Volume 4, Issue 1, 2023

Welcome to the first issue of Decoded for 2023. As we all know, the world of technology moves fast. Changes are constant and the impacts of those changes affect every aspect of our personal and business lives. We are committed to bringing you top news stories, trends and an understanding of those changes with each issue of Decoded.

We hope you enjoy this issue and, as always, thank you for reading.

Nicholas P. Mooney II, Co-Editor of Decoded, Chair of Spilman's Technology Practice Group, and Co-Chair of the Cybersecurity & Data Protection Practice Group

and

Alexander L. Turner, Co-Editor of Decoded and Co-Chair of the Cybersecurity & Data Protection Practice Group

Big Boosts to Cybersecurity and Tech Funding in $1.7T Omnibus Bill Signed by Biden

“The bipartisan fiscal 2023 omnibus spending agreement includes $2.9 billion for the Cybersecurity and Infrastructure Security Agency, a $313 million increase over its current budget as well as $1.6 billion for the National Institute of Standards and Technology, an increase of $397 million for the agency.”

Why this is important: With cybersecurity risks increasing and evolving moving into 2023, the federal government is taking steps to help secure our cyber infrastructure. The recent passing of the 2023 omnibus spending agreement included additional funds for a variety of federal agencies in order to strengthen our cybersecurity apparatus. The Cybersecurity and Infrastructure Agency (“CISA”) received $1.3 billion for its cybersecurity programs. This is a $230 million increase over last year. While this increase in funding is intended to help CISA improve the country’s cybersecurity, it does come with some significant strings. CISA is currently a year late in providing Congress with its force structure assessment, which includes its organizational planning, staffing, and budgeting. In order to force CISA to provide the necessary documentation for Congressional oversight, the omnibus funding included a caveat that CISA will be fined $50,000 for every day it is late in providing Congress with its quarterly briefing. Congress is getting serious about holding CISA accountable, and will not allow it to continue to skirt Congressional oversight. 

The omnibus also included additional cybersecurity funding for other federal agencies. $200 million has been allocated for the Department of Energy’s Cybersecurity, Energy Security, and Emergency Response (“CESER”) in order to protect our vulnerable power grid. The Treasury Department also received $100 million in funding for the Treasury Department’s Cybersecurity Enhancement Account, which is a $20 million increase over last year. Congress also allocated $50 million funding to protect against cyberattacks by foreign adversaries like Russia, China, Iran, and North Korea. This included tasking the Federal Trade Commission to collect and report on international cyberattacks committed by foreign actors. While this increase in funding indicates that Congress is taking cybersecurity more seriously, the U.S. still lacks a comprehensive cybersecurity law that streamlines cybersecurity compliance throughout the entire country. As it stands now, companies operating nationally have to comply with a myriad of cybersecurity and privacy laws, which leads to confusion and increased costs. If Congress wants to positively impact cybersecurity in the U.S., it needs to pass comprehensive cybersecurity and privacy legislation. --- Alexander L. Turner

FBI Blames North Korea for $100 Million Crypto Heist

“The bureau said ‘a portion’ of the $60 million was frozen, but did not specify how much.”

Why this is important: This article provides an update to earlier articles about a hack committed by threat actors linked to the North Korean government in which they were able to steal approximately $100 million in cryptocurrency from Harmony, a California-based cryptocurrency firm. U.S. government officials are concerned that the North Korean government will use the proceeds of this and similar compromises to fund its illicit nuclear and ballistic weapons program. The article explains, without revealing details, that the threat actors attempted to launder over $60 million of the money stolen in the compromise, and the FBI was able to freeze an undisclosed portion of it. In addition to hacks like this one, North Koreans have posed as people from other countries to gain employment at cryptocurrency firms. Once employed, they have used their positions to send funds back to North Korea. This article shows the need to be vigilant against cyberattacks perpetrated through hacks and compromises, but also highlights the need to be aware of compromises that can take place outside of the cyber realm. --- Nicholas P. Mooney II

U.S. Supreme Court Seeks Biden Administration View on Florida, Texas Social Media Laws

“The justices are considering taking up two cases involving challenges to the state laws - both currently blocked - brought by technology industry groups NetChoice and the Computer & Communications Industry Association that count Twitter , Meta Platforms Inc's (META.O) Facebook and Alphabet Inc's YouTube (GOOGL.O) as members.”

