Alston & Bird Consumer Finance Blog


Six Practical Tips for Practicing Cyberhygiene in the Middle of a Global Pandemic

Businesses large and small are encouraging (or requiring) employees to work remotely or cancel work travel as part of the response to COVID-19. But suddenly expanding the number of employees working remotely comes with increased cybersecurity and information technology risks. A cybercriminal (including malicious insiders) will have a target-rich environment during this time since more devices will be used for company business and more company data will be sent, located, or stored outside the protections of the company infrastructure and activity logging. It will also be easier for devices to be lost, stolen, or compromised, particularly if employees are not familiar with company policies on how to securely work from home. Information Security and IT teams should consider the following practical tips as they prepare for these risks.

1. Prepare for a Strain on Existing Resources

Increasing the number of remote employees increases the number of people or devices using your remote access resources, such as virtual desktop environments and virtual private networks. Continue to actively monitor these resources to ensure that they are properly updated and resourced (bandwidth, computing power, and storage capacity). This is a unique opportunity to fully test your infrastructure and remote capabilities. Also, companies may want to reevaluate how employees will be authenticated when connecting remotely. Utilizing multifactor authentication should be the goal. The Department of Homeland Security’s recent alert on enterprise VPN security may also be a useful resource here.

Consider also expanding your help desk staffing. More employees working from home will likely result in increased calls for IT support since these employees may have connectivity or other technical issues in a remote environment. Similarly, some employees may be forced to use personal devices during this period. It will be important to have help desk staff and software resources available to ensure that antivirus software can be downloaded to personal devices and that the devices are encrypted.

2. Review and Update Business Continuity, Disaster Recovery, and Incident Response Plans

The coronavirus pandemic is unlikely to directly impact your IT infrastructure. However, it is possible that a severe outbreak will impact the availability of personnel assigned to monitor or use that infrastructure. Companies should review their business continuity and disaster recovery plans (with their related IT and Security roles and responsibilities) to ensure they appropriately cover scenarios that might arise if multiple key personnel are ill or incapacitated. Similarly, if you use Managed Security Service Providers or other security vendors for critical parts of your program, you should verify that those vendors have similar plans, redundancies, and current capacity to help (you may want to verify and secure this help now while we are still in the early stages of this crisis). Ultimately, this is the perfect opportunity to ensure that all key players have recently reviewed these plans, there is necessary expertise redundancy, and staff have engaged in tabletop simulations relating to business continuity.

Companies should also consider conducting a similar assessment for their incident response plans as well as their cyber insurance, crime fraud, technical E&O, or network interruption policies. Such policies or plans may need to be revised to include backup personnel if key personnel such as a CTO, CISO, or privacy officer are incapacitated or otherwise unavailable. Also, you may want to consider cross-training appropriate personnel in all aspects of the incident response, reporting, and claims process, including the location of core documents and notice templates that would be used in an incident. If you have not already, consider what key elements of your incident response plan could be reduced to a diagrammed flow for your team to have in front of them in a crisis.

3. Warn Employees of the Security Risks of Working from Home

In times of crisis, increased work, or nonstandard work routines, personnel are more likely to forget to use recommended cybersecurity practices, but warning them now may help with security awareness during unfamiliar times. This will be particularly true for mission-critical services since employees may feel pressure to forgo security to get work done. All employees should be reminded of the corporate resources that are available, such as cloud storage or other applications, the need for increased vigilance, and the following basic security principles:

  • Secure home wireless networks with strong passwords and avoid using unsecured public networks when possible. If using an unsecured public network, be on the lookout for any certificate errors or warnings that a site may be misconfigured.
  • Do not use personal devices for work without prior approval because these may lack the security controls that protect work devices.
  • Do not use personal email or cloud storage accounts to transfer or store business information.
  • Avoid downloading or printing sensitive information from email or other IT services to personal computers or other personal devices even if authorized to use the device for work purposes. If you must download data to personal devices, confirm with IT help desk staff that antivirus software is installed on your device and that it is properly encrypted.
  • Practice good physical document management by only taking documents offsite if necessary and ensuring all materials are returned to the office for proper destruction.

