On March 8, the U.S. Department of Justice announced a $930,000 settlement with Comprehensive Health Services, LLC for alleged violations of the False Claims Act. As DOJ’s first resolution of a False Claims Act enforcement action involving cyber fraud since launching its Civil Cyber-Fraud Initiative in October 2021, this settlement signals the DOJ’s eagerness to

Investing in artificial intelligence (AI) companies has become a riskier and more involved process than in previous years.  Companies need new processes and tools to follow the more stringent AI regulations that are on the horizon (at least in Europe and the United States).  Regulators are discussing how best to structure AI regulations in order to align risk management with optimizing the potential value creation of these technologies.  Investors should take a similar approach in their investment strategy. Read on for a discussion of the considerations investors should keep in mind as they vet their investment pipeline.
Continue Reading Tech Investing Part III: Investing in AI

Threats to cybersecurity and data privacy are constantly increasing both in volume and complexity.  This trend is expected to continue in 2022.  In a bid to protect cybersecurity and ensure data is properly safeguarded, countries around the world are introducing new laws focused on cybersecurity and data protection.  Armed with new legal frameworks, regulators and law enforcement are placing onerous obligations on organisations who fall victim to cybersecurity breaches.  There are shorter deadlines in which to notify the authorities of data breaches and ever increasing fines and penalties for businesses that fail to respond swiftly and appropriately to a cyberattack.

In this ever-changing area, what is on the horizon for 2022?
Continue Reading Cybersecurity and Data Privacy – What to expect in 2022

On Nov. 4, the Department of Defense announced significant changes to the Cybersecurity Maturity Model Certification program, intended to simplify the certification standard and prioritize protection of certain types of controlled defense information.

Read on for an overview of the changes, a timeline for their implementation and implications for defense contractors.

Amazon’s financial records have revealed that the Luxembourg data protection supervisory authority, the Commission Nationale pour la Protection des Données (“CNPD”), is fining the retailer’s European arm (Amazon Europe Core S.à.r.l.) an eyewatering 746 million euros (£636m or $838m) for breaches of the EU’s General Data Protection Regulation (“GDPR”).

When the GDPR was introduced in May 2018, the potential for huge financial sanctions grabbed many headlines: it gives European supervisory authorities the power to impose fines of up to 20 million euros or 4% of annual global turnover (whichever is greater) for breaches of the GDPR. There have been some undeniably sizeable fines issued under the GDPR in the last three years. But the level of this particular fine is extraordinary: it’s the largest GDPR fine issued to date by a considerable margin. The second largest fine ever imposed under the GDPR was a comparatively paltry 50 million euros, levied against Google by CNIL (the French supervisory authority) in early 2019 (which you can read about here).
Continue Reading CNPD v. Amazon, the largest GDPR fine on record – what do we know so far?

New York City’s recently enacted biometric privacy law took effect July 9, 2021. While the law is vague as to exactly who must abide by certain subsections, it is undoubtedly consumer-focused. However, even if employers escape New York City’s biometric ordinance, a looming New York state law may soon impose more expansive biometric requirements on

Yesterday, the Supreme Court resolved a circuit split on the scope of the Computer Fraud and Abuse Act of 1986 (CFAA) in a decision that emphasizes the importance of how organizations manage access to their systems.  Employees with access to information at work sometimes access that information with improper motives, and in violation of office policies.  This inappropriate use of access has led to federal criminal prosecution for some.  In Van Buren v. United States, No. 19-783, the United States Supreme Court held that the CFAA is not properly applied to justify those prosecutions.

Nathan Van Buren was a police officer who accepted $6,000 from Andrew Albo, a participant in an FBI sting operation, to search a police database to determine whether a woman Albo professed interest in was an undercover police officer.  Van Buren ran a search for the woman’s license plate in the Georgia Crime Information Center database.  For doing so, Van Buren was charged and convicted of violating the CFAA, because he had “exceeded” his authority to access that database.
Continue Reading Federal Law Won’t Protect Your Organization from Bad User Access Control Practices

On May 12, President Biden signed an executive order mandating that the federal government significantly improve cybersecurity within its networks and modernize federal cyber defenses. This move follows a series of cyberattacks on private companies and federal government networks over the past year, including a recent incident that resulted in gasoline shortages along the U.S.

On April 14, 2021, the United States Department of Labor (the “DOL”) issued, for the first time, guidance on cybersecurity issues to retirement plan sponsors, fiduciaries, record keepers, service providers and plan participants. The DOL’s press release includes three pieces of guidance: (1) Tips for Hiring Service Providers; (2) Cybersecurity Program Best Practices; and (3) Online Security Tips.

The Employee Benefits Security Administration (the “EBSA”), a sub-agency of the DOL, stated long ago that addressing cybersecurity was on the agency’s “to do” list, and even published a report in 2016 reflecting the need for such guidance, which we previously covered here.

The Employee Retirement Income Security Act of 1974, as amended (“ERISA”), includes fiduciary standards that require a retirement plan to be administered in accordance with a standard of care for a prudent person who is familiar with such matters. Common sense dictates that ERISA fiduciaries administer their plans in accordance with industry standards for cybersecurity, safeguard plan assets and ensure that appropriate controls are in place to avoid financial losses to plans that may result from a cybersecurity breach. However, the legal issues concerning who is responsible (plan participant, plan sponsor or record keeper) remain open questions in many jurisdictions.
Continue Reading DOL’s New Cybersecurity Guidance

The technology sector runs the gamut from artificial intelligence (AI) and the Internet of Things (IoT) to SaaS companies and cybersecurity, and from the biggest household names to the smallest companies being operated out of garages. The rise of AI and traps for the unwary were previously covered here.  Risks of investing in SaaS solutions can be found here and here.  Technology is everywhere in 2021, even in the smallest brick-and-mortar shops around.  Technology investing offers lucrative opportunities for investors large and small, but there are many traps for the unwary, such as “zero-day exploits.”
Continue Reading Tech Investing Part 1: Zero Hour