in 2019 was 95 days.&nbsp; The depth and breadth of the SolarWinds attack was so significant that the attack may serve as the catalyst for broad change in the cybersecurity industry.&nbsp; SolarWinds represents a flashing red light with regard to conventional approaches to cybersecurity, particularly supply chain security, which also presented vulnerabilities in the Colonial Pipeline attack in May 2021 and the Kaseya ransomware attack in July 2021.&nbsp; The first major action by the federal government was the prescription of a “software bill of materials” by <a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/">Executive Order</a> on May 12, 2021.</p>



<p>In June 2023, SolarWinds revealed in an <a href="https://www.sec.gov/files/form8-k.pdf">SEC Form 8-K</a> filing (a regularly scheduled “current report” publicly traded companies must file with the SEC to announce major events that shareholders should know about) that the company had received “Wells Notices” – a colloquial term for notifications issued by the SEC to inform companies of “completed investigations where infractions have been discovered”.&nbsp; The notices are named after the 1972 independent “Wells Committee”, a commission formed to review the enforcement practices and policies of the SEC.&nbsp; SolarWinds also settled a lawsuit in October 2022 brought by shareholders claiming that SolarWinds neglected internal security preceding the breach and misled the public about its digital security.</p>



<p>Yesterday, October 30, 2023, the SEC filed a <a href="https://www.sec.gov/files/litigation/complaints/2023/comp-pr2023-227.pdf">civil action</a> against SolarWinds and its CISO alleging that prior to the attack the company and the CISO “concealed both the company’s poor cybersecurity practices and its heightened – and increasing – cybersecurity risks.”&nbsp; The SEC action alleges SolarWinds’ “public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the Company’s cybersecurity policy violations, vulnerabilities and cyberattacks.”&nbsp; SolarWinds’ attorney immediately <a href="https://www.law.com/nationallawjournal/2023/10/31/sec-sues-solarwinds-ciso-over-massive-breach-escalating-push-to-put-public-company-execs-on-firing-line/?kw=SEC%20Sues%20SolarWinds%20CISO%20Over%20Massive%20Breach,%20Escalating%20Push%20to%20Put%20Public%20Company%20Execs%20on%20Firing%20Line">protested</a>, “The SEC is improperly trying to appoint itself the cybersecurity police for public companies [which] should alarm all public companies and cybersecurity professionals across the country.”</p>



<p>Properly or improperly, herein lies the point:&nbsp; the SEC may or may not be successful in their civil action, but public companies are on notice – again – this federal administration, and the SEC in particular, are serious about businesses accurately and realistically assessing and reporting cybersecurity risk, which should drive increased investment and professionalization of corporate cybersecurity practices.&nbsp; This trend with public companies will eventually bleed over to privately held companies, particularly as bankers assess cybersecurity risk with regard to creditworthiness and private and institutional investors consider where to capitalize.&nbsp; Another key point is the SEC is not only seeking enforcement against the company, but also against the CISO personally.&nbsp; Finally, a factor to watch is whether state regulators, particularly Attorneys General, follow this trend.</p>



<p>Crenshaw, Ware &amp; Martin PLC is ready to help your business conduct training, perform cybersecurity risk assessments, and formulate a compliance plan to manage cybersecurity threats for Virginia or Virginia-facing businesses, including publicly traded companies. The firm can also assist with integrating cybersecurity risk management into corporate ESG/CSR programs in response to customer, investor, and supplier demands and expectations. Contact Darius Davenport, Managing Partner, or Butch Bracknell, Attorney, at 757.623.3000, or by email at <a href="mailto:DDavenport@cwm-law.com">DDavenport@cwm-law.com</a> or <a href="mailto:RBracknell@cwm-law.com">RBracknell@cwm-law.com</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Securities and Exchange Commission Final Rule on Cybersecurity</title>
		<link>https://www.cwm-law.com/news/articles-and-presentations/securities-and-exchange-commission-final-rule-on-cybersecurity/</link>
		
		<dc:creator><![CDATA[ciniva]]></dc:creator>
		<pubDate>Wed, 18 Oct 2023 15:10:02 +0000</pubDate>
				<category><![CDATA[Articles and Presentations]]></category>
		<category><![CDATA[News]]></category>
		<guid isPermaLink="false">https://www.cwm-law.com/?p=8300</guid>

