In the Aftermath of Van Buren v. United States

By CHHS Extern Mike Rovetto

A few weeks ago, the Supreme Court released its decision in Van Buren v. United States, and the implications this case has for nearly every business and employer in the country could be potentially staggering. Before going into the implications of the case, a brief introduction is warranted.

A more perfect case could not have been presented to the Court to answer the question of what “exceeding authorized access” means under the Computer Fraud and Abuse Act (CFAA). Van Buren centered around a police officer who sold information that he procured from the state DMV to an undercover FBI informant. Van Buren had procured the data using his valid police credentials to log into the police database and download the files.

The FBI charged Van Buren with violating the CFAA, a 1986 law that makes it a crime to illegally access a database. The CFAA has been deemed the federal computer trespass law, which subjects to criminal liability anyone who “intentionally accesses a computer without authorization or exceeds authorized access.” Van Buren was ultimately convicted of the charge and, on his appeal to the Eleventh Circuit, argued that “exceeds authorized access applies only to those who obtain information which their computer access does not extend, not to those who misuse access that they otherwise have.” The circuit denied his appeal, which led to the Supreme Court of the United States granting a writ of certiorari. Van Buren’s argument before the Court revolved around one basic idea: the CFAA only criminalized accessing files that one is not authorized to access; it did not criminalize misusing information that one did have authorization to access.

In a 6-3 decision, the majority ruled in favor of Van Buren’s view that the language of the CFAA only prohibited illegally accessing data (i.e., hacking); it did not prohibit illegal misuse of data that one was able to lawfully access. The Court came to the correct conclusion. Professor Orin Kerr, a law professor and expert on cyberlaw from the University of California – Berkeley, analogized this case perfectly: essentially, this case boils down to criminalizing a contract dispute. Every citizen in the US should rightly shudder at a police officer violating their privacy in such a way, Van Buren’s actions (by accessing the database) criminal. What Van Buren did by accessing the database was certainly a firing offense, but one would not expect to be led out of a workplace in handcuffs because one accessed Facebook or sent a personal email in violation of the company’s computer policy. That is a result the majority feared could happen, considering the government’s policy on the subject, which does not ban criminalizing conduct based solely on contractual disputes.

Justice Thomas raises an interesting point in his dissent: he notes that Van Buren’s actions were similar to those of a property trespasser (defining a trespasser as someone who has legal access to a property for one purpose but enters the property for another, ulterior purpose). The Justice then continues with this: “What is true for land is also true in the computer context; if a company grants permission to an employee to use a computer for a specific purpose, the employee has no authority to use it for other purposes”. This analogy is curious considering that in 2017, Justice Thomas joined Justice Alito’s concurrence in Packingham v. North Carolina, which rejected equating the cyberworld to the physical world. Regardless, the Justice’s example here still equates to a contract dispute. Fireable? Yes. Criminal? No.

In an interesting turn of events, the Court remanded to the Ninth Circuit LinkedIn v. hiQ, a case which stems from mining data off LinkedIn user profiles after a cease-and-desist letter was ignored by hiQ. The Court remanded the case to determine if its Van Buren decision affected the lower circuit’s decision in how it interpreted the CFAA. The outcome of that case could land back in the hands of the Supreme Court in the coming years.

The President’s Executive Order on Cybersecurity

By CHHS Extern Mike Rovetto

A few weeks ago, multiple news agencies covered a memo President Biden’s administration released calling on private business entities to do more against the threat of ransomware and to “better understand [their] critical role”. While the President’s Executive Order is a good first step in fixing the nation’s cybersecurity problem, the E.O. does not go far enough for the simple fact that it only affects federal agencies and government contractors with active government contracts.

The U.S. approaches cybersecurity much in the way it does other regulatory matters, in a laissez-faire manner that focuses more on self-regulation. In a cybersecurity self-regulatory scheme, an industry is expected to “police themselves” and set standards for how best to protect their cyber-infrastructure. Proponents of this approach argue that self-regulation is the best practice because the industry itself is the best entity to determine what vulnerabilities the industry has. If the past year has shown us anything, it should show that the self-regulation of the cyber world lacks the necessary security proponents argue comes from industry expertise. The city of Baltimore was attacked with ransomware. Public reports of the attack stated the cost to the city was over $18 million to restore services, such as payment processing for utility bills, basic email communications, and critical emergency systems like 911. Last year, reports began surfacing of a security breach within the State Department. It was revealed that SolarWinds, a government IT contractor that specializes in providing software for supporting IT infrastructure, was hacked by Russian nationals who inserted malicious code into software that allowed the hackers to “hide in plain sight” and appear as legitimate network traffic. Ultimately the SolarWinds hack has affected dozens of federal and state agencies as well as private enterprises who downloaded the infected software. The hack compromised systems and allowed the hackers to steal information such as FireEye’s hacking tools that they use to test clients’ security. And this past March, Microsoft, one of the largest software companies in the world, suffered a data breach in their Microsoft Exchange Server Platform, which hosts entities ranging from police departments to credit unions. The attack saw over 30,000 organizations, which represent and/or hold data for millions of people across the country, have private email communications stolen. Victims of the hack include law firms, infectious disease experts, defense contractors, and higher education institutions.

