Photo Credit: Meinzahn
Three more casinos are set to close in Atlantic City. Unions, politicians and lobbyists are pointing fingers. One thing is for certain, newly introduced online gaming legislation is not to blame. If experts had been paying attention to the trends, they would have introduced regulated online gaming into New Jersey years ago…
Want to know more? Read the full post on Ifrah Law’s new iGaming Blog
Severely ill patients in New York State are celebrating Gov. Andrew Cuomo’s signature of a bill that legalized medical marijuana in New York for many severely ill patients. As noted by Assembly Speaker Silver in his remarks, “With this agreement, we are assuring access to that much-needed relief while ensuring the tightest possible regulation and state supervision.” Indeed, the New York bill does contain many restrictions on the use of medical marijuana, which were necessary in order to gain the agreement of Governor Cuomo for the passage of the bill.
For instance, the bill’s coverage is limited to “certified patients” that submit an application and receive their “registry identification card.” The requirements are extensive and include: patients are residents of New York, are receiving care and treatment in New York, and have a “serious condition”, which is limited to “severe debilitating or life-threatening conditions” like cancer, ALS, Parkinson’s disease, HIV/AIDS, Lou Gehrig’s disease, Huntington’s disease, epilepsy, neuropathic diseases, and multiple sclerosis or as determined by the commissioner of public health. A certified patient is also required to “possess his or her registry identification card at all times when in immediate possession of marijuana.”
Additionally, the final bill included a compromise provision, again on Gov. Cuomo’s insistence, that prohibits the possession of medical marijuana “if it is smoked, consumed, vaporized, or grown in a public place.” Instead, patients will take medical marijuana through an oil-based vaporizer, edible, or otherwise ingest the drug like any other pill.
Further, medical marijuana can only be administered by “practitioners”- i.e. doctors who are registered with the NYS Health Department to issue a patient certification, and, “no person may be a designated caregiver for more than five certified patients at one time.”
There are also restrictions on the manufacturers. Medical marijuana can only be sold by a “registered organization” that manufactures and dispenses in “an indoor, enclosed, secure facility located in New York state.” In addition to future regulations to be issued by the commissioner, a registered organization must possess “good moral character”, “sufficient land, buildings, … and equipment to properly carry on the activity described in the application”, or, post a $2M bond. Interestingly, the per dose price is also set by the commissioner so that this enterprise may not become some profit-making engine.
As a necessary assurance, the bill provides that certified patients, practitioners, and registered organizations are not subject to civil, criminal, or disciplinary proceedings because of their practices in accordance with the bill.
Finally, there is a seven year sunset provision in the bill, which essentially means the bill would need to be reauthorized, meaning that if it is not, medical marijuana will no longer be legal. The bill also contains a provision that authorizes the governor to terminate the medical marijuana program at any time if it is deemed to pose a public safety issue.
Despite these restrictions, Governor Cuomo stated: “Medical marijuana has the capacity to do a lot of good for a lot of people.” We wholeheartedly concur and feel there is no more appropriate ending than with the words of Assembly Speaker Silver: “This is a great day for New Yorkers.”
 Note: The New York bill refers to “marihuana”, but we have used the commonly known “marijuana” throughout for ease of reading.
Recently the Massachusetts Supreme Judicial Court ruled that under certain circumstances, a court may compel a criminal defendant to provide the password to encrypted digital evidence without violating the defendant’s constitutional rights. This is an increasingly prevalent issue that has divided courts across the country and may be presented to the United States Supreme Court for review soon.
Leon Gelfgatt was indicted in 2010 for allegedly operating a mortgage fraud scheme that fraudulently collected more than $13 million. During the investigation, Massachusetts state troopers seized four computers, all of which were protected by encryption software that Gelfgatt refused to remove. Lawyers for the Commonwealth of Massachusetts filed a motion in Superior Court asking the court to compel Gelfgatt to enter the password for his encryption software so that law enforcement could review the contents. The Superior Court denied the motion, stating that the Commonwealth was asking for the defendant’s assistance in accessing potentially incriminating evidence.
In a 5-2 ruling, the Massachusetts Supreme Court reversed the lower court ruling and held that police could compel Gelfgatt to decrypt his files, because he told investigators that the computer belonged to him and he had the encryption key. The majority opinion reasoned that Gelfgatt’s disclosure to investigators that he had the password to access the encrypted materials was sufficient to satisfy the “foregone conclusion” exception to the Fifth Amendment protection against self-incrimination. The court did not specify if Gelfgatt would have been compelled to decrypt the computers if he did not tell law enforcement that he owned the computers and had the ability to decrypt them, which may limit the reach of this opinion.