Why this is important: Both Texas and Florida have passed statutes that undercut efforts by social media companies to block users based on the companies’ determination of what material is objectionable. Both laws restrict these blocking attempts, but apparently current federal law does not. Current federal court cases block the application of these state laws, and the U.S. Supreme Court is considering this matter. It has asked the executive branch to weigh in on this issue. --- Hugh B. Wellons

Contech Trends to Watch in the New Year

“As builders adapt to economic, supply chain and labor challenges, they’re turning to technology to boost performance.”

Why this is important: All of the turmoil of 2022 (the war in Ukraine, supply chain issues, inflation, and labor shortages) have left contractors working hard to keep their businesses afloat. This article discusses some of the ways that construction technology, or contech, is helping. New software applications that manage employees and schedule workflows are becoming more prevalent. Like virtually every other industry, the construction industry also needs to be mindful of cybersecurity issues and take advantage of available software applications and best practices. Financial technology, or fintech, applications may change the way contractors are paid and address the always-present issue of late payments (which cost contractors $208 billion in 2022). At bottom, contech solutions are becoming a welcome way for contractors to address some of the problems inherent in the industry and some that came about as a result of the turmoil of 2022. Contractors should consider how these and other technology solutions can aid them in keeping their businesses thriving. --- Nicholas P. Mooney II

Maryland and Mississippi Lawmakers Consider Biometric Data Protection Bills

“Consent must be collected, whether in written or digital form, and restrictions would be applied to disclosing or selling biometric data.”

Why this is important: Your biometric data tells the tale of who you are in intricate detail. Often, your biometric data is used to verify your identity at work or school. Currently, Illinois has the most comprehensive biometric privacy law in the country with the Illinois Biometric Information Privacy Act. Maryland and Mississippi look to join Illinois in protecting their citizens’ biometric data. Maryland has already had the first reading of HB 33, the Commercial Law-Consumer Protection-Biometric Data Privacy bill. HB 33 would require private companies that hold the biometric data of Maryland citizens to “publish policies, establish a retention schedule and data destruction guidelines within certain timeframes.” HB 33 will also require companies to obtain consent from a consumer before collecting the consumer’s biometric data, and it establishes a set of security requirements. Importantly, HB 33 establishes a private right of action, along with being enforceable pursuant to the Maryland Consumer Protection Act.

Mississippi’s proposed Biometric Identifiers Privacy Act is similar to Maryland’s HB 33 insofar as it requires companies to “publish policies for the biometric data they hold, including a retention schedule and data destruction policy[,]” and requires the consumer to consent to the collection of the consumer’s biometric data. Mississippi’s proposed legislation allows employers to collect employee’s biometric data, but limits the use of the data, including preventing the use of employee biometric data to track the employee. While the Mississippi Biometric Identifiers Privacy Act allows for a private right of action just like Maryland’s proposed legislation, Mississippi’s proposed legislation also allows consumers to “demand information about what biometrics of theirs are held, the source of the data, what it has been used for, whether it was disclosed to any third parties, and if so who those third parties are.” If your company needs assistance complying with the data privacy and biometric privacy laws in the states you operate in, please contact Spilman’s cybersecurity and data privacy practice group. --- Alexander L. Turner

Scammers are Now Impersonating the Agency Tasked with Going After Scammers

“The Federal Trade Commission reports it is now being used in ‘imposter scams,’ where crooks impersonate government, law enforcement or legal enforcement agencies in an attempt to get people to send money to resolve an ‘issue.’”

