With 5G, will your thermometer need malware protection?

5G is perhaps the biggest critical infrastructure build the world has seen in twenty-five years.  It will allow for the connection of millions of Internet of Things (“IoT”) devices.  However, with these added benefits come related vulnerabilities and cybersecurity risks.


What specific cybersecurity risks are associated with the 5G network?

First, the 5G network itself can pose many security risks.  The 5G infrastructure is built using many components, each of which may be corrupted through an insecure supply chain.  Significantly more software is being used, allowing for more entry points and more potential vulnerabilities.  Similarly, more hardware devices are required (cell towers, beamforming devices, small cells, etc.), and each one of these hardware devices must be adequately secured.  Small, local cells may be more physically accessible and therefore subject to physical attack.  Further, 5G will be built, in part, on legacy 4G LTE components – which themselves can have vulnerabilities.

Second, with specific focus on IoT devices, cybersecurity protections will need to become much more granular and more capable of being deployed on less intelligent “Things.”  Historically, one could think of a Thing as a device that can be connected to a network, but which lacked sufficient processing power to handle more advanced computations.  Things are “dumb.”  By connecting a processor, we could make such dumb Things “smart.”  These new smart IoT devices are interesting vectors of attack by malicious actors and further confound overall cybersecurity programs.  The ability to detect a cyber attack on a light bulb will require additional cybersecurity solutions.

Finally, with 5G facilitating the implementation of more IoT devices, more sensitive data may be stored, which requires protecting the edge computers that service those IoT devices.  If we consider the ubiquity of thermometer scanning now and how those and similar IoT devices could easily become part of 5G, then we begin to understand the seemingly exponential possibility for threat vectors on our networks.  We may have sensitive data (Am I sick?  What time do I show up for work?) and we may have the concern that a malicious actor may look to infect a network through a Thing.  Will thermometers need malware protection?  More devices arguably allow for more places for a hacker to attempt to attack and thus the possibility of a greater availability of distributed denial of service (DDoS) attacks.  There have been reports of Things being used collectively to deny service on the LTE network.  With 5G, the concept of an army of coffee makers attacking by all issuing a request to an address will become a greater possibility, and manufacturers could be liable to other parties if their insecure Things are used to deny the service of someone else.

Regardless of the attack vector, incident response practices are universal, and Octillo’s Incident Response Team can help prepare your team for IoT and other attacks.


What potential solutions are available to mitigate this risk?

Companies looking to incorporate 5G should partner with experienced tech counsel who can assist by reviewing contracts, conducting risk assessments, and evaluating and updating incident response plans and procedures to account for any additional risks associated with 5G.

In addition, there are already some attempts at governmental solutions.  In March 2020, President Trump issued a National Strategy to Secure 5G – requiring, in relevant part, that the United States identify cybersecurity risks in 5G.

The Cybersecurity & Infrastructure Security Agency (CISA) has also issued documents relating to the security of 5G.  Similarly, we are seeing a push for international standards, and certain untrusted companies have had their products banned from use.  The Federal government is using regulations to limit the adoption of equipment that may contain vulnerabilities.

So, what is the solution?  The same as always.  Innovation.  Businesses are encouraged to develop trusted solutions and innovation in this space.  Advanced cybersecurity monitoring and protection by design will continue to be needed.

The Octillo Team of lawyers, who are also technologists, is well-versed in new and emerging technologies and works with clients to facilitate innovation through the use of IP protections.  We also assist companies in the implementation of new technologies, like 5G, taking into consideration the cybersecurity, data privacy, and regulatory obstacles associated with their use.  From patent acquisition to policy drafting and review, Octillo attorneys are here to help your company capitalize on innovation.

*Attorney Advertising. Prior results do not guarantee future outcomes. 

California Automatic Renewal Laws and Recent Litigation

Automatic renewal contracts have become ubiquitous in our everyday lives; however, few give thought to the laws and regulations governing them.  The federal government has regulations governing automatic renewal contracts[1], and most states similarly have their own laws governing them, known as automatic renewal laws (“ARL”).  Perhaps unsurprisingly, in 2009 California enacted one of the strictest ARLs, intended to end the practice of charging consumer credit cards without a customer’s explicit consent for ongoing shipments of product or deliveries of a service.[2]

What is an Automatic Renewal Under California’s Automatic Renewal Law?