In a strong dissenting opinion, two justices found compelling a criminal defendant to decrypt the files is the functional equivalent to forced self-incrimination.
After the decision, one of Gelfgatt’s lawyers indicated that they planned to appeal the decision to the U.S. Supreme Court, which has not yet considered the issue that has divided jurisdictions across the country. In 2012, the U.S. Court of Appeals for the Eleventh Circuit held that a man under criminal investigation could not be compelled to decrypt his computer hard drives for the government without a showing by the government of specific knowledge about the contents of the hard drive, an opinion referred to by the dissenting opinion in this case.
In a time when law enforcement is increasingly relying on digital evidence in building cases against criminal defendants, issues regarding encryption and password protected materials will continue to arise. We hope the Supreme Court will grant an appeal and clarify that law enforcement cannot compel criminal defendants to decrypt files without violating the Fifth Amendment right against self-incrimination.
U.S. Court of Appeals Decision: Cell Location Data is Protected Under Individual’s Expectation of Privacy
The U.S. Court of Appeals for the Eleventh Circuit recently considered whether cell site location data is protected by the Fourth Amendment. On June 11, 2014, the court issued its decision in favor of privacy rights: the court held that cell site location information is within the cell phone subscriber’s reasonable expectation of privacy. If officers want the data, they must obtain the subscriber’s consent or a judicial warrant supported by probable cause.
The court’s decision in United States v. Davis pertained to Quartavius Davis, a federal defendant who was convicted in Florida on multiple counts of robbery, conspiracy, and possession of a firearm. For his crimes, Davis was sentenced to roughly 162 years in prison.
On appeal, Davis argued that his convictions and sentence should be reversed. Among other things, Davis argued that the trial court erred in denying his motion to suppress cell site location data, which the prosecution used to place Davis near the various crime scenes. Investigators were able to obtain the data without a probable-cause warrant. They did so under a provision of the Stored Communications Act, which states that a court may order production of non-content cell phone records based on reasonable grounds to believe the records are material to an ongoing criminal investigation. Davis objected that the evidence in his case should be suppressed because it was the product of a warrantless search conducted in violation of his constitutional rights.
The Eleventh Circuit agreed with Davis, holding that cell site location information is within the subscriber’s reasonable expectation of privacy. Speaking for the three-judge panel, Judge Sentelle discussed two distinct views of the interests subject to Fourth Amendment protection: property interests and privacy interests. The court determined that the privacy theory applied to Davis’ case. Because Davis had a reasonable expectation of privacy in his cell site location information, the government’s warrantless collection of that data violated Davis’ Fourth Amendment rights.
The Davis opinion is arguably the most protective of individual rights as compared to similar appellate decisions. In September 2010, the Third Circuit held that officers can obtain cell site data under the Stored Communications Act as long as they meet the reasonable-grounds standard. But the court also added that, in exceptional cases, a judge may impose a warrant requirement for data that can be used to track an individual’s movements in a private location, such as the home.
In July 2013, the Fifth Circuit issued a less-protective decision. In that case, the court held that individuals do not have a reasonable expectation of privacy in non-content cell site data. Therefore, the court must order the production of such information when the government meets its burden of proof under the Stored Communications Act.
The Supreme Court has yet to decide the issue. But past Fourth Amendment cases suggest that no fewer than five sitting Justices favor the privacy theory that Judge Sentelle relied on. They are likely to agree that cell phone subscribers have a reasonable expectation of privacy in their cell location data.
Court: Police Need Warrant to Search Phone. But Guess What? They Get to Keep Your Phone While They Get One.
Will cops still get access to cell phone data post arrest? You bet. Today’s Supreme Court decision just means they need to get permission from a judge before they start searching who you have been texting. And odds are very good, that permission will be granted.
In a unanimous decision authored by Chief Justice Roberts, the United States Supreme Court held that law enforcement officers may not conduct warrantlesssearches of cell phones that are seized incident to an arrest. But just because police cannot immediately search mobile phones, doesn’t mean they cannot immediately seize them in connection with an arrest. Indeed, the benefit of today’s decision by our country’s highest court may be limited to the two defendants who brought the case (and of course any similarly situated defendants).
The named defendant in Riley v California is David Riley. After Riley was stopped for a traffic violation, he was arrested and the police officer seized his cell phone incident to that arrest. When the officer accessed the data on the phone (without a search warrant), he noticed the repeated use of an identifier associated with the Bloods street gang. Later, a detective reviewed the cell phone records and noticed gang-related content, including a photo of Riley standing in front of a car that was used in a shooting weeks earlier. Riley was convicted of multiple crimes related to that shooting and received a sentence of 15 years to life.