4. Be Wary of Scams and Phishing Attacks

Scammers and cyber threat actors have always followed the headlines, using the public’s heightened fear and desire for information or solutions as leverage to gain access to systems, data, and money. The current pandemic is no different. There are reports of schemes where malicious actors are stealing credentials from remote workers by supposedly offering updated company guidance on the COVID-19 response. And cyber researchers recently discovered a website of a map showing COVID-19 cases on a global scale that contained a hidden code that could steal usernames, passwords, credit card numbers, and other data stored in the user’s browser. While the Food and Drug Administration (FDA) and Federal Trade Commission (FTC) are working to crack down on phony COVID-19 cures and requests for “donations” from fake charities, employees must be on the lookout for scams and phishing attacks. All employees should be reminded of the following recommended practices:

  • Be careful opening attachments and links from distrusted or unknown sources. Phishing or other malicious emails can easily be disguised as alerts about COVID-19.
  • Try to use only trusted sources, for example, the CDC’s official COVID-19 website, for receiving up-to-date information about the outbreak.
  • Never respond to emails or phone calls asking for personal or financial information, usernames, or passwords.
  • Be careful making donations and reject any request for donations in cash, by gift card, or by wiring money.

This is also an excellent opportunity to remind employees of how to report security incidents within the company. Consider creating a short checklist for all employees detailing tips for how to detect suspicious activity, and what to do and who to contact if they believe they have been the victim of a security incident, scam, or phishing attack.

Additional resources from the FTC and U.S. Office of Personnel Management on working remotely and how to avoid scams and phishing attacks can be found here and here.

5. Be Aware of Applicable Industry-Specific Guidelines

Some heavily regulated industries (e.g., banking, financial services, and health) will have additional considerations at play. For example, FINRA has just released guidance that addressed telework arrangements with a section specifically related to cybersecurity risks posed by those arrangements. Additional commentary on this guidance can be found here. Similarly, HIPAA covered entities and business associates may face an increased risk of violating the HIPAA Privacy and Security rules. Best practices on how to address these risks and other HIPAA-specific guidance can be found here.

6. If Security Exceptions Must Occur Temporarily, Take Steps to Document Them

Your company may have no choice but to make security exceptions to get work done, especially if your industry is on the front lines of this crisis (e.g., health care and necessities supply chains). If this is the case, take steps to ensure that Security and IT document any security exceptions made so the company can resume its full security measures once volumes return to normal. If security exceptions are not documented, there is the potential for these items to be forgotten once the crisis passes.

Alston & Bird has formed a multidisciplinary task force to advise clients on the business and legal implications of the coronavirus (COVID-19). You can view all our work on the coronavirus across industries and subscribe to our future webinars and advisories.

California Attorney General Issues Second Round of Modifications to CCPA Regulations

On March 11, 2020, California Attorney General Xavier Becerra announced a second round of modifications to the draft regulations his office is preparing for the California Consumer Privacy Act (the “Draft CCPA Regulations”).  These modifications follow two previous rounds of drafting:

(a) the initial publication of the Draft CCPA Regulations, in regards to which we analyzed 21 potentially material business impacts here, and

(b) a first round of modifications to the Draft CCPA Regulations, for which we provided 30 key business impacts here.

Alston & Bird is currently preparing a detailed analysis of this second round of modifications to the Draft CCPA Regulations, which will be published via this blog.  A copy of the Draft CCPA Regulations containing all modifications from both the first and second rounds of modifications can be downloaded here.

Companies who see relevant issues in the most current modifications to the Draft CCPA Regulations should note the Attorney General indicates that the deadline for comments is 5:00 p.m. Pacific time on Friday, March 27.

For further information, contact Jim HarveyDavid KeatingKathleen BenwayAmy Mushahwar, or Daniel Felz.