					<description><![CDATA[<p>The Securities and Exchange Commission (SEC) recently published a final rule, effective September 5, 2023, applicable to publicly traded companies on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.</p>
<p>The post <a href="https://www.cwm-law.com/news/articles-and-presentations/securities-and-exchange-commission-final-rule-on-cybersecurity/">Securities and Exchange Commission Final Rule on Cybersecurity</a> appeared first on <a href="https://www.cwm-law.com">CWM Law</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>The Securities and Exchange Commission (SEC) recently published a final rule, effective September 5, 2023, applicable to publicly traded companies on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.<a href="#_ftn1" id="_ftnref1">[1]</a>&nbsp; The new rule is designed “to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.”&nbsp; The SEC prescribes disclosure regarding “material cybersecurity incidents” as well as periodic disclosures about public companies’ “processes to assess, identify and manage material cybersecurity risks, management’s role in assessing and managing material cybersecurity risks, and the board of directors’ oversight of cybersecurity risks.”</p>



<p><strong>HIGHLIGHTS</strong></p>



<ul class="wp-block-list">
<li>The new rules only apply to publicly traded companies in terms of enforceability.</li>



<li>The new rule frames cybersecurity as a business risk for the purpose of disclosure to investors.</li>



<li>The new rules are a reflection of a possible bow wave of public expectations regarding businesses publicly disclosing cyber incidents and maintaining cyber governance and oversight regimes in privately held companies.</li>



<li>Both public and privately held companies should consider the impacts of cybersecurity incidents, disclosures and governance on CSR/ESG strategies and programs to promote digital trust and meet supplier, investor and customer demands and expectations.</li>



<li>Compliance dates range from December 2023 for most companies to June 2024 for smaller companies.</li>



<li>For “material cybersecurity incidents”, companies must disclose their existence within four business days of being “deemed material.”&nbsp; Otherwise, disclosure must occur annually.</li>
</ul>



<p><strong>Cybersecurity Incidents and Materiality.</strong>&nbsp; The rule defines “cybersecurity incidents” as “an unauthorized occurrence, or a series of unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity or availability of a registrant’s information systems or any information residing therein.”&nbsp; It makes no distinction between deliberately caused incidents (“hacks”) and accidents.&nbsp; Materiality triggering rapid disclosure is subjective and incorporates factors such as the complexity of the registrant’s information, the importance of the information to the company’s operations, and the nature and extent of the information compromised.&nbsp; The material incident disclosure requirement includes the “material aspects of the nature, scope and timing of the incident” and the “material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.”&nbsp; For example, a malicious cyber actor who accesses and downloads 100,000 customer financial files in a publicly traded bank is likely “material.”&nbsp; An inadvertent temporary posting on the same bank’s website of the city of residence of 100,000 customers without any other identifying information likely is not “material.”&nbsp; Materiality determinations must be made “without unreasonable delay.”&nbsp; The SEC rule cites <em>TSC Industries, Inc. v. Northway, Inc.,</em> 426 U.S. 438 (1976) in providing that information is material if (1) there is “a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision” or (2) disclosure of the information would have been viewed by the reasonable investor as having “significantly altered the total mix of information made available.”&nbsp; In fact, these two elements are nearly identical, in that the second factor only has meaning in light of the first factor.&nbsp; Companies may also be required to disclose third-party incidents if they are material to the company’s data and operations.&nbsp; Finally, there are certain national security exemptions for disclosure that authorize delay upon approval of the U.S. Department of Justice.&nbsp; For example, public disclosure of a hack of an important defense aerospace contractor by an adversary state might be delayed where disclosure would otherwise harm the U.S. government’s ability to contain or attribute the cyber incident by placing the hacking state on notice that its cyber intrusion had been detected and remediated.</p>



<p>Obviously, the risk of publicly disclosing proprietary corporate information that can place the company at a competitive disadvantage is high.&nbsp; The rule also notes companies are not required to disclose specific or technical information that could affect incident response or reveal potential system vulnerabilities.</p>



<p><strong>Risk Management</strong></p>



<p>The rule also requires publicly traded companies to disclose their cybersecurity risk management processes, including whether cybersecurity risk has been integrated into corporate risk management processes, whether the company seeks outside expert consultants, and whether the company has designed processes to identify material third-party risks.&nbsp; Companies that have not yet begun integrating cybersecurity risk into their risk management processes should be mindful of the published compliance dates and redouble their efforts sooner rather than later.</p>