The second case resolved today involved Brima Wurie, who had been arrested in connection with a drug sale. After Wurie’s arrest, police took him to the police station where officers confiscated his flip phone. A few minutes later, Wurie’s phone showed an incoming call from “my house.” The officers opened the phone, accessed the call log to determine the number of the incoming call, and then traced the number back to Wurie’s apartment, which they secured. After obtaining a search warrant, the officers searched the apartment and seized drugs, a gun, ammunition, and cash. At trial, Wurie was convicted on three drug-related counts and sentenced to more than twenty years in prison.
The key here to note is that in neither case did law enforcement obtain prior permission to search the cell phones belonging to Riley and Wurie. The narrow question presented to the Court therefore was whether it is permissible for law enforcement to search cell phone data incident to an arrest where no court has authorized such a search. In holding that such a search violates the Fourth Amendment of the US Constitution, the Court considered but rejected as not relevant prior cases where so-called “warrantless” searches passed constitutional muster. For example,
· In Chimel v. California, the Court recognized that the Fourth Amendment permits warrantless searches of the arrestee and areas within his immediate control if necessary to protect officer safety or to preserve evidence.
· In Arizona v. Gant, the Court held that officers may search a car incident to arrest if the arrestee is unsecured and within reaching distance of the passenger compartment or if the officer reasonably believes evidence of the crime of arrest may be found.
Because there were no such exigent circumstances present in Riley or Wurie’s arrest, the Court concluded that the need for cell phone data searches does not outweigh the corresponding intrusion on individual privacy, and thus a warrant was required. This of course is the right result. Digital cell phone data does not, by itself, of course, threaten officer safety. And a warrantless search of cell phone data is not necessary to preserve evidence. The Court recognized an individual’s privacy interest in digital cell phone data is considerable: cell phones have immense storage capacity, collect many types of records in one place, and often contain years’ worth of data.
In this regard, today’s decision is a victory for privacy rights. Law enforcement officers will not be permitted to conduct warrantless searches of cell phones for digital evidence. But if you are arrested, don’t assume law enforcement will let you keep your phone. Today’s decision may not allow for a warrantless search of your phone, but there is nothing prohibiting law enforcement from securing a phone post-arrest and seeking permission from a court to search it. And the chances that a court will grant such a request are close to 100%.
Today, the United States Supreme Court denied New Jersey’s petition for a writ of certiorari to hear an appeal from lower court decisions that invalidated its sports wagering law. This ends a three year fight to bring sports betting to New Jersey’s casinos and racetracks, but NJ State Senator Raymond Lesniak, who has spearheaded efforts to bring sports betting to the state has vowed to continue on.
Last September, the U.S. Court of Appeals for the Third Circuit, in a 2-1 vote with a strong dissenting opinion, affirmed the decision of the district court striking down the state’s sports wagering law as conflicting with the federal Professional and Amateur Sports Protection Act of 1992 (“PASPA”). In February of this year, the state of New Jersey filed a petition for a writ of certiorari asking the Supreme Court to hear the case, which today the Court denied.
The case has far reaching implications, well beyond the future of legalized state sponsored sports betting in the United States, but the Court decided the time was not right to hear the case. In the Supreme Court, the states of West Virginia, Wisconsin, and Wyoming filed an amici curiae brief in support of New Jersey’s petition because of the belief that the Third Circuit decision “raises serious federalism concerns” by forcing states to implement federal policy. The states of Georgia, Kansas, Virginia, and West Virginia filed a similar amici brief in the Third Circuit.
This case raised numerous interesting constitutional issues regarding federalism and the federal government’s ability to dictate state policy, something that the Supreme Court has considered recently in other cases. Last June, in a Voting Rights Act (“VRA”) case, the Supreme Court struck down a provision of the VRA that provided a formula for determining which states are subject to the provisions of the VRA, as unconstitutional. The dissenting opinion in that case specifically recognized PASPA as a statute that treats states disparately and that its validity may now be in question under the equal sovereignty principles that the Court outlined in its opinion.
This is a temporary setback in the fight to bring legalized state sponsored sports betting to states other than Nevada, but the fight will continue. Senator Ray Lesniak has said that he will introduce legislation quickly with the goal of offering sports betting in the state by the start of the NFL season. Although unsuccessful thus far, Congress may also step in to author legislation to amend or eliminate PASPA.