Alston & Bird Webinar Series: Coronavirus: What Does My Business Need to Know?

Thursday, March 12, 2020  | 11:00am ET 
For Employers: Coronavirus and Travel: A Complicated Business Decision 

The 2019 novel coronavirus outbreak (also known as COVID-19) causes respiratory illness and can spread from person to person. There have been thousands of deaths reported globally, making the coronavirus deadlier than SARS. Coronavirus infections have been reported in dozens of countries. Individuals are being extracted from and departing China and the region, and pandemic fears have also affected shipping and travel around the world. Concerns about the coronavirus have closed factories and forced quarantines throughout China – delaying and even stopping manufacturing and deliveries.

The number of COVID-19 cases in the U.S continues to rise, affecting employers and employees in every industry, from hospitality to manufacturing to health care. What should employers consider in making decisions? This Alston & Bird webinar will review advice we are giving clients related to:

  • Travel, both foreign and domestic
  • Employee health precautions
  • Events and conferences
  • Office/workplace visitors
  • Remote workforce
  • Force majeure and the coronavirus

Our Speakers:

Dawnmarie Matlock regularly advises health care clients on complex regulatory issues, including Stark Law and AntiKickback compliance. She counsels clients facing government investigations and other enforcement actions to mitigate risks and help resolve active matters. She serves as Alston & Bird’s HIPAA privacy officer and counsels clients on HIPAA compliance and breach response.

Angie Burnette assists hospitals, physicians, and other providers with a variety of issues, including those involving medical staff, the National Practitioner Data Bank, mental health, surrogate births, minors, duty to warn, do-not-resuscitate orders, end-of-life issues, and refusal of blood transfusions. Angie provides general risk management and compliance advice to health care facilities, providers, and health plans. She also advises health care providers and non-health-care companies on HIPAA privacy, HIPAA security, and breach notification issues under the HITECH Act and state laws.

Christy Eikhoff will discuss force majeure in light of the coronavirus. She represents clients in significant and high-profile complex commercial litigation matters, with experience in manufacturing, media, and insurance. She is the co-chair of Alston & Bird’s Industrials & Manufacturing Litigation Team. She has handled several multimillion-dollar cases for publicly and privately held entities, with extensive experience in trial, arbitration hearings, mediation, written advocacy, settlement negotiations, and discovery management. Christy has been instrumental in helping business clients achieve resolution in litigated disputes involving claims of breach of contract, fraud, business torts, property torts, defamation, negligence, and unfair and deceptive trade practice and consumer protection statutes.

Charlie Morgan concentrates his practice in litigation and government and internal investigations, including occupational safety and health, employment and traditional labor matters. He represents Fortune 500 companies, retailers, manufacturers and privately held organizations across the U.S. in investigations and litigation involving accidents and safety issues, in class and collection actions, and in anti-union campaigns. He also develops programs and training initiatives for compliance with safety and health laws and federal sentencing guidelines.

Our Experience 

Alston & Bird has formed a working group to advise clients on the business and legal implications of the coronavirus. Our multidisciplinary team can assist and advise a broad range of economic sectors on responses to coronavirus news and proactive steps to ensure business continuity, supply-chain alternatives, data security if remote access for all employees is required, and new product development. We regularly work on coronavirus-related issues with the gamut of relevant regulatory bodies as well as congressional policymakers who are leading the response to this fast-moving event. Our team includes members with experience in regulations for employment issues, medical product development, and pharmaceuticals, as well as every type of business interruption scenario. Members of our team have previously worked for, or represent clients before, the White House, Congress, HHS—especially staff and operating divisions such as the Assistant Secretary for Preparedness and Response (ASPR) — FDA, CDC, USDA, EPA, DEA, DOD, SEC, DHS, DOS, and OSHA.

Webinar Details

Thursday, March 12, 2020

Login information will be provided to participants before the program.

Additional Programs 

Thursdays | 11:00 am ET  

March 19 – For Hospitals, Health Systems, Laboratories and Other Providers: Reimbursement issues, new codes, special employee issues, telemedicine, and how to navigate this new environment.