<p><strong>Corporate Governance:&nbsp; Boards and Management</strong></p>



<p>Finally, the rule places a burden on the board of directors to ensure they are maintaining adequate oversight of cybersecurity risks, forming committees responsible for oversight, and designing processes by which the board or committee is informed of cybersecurity risk.&nbsp; Managers are charged with similar responsibilities regarding assessing and managing cybersecurity risks and procedures for board reporting.</p>



<p><strong>Future Rulemaking</strong></p>



<p>The SEC has published a proposed rule, now moving through the rulemaking process, which imposes similar responsibilities on a range of financial advisers and funds, and is contemplating broader rules that cover broker-dealers, clearing agencies, national securities associations and exchanges, transfer agents, and other related actors.</p>



<p>In short, the new SEC rule places substantial responsibility on publicly traded companies to move quickly with regard to their cybersecurity risk management, reporting and oversight responsibilities, while the SEC also moves forward on expanding these new responsibilities to other categories of financial companies, brokers, and associated companies.  For closely held companies, the rule may provide a window into the appetites of investors, customers and suppliers regarding due diligence expected in cybersecurity risk management.</p>



<p>Crenshaw, Ware &amp; Martin PLC is ready to help your business conduct training, perform cybersecurity risk assessments, and formulate a compliance plan to manage cybersecurity threats for Virginia or Virginia-facing businesses, including publicly traded companies.&nbsp; The firm can also assist with integrating cybersecurity risk management into corporate ESG/CSR programs in response to customer, investor, and supplier demands and expectations. Contact Darius Davenport, Managing Partner, or Butch Bracknell, Attorney, at 757.623.3000, or by email at <a href="mailto:DDavenport@cwm-law.com">DDavenport@cwm-law.com</a> or <a href="mailto:RBracknell@cwm-law.com">RBracknell@cwm-law.com</a>.&nbsp;</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p><a href="#_ftnref1" id="_ftn1">[1]</a> 17 CFR Parts 229, 232, 239, 240, and 249, available at https://www.sec.gov/files/rules/final/2023/33-11216.pdf.</p>
<p>The post <a href="https://www.cwm-law.com/news/articles-and-presentations/securities-and-exchange-commission-final-rule-on-cybersecurity/">Securities and Exchange Commission Final Rule on Cybersecurity</a> appeared first on <a href="https://www.cwm-law.com">CWM Law</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Virginia Consumer Data Protection Act</title>
		<link>https://www.cwm-law.com/news/articles-and-presentations/the-virginia-consumer-data-protection-act/</link>
		
		<dc:creator><![CDATA[ciniva]]></dc:creator>
		<pubDate>Thu, 12 Oct 2023 14:07:43 +0000</pubDate>
				<category><![CDATA[Articles and Presentations]]></category>
		<category><![CDATA[News]]></category>
		<guid isPermaLink="false">https://www.cwm-law.com/?p=8291</guid>

					<description><![CDATA[<p>Consumer data protection has been a hot-button issue and states have only begun to develop legislation on how to ensure data protection without creating an unwieldy enforcement regime. Virginia was the second state (behind California) to enact a data protection statute and it is about to go into effect. </p>
<p>The post <a href="https://www.cwm-law.com/news/articles-and-presentations/the-virginia-consumer-data-protection-act/">The Virginia Consumer Data Protection Act</a> appeared first on <a href="https://www.cwm-law.com">CWM Law</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Consumer data protection has been a hot-button issue and states have only begun to develop legislation on how to ensure data protection without creating an unwieldy enforcement regime. Virginia was the second state (behind California) to enact a data protection statute and it is about to go into effect. Enacted in 2021, the Virginia CDPA (also referenced as the “Act”) became effective this year. While not as robust in its enforceability as California law, the Act lays the foundation for business conduct in Virginia regarding consumer data protection. It also provides a springboard for future amendment, establishing a baseline for responsible business conduct relevant to corporate reputation and Corporate Social Responsibility/Environmental, Social and Governance (CSR/ESG) policies.</p>



<p>The Act has a limited scope, focusing on larger businesses, and applies to:</p>



<ul class="wp-block-list">
<li>&#8220;persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth&#8221;</li>
</ul>