Last month police raided the home of an Illinois man who created a parody Twitter account of his city’s mayor. No charges were brought against the man because the prosecutor determined that no crime had been committed, however the man’s roommate has been indicted for possession of marijuana that was found during the overzealous raid of their residence.
Jon Daniel created the Twitter account @peoriamayor that mocked Peoria, Illinois, Mayor Jim Ardis. The Twitter account originally included a photo of Ardis, his official email address, and a brief biography. Later, the account explicitly stated that it was a parody account.
The Peoria Police Department submitted search warrants to Twitter, Google and Comcast in order to determine who was behind the Twitter account. Using the information obtained from those warrants to investigate a potential misdemeanor false personation offense, the police obtained a warrant to search Daniel’s home. During the raid police seized several computers, phones, and a bag containing a “green leafy substance.”
The Peoria County State’s Attorney’s office later concluded that they could not bring charges against Daniel for false personation because the offense could not be committed over the Internet. The false personation statute at issue in this case is a new Illinois law that went into effect earlier this year. The law makes it a misdemeanor offense punishable by up to one year in prison when a person, “knowingly and falsely represents himself or herself to be . . . a public officer or a public employee or an official or employee of the federal government.” The State’s Attorney’s Office has defended the decision of the police to obtain a search warrant stating that the police acted in good faith believing that they had probable cause to believe that a crime had been committed.
The American Civil Liberties Union of Illinois has said that it anticipates bringing litigation against the city of Peoria over the police raid on Daniel’s house.
Daniel’s roommate, Jacob Elliot, was charged with felony marijuana possession as a result of marijuana that police found during the raid of their home. Elliot spent two days in jail before he was able to make bail, and was also suspended from his job. Despite the police being misguided in their belief that Daniel had committed a crime which served as the basis of the warrant that led to the discovery of the marijuana, the Peoria County State’s Attorney’s Office is moving forward with charges against Elliot. Elliot was indicted last week on two charges of marijuana possession, including one felony charge.
Public officials have long been the target of parody, and social media has made it even more prevalent. If anything, this is an issue that could have been resolved civilly, though given the high standard for a public official to bring forth a defamation claim that avenue would most likely have been unsuccessful. More importantly, valuable police resources were wasted at the behest of a public official who was the subject of parody and this could have a potentially chilling effect on free speech. Statutes like the one responsible in this case are unnecessary and lead to the encroachment of an individual’s First Amendment rights.
U.S. citizens and residents with unreported assets abroad may be feeling a steady increase of pressure these days. The July 1, 2014 effective date of the Foreign Assets Tax Compliance Act (FATCA) is looming. The number of countries that have agreed to enforce FATCA is growing (almost daily). That means the banks in those countries will be required to report U.S. citizens’ assets to the IRS. It seems inevitable that if you don’t report your income and assets, your bank will. This point has been reinforced through bank-issued letters, from foreign banks to their U.S. clients, notifying those clients of the impending reporting requirements. If you want to stick your head in the sand or hide in a dark corner, we feel your pain, but we highly recommend against denial. The consequences of doing nothing could be severe – from staggering monetary penalties to jail time.
Taxpayers who are behind in reporting foreign assets and paying taxes on foreign-based income have a few options before the gloom and doom of the taxman cometh. Since the passage of FATCA in 2010, the IRS has offered citizens three rounds of its Offshore Voluntary Disclosure Program (OVDP), whereby taxpayers can reconcile their status with the IRS through reporting assets, paying past due taxes, interest and penalties. The penalties can be fairly steep – 27.5% on unreported assets alone – but they are preferable to an enforcement action by the feds. For taxpayers considered low risk, i.e. those that owe less than $1500 a year, the IRS offers a Streamlined OVDP that is penalty-free and involves a less onerous reporting process.
Below we provide some additional detail on who should consider making a date with the IRS, what steps to take, and possible consequences of doing nothing.
Who Is Covered:
U.S. citizens and residents with foreign accounts who have failed to file U.S. tax returns, failed to report income from foreign accounts, failed to file a report on foreign assets (FBAR), or failed to file other forms on foreign-based assets (e.g., Form 3520 on foreign trusts, Form 5471 on controlled foreign corporations, Form 926 on transfers of property to a foreign corporation, or Form 8865 on interest in foreign partnerships), need to address what and how to report to the IRS.
Foreign assets that must be reported include (1) accounts containing $10,000 or more of assets at some point during the tax year in which you have a financial interest or over which you have signature authority (FBAR); (2) your interest in assets worth at least $50,000 on the last day of the tax year or $75,000 at any time during the tax year (Form 8938). The problem for many is that what constitutes a foreign asset is somewhat broad and includes not only foreign accounts, stock, and mutual funds but also foreign partnership interests, debt issued by a foreign person, interests in foreign trusts or estates, and certain derivative instruments with a foreign counterparty.