An “automatic renewal” is defined as “a plan or arrangement in which a paid subscription or purchasing agreement is automatically renewed at the end of a definite term for a subsequent term.”[3]  Similarly, a “continuous service” is defined as “a plan or arrangement in which a subscription or purchasing agreement continues until the consumer cancels the service.”[4]  While these definitions may appear to be esoteric, we encounter a number of automatic renewals or continuous services in our everyday lives – everything from meal kit boxes such as HelloFresh and Blue Apron, to monthly subscription boxes like Birchbox or LootCrate, to digital subscription services like Netflix, Hulu, Apple Music, or Spotify.

What Does California’s Automatic Renewal Law Require?

If a business wants to offer an automatically renewing contract it must:

  1. Clearly and conspicuously disclose, before a contract is fulfilled, the “automatic renewal offer terms” or “continuous service offer terms” of the contract;
  2. Obtain the “affirmative consent” of a customer to the “automatic renewal offer terms” or “continuous service offer terms”;
  3. Disclose any cancellation policies; and
  4. Provide notice of any “material changes” to the terms of the “automatic renewal offer terms” or “continuous service offer terms.”[5]

What Terms Must Be Disclosed Under California’s Automatic Renewal Law?

The California automatic renewal law requires that “automatic renewal offer terms” and “continuous service offer terms” be disclosed in a clear and conspicuous manner before the contract is made or fulfilled and must include:

  1. That the subscription or purchasing agreement will continue until the consumer cancels;
  2. A description of the cancellation policy that applies to the offer;
  3. The recurring charges that will be charged to the consumer’s credit or debit card or payment account with a third party as part of the automatic renewal plan or arrangement, and the amount of the charge;
  4. The length of the automatic renewal term; and
  5. The minimum purchase obligation.[6]

In 2018, the California ARL was amended to provide that if the offer includes a free gift or free trial, the business must clearly and conspicuously notify the customer of the price that will be charged and when the free trial expires.

What Happens If My Business Does Not Comply with California’s Automatic Renewal Law?

The California ARL does not provide for a private right of action, meaning a California resident cannot directly sue a business for violating the automatic renewal law.  The law simply provides that “all available civil remedies that apply to a violation of [the California ARL] may be employed.”[7] 

That is not to say that the California ARL is without teeth.  To be sure, an organization known as the California Auto Renewal Task Force (CART), made up of District Attorneys from a variety of Californian counties, has filed numerous actions against businesses for allegedly violating the ARL.  An action brought by CART recently settled with the business agreeing to pay $400,000 in penalties and an additional $150,000 in restitution for violating the California ARL by failing to get the customers’ affirmative consent as outlined above.[8]

Are There Any Other Concerns If My Business Engages in Automatic Renewal Contracts?

In addition to California, the federal government may impose regulatory requirements regarding automatic renewal contracts of which your business should be aware.  Under the Restore Online Shoppers’ Confidence Act (ROSCA), the Federal Trade Commission is tasked with investigating businesses who fail to:

  1. Clearly and conspicuously disclose material terms of the contract, such as whether it is recurring;
  2. Obtain the consumer’s express and informed consent before making a charge; and
  3. Provide a simple mechanism to stop recurring charges.[9]

A recent case involving a California-based company, Age of Learning, Inc. d/b/a ABCmouse, resulted in a $10,000,000 settlement after the FTC alleged that ABCmouse failed to provide a sufficiently simple mechanism to stop the recurring charges for educational content.[10]

As transparency remains a cornerstone of compliance initiatives, whether under California’s ARL or ROSCA, it is critical for businesses to have a solid foundation in place before scaling, in order to avoid potential settlements or fines.  Our experienced litigation and compliance attorneys at Octillo can help your business navigate the complexities of drafting appropriate notices, or handling litigation resulting from California’s or any other state’s ARL.

*Attorney Advertising: Prior results do not guarantee a similar outcome. 


[1] See, e.g., Section 5 of the FTC Act, 15 U.S.C. § 45(a) (regulating unfair or deceptive practices); Restore Online Shoppers’ Confidence Act (ROSCA), 15 U.S.C. § 8403 et seq. (prohibiting charging customers unless there has been clear disclosure of, and express consent to, the material terms).