<p class="has-text-align-center"><strong>AND</strong></p>



<p><strong>EITHER:</strong></p>



<ul class="wp-block-list">
<li>Controls or processes personal data of at least 100,000 consumers during a calendar year</li>
</ul>



<p class="has-text-align-center"><strong>OR</strong></p>



<ul class="wp-block-list">
<li>Controls or processes personal data of at least 25,000 consumers <em>and</em> derives over 50 percent of gross revenue from the sale of personal data.</li>
</ul>



<p>The 25,000 and 100,000 consumer metric requirements are limited to Virginia residents acting in an “individual or household context.” Personal Health Information is also generally exempted.</p>



<p>The term “conduct business” is undefined by the Act, but activities that generate taxable revenue in Virginia or the obligations of which might be enforced in Virginia courts likely qualify. In other words, if a business’ activities generate Virginia taxable income or could result in suing or being sued in Virginia courts, the business is conducting business in Virginia for the purposes of applying the Act. Applicability to nonprofit organizations is unclear, but nonprofits engaging in transactions (contract performance, grant performance, employing persons, handling data) are virtually indistinguishable for the purposes of the Act from for-profit businesses and should manage their risk accordingly.</p>



<p>The statute creates the following rights for consumers:</p>



<ul class="wp-block-list">
<li>to verify whether a data controller is processing the consumer’s personal data;</li>



<li>to confirm the personal data and correct inaccuracies;</li>



<li>to delete personal data;</li>



<li>to obtain a copy of their personal data;</li>



<li>to data portability (easy portable access to all pieces of personal data held by a company);</li>



<li>to opt out of the processing of the personal data for certain commercial purposes such as targeted advertising;</li>



<li>to opt out of the sale of their personal data;</li>



<li>to opt out of profiling based upon personal data; and</li>



<li>to not be discriminated against for exercising any of the rights granted by the Act.</li>
</ul>



<p>The Act requires companies to <strong>obtain consent</strong> prior to collecting and processing sensitive personal data (including geolocation data, data about protected characteristics like gender or sexual orientation, and genetic or biometric data). As an initial protection measure, the Act requires companies to engage in <strong>minimization practices</strong> by holding the data for a specific business purpose and only for so long as necessary to achieve that purpose. The Act compels companies to protect the confidentiality, integrity, and accessibility of personal data by implementing and maintaining reasonable <strong>data security practices</strong> consistent with industry standards. Finally, the Act mandates that companies <strong>conduct data protection assessments</strong> when processing sensitive data or engaging in certain activities such as targeted advertising.</p>



<p>Where a consumer exercises his or her rights under the Act, the data controller has 45 days to respond. The Act is silent on whether the business may pass administrative costs regarding the exercise of these rights to the consumer.</p>



<p>The data controller must <strong>establish an appeal process</strong> for the consumer to challenge actions he or she believes are inconsistent with the Act, and further appeals may be referred to the Attorney General. Importantly, there is <strong>no private right of action</strong> for consumers; all enforcement is the province of the Attorney General. The statute provides a 30-day period to cure any violation; violations are enforceable by a $7,500 penalty per violation.</p>



<p>The Act is not the first (and certainly not the last) piece of state legislation posing compliance risk to Virginia companies and nonprofits. The California Consumer Privacy Act, amended this year by the California Privacy Rights Act, applies to any company that transacts certain business in California. Internationally, the European General Data Protection Regulation may pose compliance and enforcement risk for companies transacting business with European data subjects. Both the CCPA and the GDPR have more enforcement teeth than the Act because the latter has no private right of action to enforce it. Yet the reputational risk to businesses in the event of a data breach showing noncompliance with the Virginia Act could be damaging enough to encourage Virginia businesses, or businesses that serve Virginia consumers, to adequately protect consumer data.</p>



<p>Crenshaw Ware &amp; Martin, PLC is ready to help your business conduct training, assess data security policies and compliance and formulate a compliance plan to manage data protection risk for Virginia or Virginia-facing business. CWM can also assist with CCPA and GDPR compliance planning.</p>



<p>CWM also offers an outsourced, independent appeal process for VCDPA consumer appeals, including compliance analysis and generation of an appeal decision report.</p>



<p>Contact Darius Davenport, Managing Partner, or Butch Bracknell, Attorney, at <a href="tel:7576233000">(757) 623-3000</a>, or by email at <a href="mailto:DDavenport@cwm-law.com">DDavenport@cwm-law.com</a> or <a href="mailto:RBracknell@cwm-law.com">RBracknell@cwm-law.com</a>.</p>