If you have unreported foreign-based income or assets that pass the threshold amount outlined above, the time is right to consider the disclosure options currently offered by the IRS. The IRS’s website provides guidance on several options available to taxpayers, based upon the level of failed disclosure.
à Delinquent FBAR Filing: Those who reported all taxable income, but were not aware of the need to file an FBAR on foreign assets can file an FBAR with an explanatory statement. There will be no penalty for those who fall under this category.
à Delinquent CFC/Foreign Trust Filing: Those who reported and paid tax on all taxable income associated with a controlled foreign corporation or foreign trust, but failed to file Forms 5471 or 3520, may file these forms with an explanatory statement. (The IRS notes that Form 5471 should be submitted with an amended return.) Provided there were no underreported taxes, the IRS will not impose any penalties.
à Streamlined OVDP: Non-resident taxpayers (i.e. only citizens living abroad) owing less than $1,500 per year in taxes may file delinquent returns and related information returns for the last three years, and delinquent FBARs for the past six years, including tax and interest due. These taxpayers will also need to file additional information for the IRS to ascertain compliance risk. The IRS will review these submissions to confirm they are low-risk (i.e. that amount owed is less than $1,500 per year). If confirmed, the IRS generally will not impose any penalties beyond interest owed. If the IRS determines you are a higher risk, then you may be subjected to a more intensive review, including additional tax years, and may be required to file according to the standard OVDP (below).
à Standard OVDP: Taxpayers who have failed to report foreign accounts and income, especially those who seek to avoid criminal prosecution, may participate in the OVDP, which is structured like a civil settlement. Those taxpayers will pay an offshore penalty (instead of other penalties at the IRS’s disposal). This program involves several steps: (1) the taxpayer must submit a request to the IRS to be accepted into the program; (2) once accepted, the taxpayer must submit many items, including amended tax returns with schedules outlining unreported income for past eight years, FBARS, and information returns for the previous eight years; (3) the taxpayer must submit full payment of all tax and interest due along with penalties (including a penalty of 27.5 percent of the highest aggregate balance of foreign assets held over the last eight years, and a penalty of up to 40 percent of taxes owed on unreported income from foreign accounts). Note that if you disagree with the penalties, you may opt out of the settlement and request a mitigation of penalties (in limited circumstances, some taxpayers will qualify for a five percent or 12.5 percent penalty). You may also choose to opt out if statutory penalties would be lower under relevant laws (which should be reviewed on a case-by-case basis). Taxpayers who opt out are still protected from criminal prosecution.
à Quiet Disclosures: A final option, which is neither offered nor suggested by the IRS, but which some taxpayers attempt, is to simply start disclosing foreign assets and follow normal reporting requirements without addressing delinquent reports from prior years. Some taxpayers may choose to file amended returns under normal reporting procedures. These quiet disclosures are generally not recommended, as they do not safeguard the taxpayer from an IRS enforcement action, including criminal prosecution. They may at least trigger an IRS audit, which can come with stiffer penalties than those incorporated in the voluntary disclosure programs.
A Couple of Caveats:
If the IRS has already contacted you requesting information or already initiated an investigation, it is too late to follow any of the programs outlined above. As the name suggests, the programs are strictly “voluntary.” Also, the IRS may choose to close down its voluntary disclosure programs at any point. Many out there are warning taxpayers to file with the IRS right away before it is too late.
Although, a minor point of observation: while it is possible that the IRS will determine that it will get all the information it needs through FACTA bank disclosures, it is also likely that the agency will be happy to let the taxpayers do the work for them: to volunteer information and pay fines without the need to expend resources on investigators and prosecution. However, the more delinquent you are in taxes owed, the more likely the IRS will seek stiffer action and penalties. Therefore, if you are significantly behind on taxes owed, be aware that you are a more likely candidate for criminal prosecution. See, for instance, the growing list of former UBS clients who have faced incarceration and hefty fines for tax avoidance.
Why Make A Disclosure?
Some taxpayers may have a high risk tolerance and choose to take a chance that their foreign accounts will not be reported. Or they may think the IRS will be sufficiently inundated with new information from FATCA-compliant countries that it will take years for the IRS to identify them… and by that time perhaps FATCA will be repealed. While a number of activists and politicians have been working hard to repeal FATCA, the reality is, it is probably here to stay. Because dozens of international agreements have been signed, and once the legislation takes effect, it will be very, very difficult to unweave this work and convince the government to relinquish its new power. Taxpayers should presume FATCA is here to stay and reconcile their finances with Uncle Sam.