[2] Cal Bus & Prof Code § 17600 et seq.

[3] Cal Bus & Prof Code § 17601(a).

[4] Cal Bus & Prof Code § 17601(e).

[5] Cal Bus & Prof Code § 17602.

[6] Cal Bus & Prof Code § 17601(b)(1-5).

[7] Mayron v. Google LLC, 54 Cal. App. 5th 566, 570 (2020); Cal Bus & Prof Code § 17604(a).

[8] DA Announces Consumer Protection Settlement In Auto-Renewal Case (Mar. 7, 2021 at 5:48pm), https://patch.com/california/santacruz/da-announces-consumer-protection-settlement-auto-renewal-case

[9] 15 U.S.C. §§ 8401-8405 et seq.

[10] See FTC, 10 million ABCmouse settlement: Avoiding auto-renewal traps (Sep. 2, 2020 at 12:10pm), https://www.ftc.gov/news-events/blogs/business-blog/2020/09/10-million-abcmouse-settlement-avoiding-auto-renewal-traps

Utah Adopts Cybersecurity Affirmative Defense Act Protecting Business from Certain Claims Arising Out of Data Breaches

On March 11, 2021, Utah Governor Spencer Cox signed the Cybersecurity Affirmative Defense Act (the “Act”) into law.  The Act creates affirmative defenses to certain causes of action arising out of a breach of system security.  See generally Utah Code Ann. § 78B-4-701 et seq.

The Act defines a breach of system security as including “an unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information.”  Utah Code Ann. § 13-44-102(1)(a).  Similarly, the Act defines personal information as including a person’s first name and last name when combined with a social security number, financial account number in combination with a required security code, and a driver’s license.  Utah Code Ann. § 13-44-102(1)(a).

The Act provides that a business that “creates, maintains, and reasonably complies with a written cybersecurity program” that is “in place at the time of breach of system security” shall be afforded an affirmative defense to tort claims arising out of the business’s alleged “fail[ure] to implement reasonable information security controls that resulted in the breach of system security.”  Utah Code Ann. § 78B-4-702.

While the Act requires a written cybersecurity program, it does not set forth a new technical cybersecurity standard.  Instead, the Act requires that a written cybersecurity program “shall provide administrative, technical, and physical safeguards to protect personal information” and that the program “reasonably conforms to the current version of” NIST 800-171, NIST 800-53, ISO 2700, or the HIPAA Security Rule.  Utah Code Ann. § 78B-4-702(4); Utah Code Ann. § 78B-4-703(1)(b).  Altogether, this requirement for a written cybersecurity program is not entirely dissimilar to the cybersecurity program requirements for businesses under New York’s “Stop Hacks and Improve Electronic Data Security Act” (SHIELD Act), which we further outlined here.

There are a couple of other notable provisions in the Act.  First, the Act does not create a private right of action if a business fails to comply with the Act.  Utah Code Ann. § 78B-4-704.  Second, the Act provides that if an action is brought in another state but is governed by Utah law, then the Act should apply.  Utah Code Ann. § 78B-4-705.  As such, if a Utah business is sued in court for an alleged failure to implement information security standards and a resulting breach, it may rely on the Cybersecurity Affirmative Defense Act to the extent that it had and followed its written cybersecurity program.  Moreover, Utah isn’t alone in providing for an affirmative defense; Ohio adopted similar legislation in 2018.  See Ohio Rev. Code Ann. § 1354 et seq.

Octillo closely monitors for any and all changes in the law related to breaches of system security, data breaches, or other cybersecurity incidents.  Octillo’s team of attorneys and technologists is especially attuned to both responding to a data breach and understanding what a robust written cybersecurity program entails.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Myriah V. Jaworski, Esq., CIPP/US, CIPP/E Published in the ‘Journal on Emerging Issues in Litigation’

‘A Compelling Outcome: Using Arbitration Agreements to Limit Liability in Data Privacy Class Actions’

Abstract: Data privacy class actions are proliferating.  Defendant companies may find that an effective defense strategy is moving to compel individual arbitration.  Not all contracts have the appropriate language, however, and, even if they do, they may not succeed.  This article, which will appear in the forthcoming issue of the Journal on Emerging Issues in Litigation, discusses U.S. privacy litigation and case law on compelling arbitration of class claims in the privacy law context, with recommendations for businesses to improve their chances of securing court orders that enforce arbitration language in their agreements.