<p>Code of Virginia § 18.2-186.6. Breach of personal information notification</p>



<p>A. As used in this section:<br>&#8220;Breach of the security of the system&#8221; means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any resident of the Commonwealth. Good faith acquisition of personal information by an employee or agent of an individual or entity for the purposes of the individual or entity is not a breach of the security of the system, provided that the personal information is not used for a purpose other than a lawful purpose of the individual or entity or subject to further unauthorized disclosure.</p>



<p>&#8220;Encrypted&#8221; means the transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without the use of a confidential process or key, or the securing of the information by another method that renders the data elements unreadable or unusable.</p>



<p>&#8220;Entity&#8221; includes corporations, business trusts, estates, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, governments, governmental subdivisions, agencies, or instrumentalities or any other legal entity, whether for profit or not for profit.</p>



<p>&#8220;Financial institution&#8221; has the meaning given that term in 15 U.S.C. § 6809(3).</p>



<p>&#8220;Individual&#8221; means a natural person.</p>



<p>&#8220;Notice&#8221; means:</p>



<ol class="wp-block-list">
<li>Written notice to the last known postal address in the records of the individual or entity;</li>



<li>Telephone notice;</li>



<li>Electronic notice; or</li>



<li>Substitute notice, if the individual or the entity required to provide notice demonstrates that the cost of providing notice will exceed $50,000, the affected class of Virginia residents to be notified exceeds 100,000 residents, or the individual or the entity does not have sufficient contact information or consent to provide notice as described in subdivisions 1, 2, or 3 of this definition. Substitute notice consists of all of the following:<br>a. E-mail notice if the individual or the entity has e-mail addresses for the members of the affected class of residents;<br>b. Conspicuous posting of the notice on the website of the individual or the entity if the individual or the entity maintains a website; and<br>c. Notice to major statewide media.</li>
</ol>



<p>Notice required by this section shall not be considered a debt communication as defined by the Fair Debt Collection Practices Act in 15 U.S.C. § 1692a.</p>



<p>Notice required by this section shall include a description of the following:<br>(1) The incident in general terms;<br>(2) The type of personal information that was subject to the unauthorized access and acquisition;<br>(3) The general acts of the individual or entity to protect the personal information from further unauthorized access;<br>(4) A telephone number that the person may call for further information and assistance, if one exists; and<br>(5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.</p>



<p>&#8220;Personal information&#8221; means the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of the Commonwealth, when the data elements are neither encrypted nor redacted:</p>



<ol class="wp-block-list">
<li>Social security number;</li>



<li>Driver&#8217;s license number or state identification card number issued in lieu of a driver&#8217;s license number;</li>



<li>Financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to a resident&#8217;s financial accounts;</li>



<li>Passport number; or</li>



<li>Military identification number.</li>
</ol>



<p>The term does not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.</p>



<p>&#8220;Redact&#8221; means alteration or truncation of data such that no more than the following are accessible as part of the personal information:</p>



<ol class="wp-block-list">
<li>Five digits of a social security number; or</li>



<li>The last four digits of a driver&#8217;s license number, state identification card number, or account number.</li>
</ol>



<p>B. If unencrypted or unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and causes, or the individual or entity reasonably believes has caused or will cause, identity theft or another fraud to any resident of the Commonwealth, an individual or entity that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to the Office of the Attorney General and any affected resident of the Commonwealth without unreasonable delay. Notice required by this section may be reasonably delayed to allow the individual or entity to determine the scope of the breach of the security of the system and restore the reasonable integrity of the system. Notice required by this section may be delayed if, after the individual or entity notifies a law-enforcement agency, the law-enforcement agency determines and advises the individual or entity that the notice will impede a criminal or civil investigation, or homeland or national security. Notice shall be made without unreasonable delay after the law-enforcement agency determines that the notification will no longer impede the investigation or jeopardize national or homeland security.</p>



<p>C. An individual or entity shall disclose the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form, or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such a breach has caused or will cause identity theft or other fraud to any resident of the Commonwealth.</p>