As of May 2014, more than 50 countries have agreed to comply with and enforce FATCA. (Some countries are enforcing the American law as a part of information share agreements with the U.S. whereby the U.S. will also report information on those countries’ citizens. Other countries are enforcing the American law to avoid the harsh withholding penalties that non-compliant countries would otherwise face.) This means that the financial institutions in these countries will be required to report income and asset information to the IRS. Finding a place to park your money outside of Uncle Sam’s purview is nearing impossible.
And the consequences of the IRS initiating an audit or enforcement proceeding against you are invariably going to be more severe than the voluntary disclosure programs (otherwise, what would be the incentive to disclose?). For those severely behind in IRS reporting, the protection from criminal prosecution should be one of the biggest carrots of the voluntary disclosure programs, especially as the IRS steps up its initiatives to help offset a perilous budget deficit. In the last five years, federal prosecutors have brought more than 100 criminal cases against taxpayers with unreported income overseas. FATCA enforcement will likely increase this number significantly. Regardless of political, philosophical, or moral objections you may have to accept Uncle Sam’s reach abroad, unless you want to risk your estate and possible jail time, the time is right to make an appointment with counsel to address your situation with the IRS.
Last month, the Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) formally announced its cybersecurity initiative in a Risk Alert. The initiative followed up on OCIE’s announced prioritization of cybersecurity preparedness as part of its 2014 Examination Priorities. The initiative is also timely because the general public is becoming more conscious of cybersecurity risks and its dangers as they learn of major breaches at Target Corp., Neiman Marcus, Michaels Stores Inc., and other companies. The security of personal information is even more important at financial services companies, which often have a large amount of sensitive personal information about their customers.
The OCIE’s approach is refreshingly proactive: “OCIE’s cybersecurity initiative is designed to assess cybersecurity preparedness in the securities industry and to obtain information about the industry’s recent experiences with certain types of cyber threats.” Further, the areas of cybersecurity assessment are quite broad and they cover “the entity’s cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.”
Importantly, the OCIE examination is detailed and specific about ensuring the adequacy and efficacy of cybersecurity measures. For example, the list of questions regarding identification of cybersecurity risks requires exact dates and times and is prefaced with “please provide the month and year in which the noted action was last taken; the frequency with which such practices are conducted; the group with responsibility for conducting the practice…”.
Further, the OCIE examination questions require naming the person(s) conducting the cybersecurity measures and when those measures were last checked or implemented. For example, the questions on identification of risks/cybersecurity governance include:
- Who (business group/title) conducts periodic risk assessments to identify cybersecurity threats, vulnerabilities, and potential business consequences, and in what month and year was the most recent assessment completed?
- Please describe any findings from the most recent risk assessment that were deemed to be potentially moderate or high risk and have not yet been fully remediated.
Similarly, the questions regarding a written cybersecurity incident response policy seeks a copy of the policy, the year it was most recently updated, whether there are tests to assess the policy, who conducts the tests, and when and by whom the last test was conducted. Likewise, the questions on event detection processes seek the month and year of the most recent test.
The examination questions also seek a summary of any actual cybersecurity incidents, the services affected, nature of the breach, the availability of services during the breach, and number of other questions about each cybersecurity incident. Notably, although the examination requires companies to provide a large amount of information, the SEC explicitly issued a disclaimer that the “factors are not exhaustive, nor will they constitute a safe harbor.”
Nonetheless, it is good to see the SEC take a proactive approach to the cybersecurity risks posed to financial institutions. Hopefully, this will flow down to other companies because cybersecurity is a hot-button topic that is very concerning to customers and unlikely to be fully resolved soon. With cooperation between government agencies and the private industry, we can be hopeful that cybersecurity risks can be mitigated. As SEC Chair White has noted, there is a “compelling need for stronger partnerships between the government and private sector” to address cybersecurity threats.
Social media has opened a Pandora’s box of information about just about everyone today, including jurors, witnesses, opposing counsel, defendants and plaintiffs. As lawyers we want to leave no stone unturned in pursuing a client’s interest, but just how far can we go without jeopardizing our case? For instance, can counsel (or someone acting at counsel’s direction, such as a paralegal) review a publicly available Facebook page to learn about the background and likes of a potential witness or party? (Most likely, yes). May attorneys “friend” that witness to gain access to the witness’s full Facebook page? (It depends). Can an in-house lawyer advise an employee to remove posts from the employee’s Facebook page because the lawyer thinks the post could be damaging in an ongoing lawsuit? (Most likely, not). Can a lawyer “friend” a potential juror? (No). All counsel need to be cognizant of evolving trends in ethics rules on social media use and contacts.