March 26 – For employers, health plan sponsors and insurers, hospitals, hospitality, and pharmaceutical and medical device manufacturers: What’s still pending on the legislative and regulatory front in response to the coronavirus pandemic.


These programs are provided as a complimentary service to clients and friends of Alston & Bird. CLE credit is pending for Georgia, Texas, California, New York, Pennsylvania, and Missouri. Additional states may be available upon request.


Why Consumer Finance Companies Should Hit “Delete” On Using Emojis In Business Communications

A&B ABstract:  What does the increased use of emojis in business communications mean for consumer finance companies, and how can risks be mitigated?


As emojis increasingly make their way into business communications, their use is creating unanticipated and problematic legal exposure for companies and their employees. Roughly 200 published court decisions since 2004 have grappled with emojis as evidence, and the number of these cases spiked as of 2017.  In business settings, these cases run the gamut from contract disputes to sexual harassment and discrimination.

The potential problems arising from workplace emoji use are particularly acute for consumer finance companies such as lenders and mortgage servicers, given the wide diversity of backgrounds among – and thus the greater potential for miscommunication with – their clients. The emoji trend shows no signs of slowing, and their legal complications in business communications will likely worsen absent common-sense safeguards.

Background on Emojis

Emojis, of course, are small picture characters used in emails and text messages. They integrate visual images into text, and they can expand depth and emotional content in ways that written words cannot. As explained by Professor Eric Goldman, , as of January 1, 2018, there were 2,600 emojis with codes under the Unicode Consortium. Countless more emojis are specific to different messaging platforms. Other related symbols are “emoticons,” which are letters, numbers, and other standard keyboard characters that are strung together to resemble a picture (e.g., the “smiley” emoticon – :-)). According to recent surveys, 92% of online participants use emojis, and 2.3 trillion mobile messages include emojis annually. They are ubiquitous and now common in business communications between colleagues and with clients in emails, texts, and instant messages, among other media.

The Problems With Emojis In Business Communications

The major problems with emojis involve their interpretation and meaning. If, as the saying goes, a picture is “worth a thousand words,” then so is each emoji. This reflects two major attributes of emojis that can lead to unintentional and profound misunderstandings in business communications with colleagues and clients.

First, different platforms translate and depict emojis differently. This means that an emoji sent via an iPhone may look quite different on an Android device, and vice versa. The same problem occurs with new versions of the same platform. Further, the sender and receiver have no easy way of knowing they are looking at symbols rendered differently across platforms, and they also do not necessarily even know that the emoji is being read on a different platform. All of this can lead to major misunderstandings. A classic example is the Unicode-coded emoji known as “grinning face with smiling eyes.” A 2016 survey revealed that most people thought the Android version meant “blissfully happy,” but thought the iPhone version meant “ready to fight.” The burgeoning field of emoji research reveals many similar examples. So a seemingly innocent email or text to a colleague or client that contains an emoji could inadvertently send an entirely different message than intended, solely based on technological issues beyond the participants’ control or knowledge.

Second, emojis often have multiple meanings that not all senders and recipients will mutually recognize. Indeed, Unicode Technical Standard #51 states a preference for adopting emojis with multiple meanings. Although this allows senders to convey many different concepts at once, it also raises the prospect of serious misunderstandings. The absence of any comprehensive and accepted emoji dictionary exacerbates this problem. The “folded hands” emoji, for example, can symbolize please, thank you, prayer, and a high-five – all very different meanings, with different implications. A 2016 survey showed that the iPhone “unamused face” emoji is variously interpreted as signaling disappointment, depression, being unimpressed, and being suspicious.

There may also be differences in emoji interpretation among different user groups, industries, and generations of users, all of whom may have their own idiosyncratic understandings of given emojis. This risk is heightened when corresponding with colleagues and clients from diverse groups that may not share a common background or frame of reference with the sender – a particularly acute issue for large client-facing organizations in the consumer finance industry.