<p>D. An individual or entity that maintains computerized data that includes personal information that the individual or entity does not own or license shall notify the owner or licensee of the information of any breach of the security of the system without unreasonable delay following discovery of the breach of the security of the system, if the personal information was accessed and acquired by an unauthorized person or the individual or entity reasonably believes the personal information was accessed and acquired by an unauthorized person.</p>



<p>E. In the event an individual or entity provides notice to more than 1,000 persons at one time pursuant to this section, the individual or entity shall notify, without unreasonable delay, the Office of the Attorney General and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice.</p>



<p>F. An entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information that are consistent with the timing requirements of this section shall be deemed to be in compliance with the notification requirements of this section if it notifies residents of the Commonwealth in accordance with its procedures in the event of a breach of the security of the system.</p>



<p>G. An entity that is subject to Title V of the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.) and maintains procedures for notification of a breach of the security of the system in accordance with the provision of that Act and any rules, regulations, or guidelines promulgated thereto shall be deemed to be in compliance with this section.</p>



<p>H. An entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures, or guidelines established by the entity&#8217;s primary or functional state or federal regulator shall be in compliance with this section.</p>



<p>I. Except as provided by subsections J and K, pursuant to the enforcement duties and powers of the Office of the Attorney General, the Attorney General may bring an action to address violations of this section. The Office of the Attorney General may impose a civil penalty not to exceed $150,000 per breach of the security of the system or a series of breaches of a similar nature that are discovered in a single investigation. Nothing in this section shall limit an individual from recovering direct economic damages from a violation of this section.</p>



<p>J. A violation of this section by a state-chartered or licensed financial institution shall be enforceable exclusively by the financial institution&#8217;s primary state regulator.</p>



<p>K. Nothing in this section shall apply to an individual or entity regulated by the State Corporation Commission&#8217;s Bureau of Insurance.</p>



<p>L. The provisions of this section shall not apply to criminal intelligence systems subject to the restrictions of 28 C.F.R. Part 23 that are maintained by law-enforcement agencies of the Commonwealth and the organized Criminal Gang File of the Virginia Criminal Information Network (VCIN), established pursuant to Chapter 2 (§ 52-12 et seq.) of Title 52.</p>



<p>M. Notwithstanding any other provision of this section, any employer or payroll service provider that owns or licenses computerized data relating to income tax withheld pursuant to Article 16 (§ 58.1-460 et seq.) of Chapter 3 of Title 58.1 shall notify the Office of the Attorney General without unreasonable delay after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a taxpayer identification number in combination with the income tax withheld for that taxpayer that compromises the confidentiality of such data and that creates a reasonable belief that an unencrypted and unredacted version of such information was accessed and acquired by an unauthorized person, and causes, or the employer or payroll provider reasonably believes has caused or will cause, identity theft or other fraud. With respect to employers, this subsection applies only to information regarding the employer&#8217;s employees, and does not apply to information regarding the employer&#8217;s customers or other non-employees.</p>



<p>Such employer or payroll service provider shall provide the Office of the Attorney General with the name and federal employer identification number of the employer as defined in § 58.1-460 that may be affected by the compromise in confidentiality. Upon receipt of such notice, the Office of the Attorney General shall notify the Department of Taxation of the compromise in confidentiality. The notification required under this subsection that does not otherwise require notification under this section shall not be subject to any other notification, requirement, exemption, or penalty contained in this section.</p>



<p>[1] <a href="https://law.lis.virginia.gov/vacode/title59.1/chapter53/">https://law.lis.virginia.gov/vacode/title59.1/chapter53/</a></p>
<p>The post <a href="https://www.cwm-law.com/news/articles-and-presentations/the-virginia-consumer-data-protection-act/">The Virginia Consumer Data Protection Act</a> appeared first on <a href="https://www.cwm-law.com">CWM Law</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Cybersecurity and the Workforce:  Strengthening Weak Links</title>
		<link>https://www.cwm-law.com/news/articles-and-presentations/cybersecurity-and-the-workforce-strengthening-weak-links/</link>
		
		<dc:creator><![CDATA[ciniva]]></dc:creator>
		<pubDate>Fri, 06 Oct 2023 23:26:34 +0000</pubDate>
				<category><![CDATA[Articles and Presentations]]></category>
		<category><![CDATA[News]]></category>
		<guid isPermaLink="false">https://www.cwm-law.com/?p=8285</guid>