The New York State Bar Association recently released extensive “Social Media Ethics Guidelines” to address lawyers’ utilization of social media, particularly as to interactions with clients, prospective clients, witnesses, and jurors.[i] The Guidelines are a non-binding advisory publication based on New York’s Rules of Professional Conduct (and precedent in other states) and issued by the Social Media Committee of the New York State Bar Association’s Commercial and Federal Litigation Section. While the Guidelines provide instruction to New York lawyers, they represent the most comprehensive statements on the ethical constraints on lawyers’ use of social media to gather information in litigation. Consequently, other states will likely use the Guidelines in crafting their own policies.
Several other states have either provided some limited guidance as to social media accounts and parties/witnesses/jurors, or are reviewing these issues. This article provides a brief summary of recent developments, utilizing the New York Guidelines as a guide and an example of how other states may view similar situations.
Reviewing Public Posts
New York Guideline No. 3.A provides that a lawyer may review the “public portion” of a person’s social media profile or public posts, even if that person is represented by counsel. Under the Guidelines, such access is permissible for obtaining information about the person, including impeachment material for use in litigation. “Public” means: “information available to anyone viewing a social media network without the need for permission from the person whose account is being viewed.” (Comment to New York Guideline No. 3.A). The Guideline cautions, however, that attorneys should be aware that some social media automatically notify a person when someone views that person’s account.
Reviewing Restricted Posts – Unrepresented Parties
Going one step further, New York Guideline No. 3.B allows a lawyer to request permission to view the restricted portion of an unrepresented person’s social media account. The lawyer must use his or her full name and an accurate profile. Attorneys may not create fake or different profiles to mask their identities. If the person asks for additional information in response to the request, the lawyer is required to accurately provide that information, or withdraw the request. Earlier, the New York City Bar Association, in Formal Opinion 2010-2, ruled that an attorney or agent may ethically “friend” an unrepresented party without disclosing the true purposes, but may not use trickery.[ii]
Reviewing Restricted Posts – Represented Parties
New York Guideline No. 3.C bars lawyers from contacting represented persons to seek to review the restricted portion of a person’s social media profile unless the person (presumably, through counsel) furnished an express authorization. This includes persons represented individually or through corporate counsel. Interestingly, the Guideline advises that lawyers should use caution before deciding to view “a potentially private or restricted social media account or profile of a represented person which a lawyer rightfully has a right to view, such as a professional group where both the lawyer and represented person are members or as a result of being a ‘friend’ of a ‘friend’ of such represented person.”[iii]
Lawyers may not direct others, such as paralegals and office staff, to engage in conduct through social media in which the lawyer may not engage. (New York Guideline No. 3.D). The comment to the Guideline makes clear that this prohibition includes a lawyer’s investigator, legal assistant, secretary, other agent, or even the lawyer’s client.
Using Information Provided by Clients
In situations where a client provides to his lawyer the contents of a restricted portion of a represented person’s social media profile, that the lawyer may review the information, provided certain criteria are met. (Guideline No. 4.D). The lawyer may not have caused or assisted the client to: inappropriately obtain confidential information from the represented party; invited the represented person to take action without the advice of his or her lawyer; or otherwise overreach regarding the represented person. “Overreaching” in this context means situations where the lawyer is “converting a communication initiated or conceived by the client into a vehicle for the lawyer to communicate directly with the nonclient.” Lawyers should be very careful not to advise a client to “friend” a represented person to obtain private information.
Deletion of Social Media Information
The New York Guidelines also address whether a lawyer can advise a client to remove content on the client’s social media account (whether posted by the client or someone else). A lawyer may advise a client as to what content may be taken down or removed, as long as there is no violation of law – whether statutory or common law – or of any rule or regulation relating to the preservation of information. If the party or nonparty is subject to a duty to preserve, he or she may not delete information from a social media profile unless an appropriate record of the data is preserved.
Special Considerations Regarding Jurors
The New York Guidelines allow lawyers to research and view a prospective or sitting juror’s public social media website, account, profile and posts. However, Guideline No. 5.B cautions that lawyers should be careful to ensure that no communication with the juror takes place – including automatic notices sent by social media networks. The Guidelines also preclude attorneys from making misrepresentations or engaging in deceit to be able to view a juror’s social media account, profile, or posts, or directing others to do so. An earlier opinion of the New York City Bar, Formal Opinion 2012-2, concluded that attorneys may use social media websites for juror research as long as no communication occurs between the lawyer and the juror as a result of the research. Attorneys may not research jurors if the result of the research is that the juror will receive a communication. Further, neither the lawyer, nor anyone acting at her direction, may use deception to gain access or to obtain juror information.