Accountability and the Use of Artificial Intelligence

As artificial intelligence (“AI”) and automated decision-making systems make their way into every corner of society – from businesses and schools to government agencies – concerns about using the technology responsibly and accountability are on the rise. 

The United States has always been at the forefront of technological innovation, and our government policies have helped us remain there.  To that end, on February 11, 2019, President Trump issued an Executive Order on Maintaining American Leadership in Artificial Intelligence (No. 13,859).  See Exec. Order No. 13,859, 3 C.F.R. 3967.  As part of this Executive Order, the “American AI Initiative” was launched with five guiding principles:

  1. Driving technological breakthroughs; 
  2. Driving the development of appropriate technical standards; 
  3. Training workers with the skills to develop and apply AI technologies; 
  4. Protecting American values, including civil liberties and privacy, and fostering public trust and confidence in AI technologies; and
  5. Protecting U.S. technological advantages in AI, while promoting an international environment that supports innovation.  Id. at § 1.

Finally, the Executive Order tasked the National Institute of Standards and Technology (“NIST”) of the U.S. Department of Commerce with creating a plan for the development of technical standards to support reliable, robust, and trustworthy AI systems.  Id. at § 6(d).  To that end, NIST released its Plan for Federal Engagement in Developing Technical Standards in August 2019.  See Nat’l Inst. of Standards & Tech., U.S. Leadership in AI: A Plan for Federal Engagement in Developing Technical Standards and Related Tools (2019).

While excitement over the use of AI was brewing in the executive branch, the legislative branch was concerned with its accountability: on April 10, 2019, the Algorithmic Accountability Act (“AAA”) was introduced into Congress.  See Algorithmic Accountability Act of 2019, S. 1108, H.R. 2231, 116th Cong. (2019).  The AAA covered businesses that:

  1. Made more than $50,000,000 per year;
  2. Held data for greater than 1,000,000 customers; or
  3. Acted as a data broker to buy and sell personal information.  Id. at § 2(5). 

The AAA would have required businesses to conduct “impact assessments” on their “high-risk” automated decision systems in order to evaluate the impacts of the system’s design process and training data on “accuracy, fairness, bias, discrimination, privacy, and security.”  Id. at §§ 2(2) and 3(b).  These impact assessments would have been required to be performed “in consultation with external third parties, including independent auditors and independent technology experts.”  Id. at § 3(b)(1)(C).  Following an impact assessment, the AAA would have required that businesses reasonably address the results of the impact assessment in a timely manner.  Id. at § 3(b)(1)(D).

The federal government was not the only one concerned about the use of AI in business: on May 20, 2019, the New Jersey Algorithmic Accountability Act (“NJ AAA”) was introduced into the New Jersey General Assembly.  The NJ AAA was very similar to the AAA in that it would have required businesses in the state to conduct impact assessments on “high risk” automated decisions.  See New Jersey Algorithmic Accountability Act, A.B. 5430, 218th Leg., 2019 Reg. Sess. (N.J. 2019).  These “Automated decision system impact assessments” would have required an evaluation of the system’s development, “including the design and training data of the automated decision system, for impacts on accuracy, fairness, bias, discrimination, privacy, and security,” as well as a cost-benefit analysis of the AI in light of its purpose.  Id. at § 2.  The NJ AAA would have also required businesses to work with independent third parties, record any bias or threat to the security of consumers’ personally identifiable information discovered through the impact assessments, and provide any other information required by the New Jersey Director of the Division of Consumer Affairs in the New Jersey Department of Law and Public Safety.  Id.

While the aforementioned legislation appears to have stalled, we nevertheless anticipate that both federal and state legislators will once again take up the task of both encouraging and regulating the use of AI in business as the COVID-19 pandemic subsides.  Our team at Octillo includes attorneys who are focused on technology, data security, and privacy and have the experience to advise your business on the best practices for the adoption of AI and automated decision-making systems.

*Attorney Advertising. Prior results do not guarantee future outcomes. 