					<description><![CDATA[<p>October is Cybersecurity Awareness Month, and Crenshaw, Ware and Martin PLC attorney Butch Bracknell and Layer9IT Founder and CEO Troy McCollum collaborated with some thoughts on cybersecurity and developing company workforces.</p>
<p>The post <a href="https://www.cwm-law.com/news/articles-and-presentations/cybersecurity-and-the-workforce-strengthening-weak-links/">Cybersecurity and the Workforce:  Strengthening Weak Links</a> appeared first on <a href="https://www.cwm-law.com">CWM Law</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Troy McCollum and Butch Bracknell</p>



<p>Cybersecurity Awareness Month, annually observed in October in the U.S., is an excellent time to reflect on cybersecurity practices, training, business risks, and strategies to manage this risk for companies. Annually, cyber incidents (intrusions, breaches, and similar security gaps) cost U.S. businesses disproportionately more than the costs associated with active cybersecurity risk management. For example, cybercrime is up 600% due to the COVID-19 pandemic, as more people work from home and are online more hours each day. Cybercrime estimates top $10.5 trillion – TRILLION – annually by 2025.&nbsp;</p>



<p>The average cost of a data breach to a U.S. business or organization is about $2.98 million, and phishing costs, on average, $14.8 million per successful attack. Some of these costs can be avoided and risks mitigated for businesses and organizations through investment in cyber defense capabilities and kit, smart employment policies, effective training integrating applicable ISO standards, and enforcement of cyber hygiene practices.</p>



<p>Cybersecurity hygiene and risk management primarily come down to the end user. Security is a journey, not a destination. The tools, patches, systems, and networks are helpful. Still, effective cybersecurity postures depend disproportionately on the conduct and cyber discipline of the end user, their training, personal and professional restraint, and instincts. Purchasing a full security stack of tools does not finish the job. It’s just the beginning.</p>



<p>Personal cyber hygiene practices are almost always the number one risk for organizations. Hollywood portrays complex hacking efforts that can penetrate networks without help – which is true – but most intrusions and hacks start with a virtual invitation by a network insider through phishing, spoofing, or similar techniques. One good analogy is that a thief can steal money by cracking a safe in a bank vault, or he can walk right into an open door at the bank where the cash drawers have been left unguarded, and the safe deposit boxes have the keys unattended.</p>



<p>Companies ranging from publicly traded multinational corporations to privately held C and S corporations, small business LLCs and partnerships, to nonprofits and public institutions have scaled cybersecurity interests. These different business and corporate organizations are not neatly binned, because cybersecurity is matrixed – multinational corporations often make grants to nonprofits; university research foundations frequently exchange data with companies, hospitals, and grant sponsors.</p>



<p>Cybersecurity risk is not wholly reliant on a company’s hygiene and employee practices but also on the cybersecurity posture of the partners with which organizations do business. Moreover, for federal contracts, cybersecurity standards can be imposed on subcontractors via flowdown clauses. Organizations should also consider negotiating cybersecurity incident indemnification clauses into contracts and ensuring adequate insurance coverage. Partner cyber hygiene practices are an essential consideration in engaging in transactions, pricing, and regulatory/compliance planning.</p>



<p>This factor is markedly true in mergers and acquisitions. Organizations must actively assess and manage risk when deciding in whom to entrust the keys to the cybersecurity kingdom.</p>



<p>Security culture can also be generational.&nbsp; Generation Z are digital natives – that is, people born into and raised with the information age of digital technology, rather than having had to learn it as adults – yet the National Cybersecurity Alliance has found them to “have higher cyber incident victimization rates” than older generations.<a href="#_ftn1" id="_ftnref1">[1]</a>&nbsp; Why?&nbsp; First, they’re more immersively connected – with tech familiarity comes more ubiquitous connectivity, and thus more opportunities for mischief or mistakes through “security fatigue.”&nbsp; Another reason is that cybersecurity is often taught in the workplace but seldom taught in schools.&nbsp; New high school and college graduates entering the workforce may present a particular vulnerability until effective organizational training and policy enforcement take hold.&nbsp; Finally, younger people may be more open to the proposition that information is a public good, and therefore that efforts to protect and segregate it are bad.&nbsp; This may be philosophically appealing, but it is commercially naïve in an era of lurking foreign intelligence, ransomware, denial of service attacks, and economic espionage.&nbsp; The Massachusetts Air National Guardsman who leaked a trove of Top Secret documents from 2022 until his arrest in April 2023 did so by posting them in Discord chat rooms to benefit his online gaming activities, not for any nefarious purpose related to espionage.&nbsp; According to the charging documents, he may have been simply too inexperienced to understand the consequences of his actions.</p>