Litigation Involving Emojis In Business Communications

Given the ubiquity of emojis, their use and interpretation have become fodder for the courts. Since 2008, U.S. courts in published decisions have addressed emojis in dozens of business cases involving breach of contract, employment discrimination, and sexual harassment.

For example, in Murdoch v. MedJet Assistance, an employee based claims of sexual harassment against her CEO on texts containing emojis with hearts and similar symbols, but her claims were dismissed in part because she responded with emojis that seemed receptive to his advances. Thus, emojis were important evidence for both sides in the case. In Apatoff v. Munich Re American Services (2014 U.S. Dist. LEXIS 106665 (D.N.J. 2014)), the court denied a company’s motion for summary judgment in a wrongful termination case because several managers’ emojis in internal emails discussing the termination suggested an improper motive, contrary to their deposition testimony.  These are but two examples of many similar cases.


Given the problems stemming from emoji use, companies in the consumer finance industry should consider implementing strict emoji-use policies. Because it is impossible to impose universally-accepted meanings on emojis among clients, colleagues, and other email or text counterparts, it may be most prudent to ban the use of emojis in employees’ business communications. The corporate IT department could also disable emojis on company systems.

Possible limited exceptions could be made for purely social communications with clients and colleagues. But the high risk of misunderstandings in a business context, which can give rise to disputes over contract formation, and potentially harassment or discrimination claims, seems to militate in favor of a bright-line rule against the use of emojis altogether. This may limit the spontaneity of business communication and make it more formal, but these downsides must be weighed against the real possibility of inadvertently forming (or breaching) contracts or other real consequences of emoji use. Another policy could require the insertion of disclaimers at the bottom of emails, expressly stating that emojis may form no part of any offer, acceptance, or agreement.

Unless and until the technology and societal understanding of emojis evolves further, the indeterminate meanings that can make emojis fun can also make them perilous in a business context. Companies must consider whether emojis are more trouble than they are worth.

Alston & Bird Adds Senior Consumer Finance Litigator in San Francisco Office

Alston & Bird continues its Bay Area growth with the addition of senior litigator Jim McCabe as counsel. McCabe joins from Morrison & Foerster LLP, where he practiced for more than 30 years, most recently as senior of counsel.

“Jim is a top-notch litigator with an impeccable reputation for defending clients in high-stakes civil litigation before state and federal courts at the trial and appellate levels,” said Kristy Brown, Alston & Bird partner and co-leader of the firm’s Litigation & Trial Practice Group. “His track record as a trial and appellate lawyer and experience across a range of commercial and regulatory litigation, including complex class actions, make him a superb choice for clients seeking sophisticated guidance on matters critical to their success.”

In a career spanning more than three decades, McCabe has distinguished himself as a trusted adviser to corporate clients, primarily in the financial services industry.

Among his many notable successes, McCabe has defended financial services companies in more than 100 different class actions and other complex civil litigation encompassing consumer reports and consumer financial products.

Over the past decade, McCabe has represented LexisNexis – a subsidiary of RELX plc – in more than 40 individual disputes and 12 putative consumer class actions asserting claims under the Fair Credit Reporting Act. He also represented LinkedIn in defeating a putative class action that attempted to characterize the company as a consumer reporting agency. And for the Mortgage Bankers Association, he won summary judgment in a putative nationwide class action that challenged the issuance of multiple credit cards to subprime customers, serving as national coordinating counsel for the association and assisting lender defendants in defeating class certification in more than 60 cases asserting claims under the Real Estate Settlement Procedures Act.

In addition to his client work, McCabe has served as a trial skills instructor for the National Institute for Trial Advocacy and the Stanford University Advocacy Workshop.

“Jim brings exceptional litigation capabilities to our San Francisco office and broader financial services practice,” said Teresa Bonder, partner in charge of Alston & Bird’s San Francisco office. “His leadership, experience, and talent deepen our bench of leading litigators and provide another powerful advantage for our clients.”