Why this is important: A long-time scam of home invasion crews has been to cover front door cameras and bang loudly, claiming they are the police. Most homeowners let them in! Like a low budget science-fiction movie, the scammers have stolen that tactic and now impersonate the FTC, which is supposed to police the scammers. This article provides a guide to avoiding this new tactic. It looks a lot like the old defenses: i) never give personal info to someone you did not initiate contact with; ii) confirm any banking or financial information with your actual bank before reacting to an unsolicited email/text/call; iii) don’t believe someone who contacts you and tells you that they are trying to protect you from a scam; and, most important, iv) if it sounds too good to be true, it is. Still, this article is a good reminder of what we all know - that these scams will continue to develop. Creativity favors the dishonest. --- Hugh B. Wellons

Virginia, Amazon Announce $35 Billion Data Center Plan

“Still, data centers have become a politically volatile topic, particularly in northern Virginia, where the structures are increasingly common and where neighbors are voicing noise and environmental concerns.”

Why this is important: On January 20, 2023, Governor Glenn Youngkin announced that Amazon Web Services (“AWS”) plans to invest $35 billion by 2040 to establish multiple data center campuses across Virginia, pending legislative approval. Numerous localities in the Commonwealth are under consideration, and although none have been selected, residents in Northern Virginia have voiced concerns. Specifically, residents are concerned over the noise and environmental effects of data centers, which mirror concerns raised in lawsuits filed by Gainesville residents in Prince William County after the Board of County Supervisors voted to approve an amendment to the county’s Comprehensive Plan to create a data center complex. Northern Virginia lawmakers, Delegate Danica Roem and Senator Chap Peterson, have introduced bills this session aimed at stopping, or at least slowing down data center projects. Del. Roem introduced house bills specific to the Prince William County data center project, particularly HB 1974, requiring electrical transmission lines be built as a public interest, and HB 1986, requiring stormwater management techniques for the data center. In Joint Resolution 240, Sen. Peterson is asking the Commonwealth’s Department of Energy to study the impacts of data center development on Virginia’s environment, economy, energy resources, and ability to meet carbon-reduction goals. Despite these concerns, and pending legislative approval, AWS’s investment has the opportunity to create 1,000 new jobs in Virginia, and extend Virginia’s exemption on sales and use tax for data center equipment until 2040. At a time when big-tech layoffs are a public concern, AWS’s deal with the Commonwealth provides hope for the industry, workers, and the economy. --- Victoria L. Creta 

The US Just Greenlit High-Tech Alternatives to Animal Testing

“A new law allows drugmakers to use ‘organs-on-chips’ instead.”

Why this is important: The FDA Modernization Act 2.0, just signed by President Biden, eliminates the requirement of animal testing before drugs are tested in human trials. This does not eliminate animal testing, it just allows for alternatives. Since the animal testing path is the proven standard, and the protocol is well established for FDA review of animal testing to plan human trials, it may take a while to develop safe, non-animal tests that will qualify for human trials. New methods include miniature tissue models that use human cells to mimic reactions and microfluidic chips. Some researchers believe that these other methods actually work better for certain diseases, such as neurological diseases. --- Hugh B. Wellons

States are Passing More Tech Laws When One Party Holds the Keys

“The findings shed light on how state legislators have been able to outpace federal policymakers in setting rules of the road for the internet, particularly around data privacy, children’s safety and social media regulation.”