<p>Finally, businesses, nonprofits, and public organizations must build cybersecurity training and compliance policies into employment handbooks and contracts. Organizations must be willing to enforce these policies through progressive discipline where warranted and consider more drastic measures where an employee or contractor’s conduct, willful or negligent, exposes the company or nonprofit to increased cybersecurity risk. In the right circumstances, an employee’s error can pose a catastrophic or even existential threat to a company.</p>



<p>Halloween ends Cybersecurity Awareness Month, and while this commentary has been a bit of a parade of horribles, it is not intended to be scary – only to inspire organizational leaders and managers to be wary. No cybersecurity risk management plan is foolproof, but organizations can manage risk through well-planned and resourced cybersecurity infrastructure, hiring, training, policy development, business processes, and enforcement of standards.</p>



<p><a href="mailto:TMCollum@layer9it.com">Troy McCollum</a> is the founder and CEO of Layer 9 IT, a Virginia full-service outsourced IT company focused on the legal, financial and medical verticals.&nbsp; <a href="https://www.layer9it.com">https://www.layer9it.com</a></p>



<p><a href="mailto:Rbracknell@cwm-law.com">Butch Bracknell</a> is a cybersecurity and business law attorney with the Norfolk law firm of Crenshaw, Ware and Martin PLC.&nbsp; Crenshaw Ware &amp; Martin has been providing business counsel for Hampton Roads, Virginia, and Eastern North Carolina businesses for 100 years.&nbsp; <a href="http://www.cwm-law.com">www.cwm-law.com</a>&nbsp;</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p><a href="#_ftnref1" id="_ftn1">[1]</a> Claire Nuñez, How to Embed Gen Z in Your Organization’s Security Culture, Security Intelligence, December 15, 2022, available at <a href="https://securityintelligence.com/x-force/gen-z-cybersecurity-culture">https://securityintelligence.com/x-force/gen-z-cybersecurity-culture</a>.&nbsp;</p>
<p>The post <a href="https://www.cwm-law.com/news/articles-and-presentations/cybersecurity-and-the-workforce-strengthening-weak-links/">Cybersecurity and the Workforce:  Strengthening Weak Links</a> appeared first on <a href="https://www.cwm-law.com">CWM Law</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Decision could change how contractors sue VDOT</title>
		<link>https://www.cwm-law.com/news/decision-could-change-how-contractors-sue-vdot/</link>
		
		<dc:creator><![CDATA[ciniva]]></dc:creator>
		<pubDate>Fri, 03 Mar 2023 12:59:20 +0000</pubDate>
				<category><![CDATA[Articles and Presentations]]></category>
		<category><![CDATA[News]]></category>
		<guid isPermaLink="false">https://www.cwm-law.com/?p=8146</guid>

					<description><![CDATA[<p>W. Ryan Snow, Chair of CWM’s Construction Law practice group, keeps the firm on the cutting edge of issues important to contractors in Virginia. Snow was recently quoted in the VBA Journal on a cutting-edge construction law case involving VDOT and a local contractor.</p>
<p>The post <a href="https://www.cwm-law.com/news/decision-could-change-how-contractors-sue-vdot/">Decision could change how contractors sue VDOT</a> appeared first on <a href="https://www.cwm-law.com">CWM Law</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>W. Ryan Snow, Chair of CWM’s Construction Law practice group, keeps the firm on the cutting edge of issues important to contractors in Virginia. Snow was recently quoted in the <a href="https://www.cwm-law.com/wp-content/uploads/2023/03/spring-2023-CWM.pdf" target="_blank" rel="noreferrer noopener">VBA Journal</a> on a cutting-edge construction law case involving VDOT and a local contractor.<br><br><a href="https://www.cwm-law.com/wp-content/uploads/2023/03/spring-2023-CWM.pdf" target="_blank" rel="noreferrer noopener">Read the full article</a></p>
<p>The post <a href="https://www.cwm-law.com/news/decision-could-change-how-contractors-sue-vdot/">Decision could change how contractors sue VDOT</a> appeared first on <a href="https://www.cwm-law.com">CWM Law</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