New York Principles Followed and Expanded in Other Jurisdictions
Other states take a similar approach to public information, generally permitting a lawyer to review the public information of a party, witness, or juror, and prohibiting a friend request or similar request to access non-public information of a juror. As to witnesses, some Bar authorities (such as those in New Hampshire) specifically allow lawyers to request access to the non-public social media profiles of witnesses, provided the attorney does not use deception. Virginia bar rules prevent lawyers from “pretextually ‘friending’ someone online to garner information useful to a client or harmful to the opposition,” as pretexing violates Virginia Rule 8.4(c) prohibition against “dishonesty, fraud, deceit or misrepresentation.” In New Hampshire, a lawyer must also inform the witness of the lawyer’s involvement in the matter. In Oregon, the State Bar Ethics Committee ruled that a lawyer may access an unrepresented individual’s publicly available social media information but “friending” a known represented party is impermissible absent express permission from party’s counsel.[vi] The San Diego Bar opined that an attorney attempting to access the non-public Facebook pages of certain high-ranking employees of the opposing party without disclosing the motivation of the friend request violates California Rule of Professional Conduct 2-100 (prohibiting communication with a represented party unless the attorney has the consent of the other lawyer). Interestingly, the opinion concluded “high-ranking employees” of a represented corporate adversary are considered “represented parties” for purposes of the rule.[vii]
As a general rule, deceptive practices used to gain access to private social media pages may result in proceedings by bar authorities or other adverse actions. An Ohio prosecutor was fired after his office found out he had created a fake Facebook profile and “friended” a defendant’s alibi witnesses, seeking to influence them against the defendant.[viii]
On the subject of deleting social media pages, a Virginia court sanctioned a plaintiff and his attorney for deleting a Facebook profile and pages that contained photographs that could have negatively impacted a widowed husband’s claim for damages from the wrongful death of his wife in an automobile accident.[ix] While counsel denied having instructed his client to delete the postings, testimony supported a claim that the attorney directed his paralegal to tell the Plaintiff to “clean up” his Facebook entries. The court sanctioned the Plaintiff $180,000, and the Plaintiff’s counsel $542,000. Plaintiff’s counsel later agreed to a five year suspension. The suspension order stated that the attorney violated ethics rules that govern candor toward the tribunal, fairness to opposing party and counsel, and misconduct.[x]
The New York Guidelines provide a useful reminder to practitioners that social media communications cross state lines and may implicate other states’ ethics rules. Counsel should consider Bar rules in states where counsel is admitted, as well as the jurisdiction of any pending case. In the case of misconduct in a state where counsel is not admitted, it is certainly possible for that state to make a referral to a state where an attorney is barred. While social media presents a trove of potentially useful information, all counsel need to be aware of, and abide by the ethical restrictions and to tread carefully, particularly as to non-public information. Bar rules and opinions in this area continue to develop to keep pace with technology trends. Counsel should continue to monitor further ABA and state bar rulings, particularly before conducting any research pertaining to non-public social media profiles and pages or seeking to communicate with parties, witnesses or jurors.
[i] The Guidelines are available at: https://www.nysba.org/Sections/Commercial_Federal_Litigation/ Com_Fed_PDFs/Social_Media_Ethics_Guidelines.html.
[ii] See “Obtaining Evidence from Social Networking Websites,” Formal Opinion 2010-2, available at http://www.nycbar.org/pdf/report/uploads/20071997-FormalOpinion2010-2.pdf.
[iii] Comment to New York Guideline No. 3.C.
[iv] Formal Opinion 466 is available at: http://www.americanbar.org/content/dam/aba/administrative/ professional_responsibility/formal_opinion_466_final_04_23_14.authcheckdam.pdf/ (“ABA Formal Opinion 466”).
[v] ABA Formal Opinion 466 at 4.
[viii] See Ifrah Law’s blog coverage at http://crimeinthesuites.com/prosecutor-fired-for-lying-on-facebook-to-wtinesses-in-murder-case/.
[ix] Lester v. Allied Concrete Co., Case No. CL09-223 (Va. Cir. Ct. Sep. 1, 2011); Lester v. Allied Concrete Co., Case Nos. CL08-150, CL09-223 (Va. Cir. Ct. Oct. 21, 2011).