Why this is important: The U.S. does not have a federal data privacy law. In the absence of an all-encompassing data privacy law, the U.S. has a myriad of individual state privacy laws. The significant state data privacy laws that are often used as models are the California Privacy Rights Act (which amends that California Consumer Privacy Act), the Virginia Consumer Data Privacy Act, the Colorado Privacy Act, and the Illinois Biometric Information Privacy Act. The question is why the federal government has been unable to pass a federal data privacy act while some states have been able to pass strong data privacy laws. A report by the University of North Carolina’s Center on Technology Policy recently addressed that exact question. The UNC Center on Technology Policy found that of the 28 states that have passed laws regulating data privacy and social media platforms, 23 of those states held both the governors’ offices and legislators. Of those 23 states, 13 of the new laws were passed in states controlled by Democrats, and the remaining 10 were passed in states controlled by the Republicans. The reason why states have been more successful in passing data privacy laws is because they have a faster legislative process and are more willing to experiment than the federal government. However, the same party rule advantage for data privacy legislation did not translate to the federal government over the last two years. Last year, a Democratic Congress failed to pass the American Data Privacy and Protection Act. With the House now held by the Republicans, the prospect of the passage of a federal data privacy law dims even more. Instead, with 38 states now having one party control, it is anticipated that state-level policymaking on tech issues will accelerate. Republican states will likely follow the lead of Texas and Florida in regulating alleged “bias” social media platforms. Democratic states may model “safety by design” laws after laws passed in California. The result will be companies defaulting to the most stringent state laws in order to operate nationally. --- Alexander L. Turner

Promising Gene Therapy Delivers Treatment Directly to Brain 

“Meanwhile, about 30 U.S. studies testing gene therapy to the brain for various disorders are ongoing, according to the National Institutes of Health.”

Why this is important: Many research labs in the U.S. are testing gene therapy applied directly to the brain to treat diseases of the brain. Such therapies are approved already in the EU. This article explains why this may work and provides examples. Some brain diseases are affected by more than one gene, but single-gene conditions, such as Rylae-Ann’s disease, can be treated effectively by single-gene therapy. --- Hugh B. Wellons

Cybersecurity Focus: How to Make Remote Work Safer

“As a result, malicious actors have focused on finding loopholes in the popular tools used for teleworking, such as conferencing software and Virtual Private Network solutions.”

Why this is important: This article generally discusses the increase in remote work as a result of the COVID-19 pandemic and how that trend has brought with it an increase in threat actors targeting the software that makes remote work possible. The article focuses on two areas: virtual private networks and videoconference applications. Regarding virtual private networks, or VPNs, the article makes the point that the security of these applications needs an overhaul. Because VPNs are becoming a staple of remote work, threat actors are ramping up their efforts to learn and exploit any vulnerabilities in those applications. By requiring employees to access their company’s network through a VPN, the company has added an extra layer of security, but it also has created a single point of failure. A threat actor who is able to exploit the VPN can access a large amount of the target’s data and possibly thwart legitimate access to that data. The article recommends some measures to strengthen VPN security, including using multi-factor authentication and keeping VPN applications and network infrastructure up to date with the latest patches and security. Regarding videoconference applications, the article warns that threat actors have been stepping up efforts here to find new ways of attack. Because of the nature of these applications, an attack may allow a threat actor to eavesdrop on a large scale. In addition to outside threat actors, companies need to be mindful of former or disgruntled employees who may still have the ability to access a company’s videoconference applications. At bottom, the rise in remote work has brought new threats that companies need to address. Remote work is here to stay, and remote work security needs to be top of mind for every company. --- Nicholas P. Mooney II

What Diabetes is Revealing About the Benefits and Risks of Personal Medicine Connected to the Internet

“The internet of things for personal health comes with many benefits and the world of remote patient monitoring is growing, but also comes with greater scrutiny from the FDA about cybersecurity risks.”

Why this is important: Developments in diabetes are amazing. Glucose monitors, insulin pumps, longer acting insulin, and other recent developments allow easier and better management of this disease. Medical devices on the patient’s body “talk” to each other or communicate through the patient’s mobile phone. In addition, the phone often automatically reports findings to the doctor’s office for analysis. Opportunities for better health abound, but so do opportunities for cybersecurity breaches and crimes. --- Hugh B. Wellons