Recently the District of Columbia Metropolitan Police Department was the victim of a major data breach. An attack on the Department’s IT servers saw dozens of private personnel files, including home addresses, cellphone numbers, and more released by hackers after payment demands were refused. Just last month, the group responsible released raw intelligence related to everything from the Jan. 6 riots to intelligence on criminal activity. The hacking group  In Florida, in what might be the first active cyberterrorist attack on U.S. soil that could cost American lives, hackers were able to access a water treatment facility command and control system and attempted to poison an entire city’s water supply. Finally, in two back-to-back attacks on major critical infrastructure, major portions of the country were severely disrupted. The Colonial Pipeline attack saw gas shortages for weeks that disrupted the entire East Coast. In that case, a ransomware attack locked down a critical pipeline that feeds gas from New Jersey to Texas and touches nearly every state in-between. If that wasn’t enough, the most recent attack on the nation’s critical infrastructure, this time an attack on our nation’s food supply, should be. In that attack, criminal groups related to Russia forced a shutdown of one of our nation’s largest meat suppliers.

To sum up, we have three major metropolitan areas, one critical federal agency, two critical infrastructure sectors, with about eleven states and millions of people affected by some type of cybersecurity attack. And for all but one, that is just within the last eight months. Self-regulation cannot fix this. Experts from both the private and public sectors agree on this. Microsoft’s President stated before Congress, “We need to impose a clear, consistent disclosure obligation on the private sector”. The response of Chairman Richard Glick of the Federal Energy Regulatory Commission to the Colonial Pipeline attack highlights the issue completely: “Simply encouraging pipelines to voluntarily adopt best practices is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors”. If self-regulation were capable of meeting this threat, the Department of Homeland Security would not be issuing new regulations for pipeline security measures.

What is clear from the evidence over the last two years is that self-regulation in the cybersecurity and data privacy realm is failing. Leaders from across multiple sectors have called on the government to provide leadership in this area and establish standards that companies must abide by. While there has been some action in the last few months (President Biden’s Executive Order, the President’s appointment of a National Cyber Director, and DHS’s move to regulate pipeline security are excellent first steps), there are still massive shortcomings in the way cybersecurity is handled across a wide breadth of sectors in the United States. While the President’s E.O. is a good first step at the federal level, it does nothing to address infrastructure at the state level. Another question to ask is, does the E.O. affect business entities with non-government contracts (say Boeing’s commercial manufacturing)? Further, the E.O. does nothing for the thousands of other small-to-moderate sized businesses that store sensitive data that do not have government contracts at all. The U.S. needs to stop relying on business entities to police themselves and instead empower the most capable entity it can create with the ability to propose standards, regulate all cyber-related industries in the U.S., and enforce regulations like mandatory breach notification, encrypting all personal information, and requiring basic security measures like firewalls. When it’s your own industry base calling for regulations like mandatory breach notification, it’s past time to call for that same industry to do better.

Public Health Emergency Leads to the Need for Privacy Legislation

By CHHS Extern Nicole Fullem 

Due to the COVID-19 pandemic, healthcare systems were forced to move to a more remote environment and required to adopt telehealth services to bring care to patients. The Department of Health and Human Services (HHS) defines telehealth as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient professional health-related education, public health and health administration.” At the beginning of the public health emergency, HHS relaxed the Health Insurance Portability and Accountability Act (HIPAA) rules in response to the increase in telehealth services. HHS’s guidance recognized that some of the technologies may not fully comply with the requirements of HIPAA Rules; however, HHS explained that it would not impose penalties for noncompliance with the regulatory requirements under HIPAA. These relaxed requirements are for the duration of the national emergency; however, it is likely that telehealth services are here to stay. In December 2020, HHS saw a need to deliver better care and provide patients more access to their protected health information and therefore proposed modifications to the HIPAA Privacy Rule. The proposed rule looks to improve information sharing, create greater family involvement in the care of individuals who are experiencing emergencies, and give greater flexibility for disclosures in emergency or threatening circumstances, such as a public health emergency. However, there remain concerns surrounding the privacy of health information.

The remote environment and increased use of telehealth services create privacy concerns for many people. Although the new Privacy Rule may provide for better access to patient protected health information, some individuals have expressed concerns: the disclosure of medical records without requiring the patient’s authorization may lead to an unintended release of an individual’s sensitive information to a third party. In addition, patients would be allowed to verbally request their health information, and there are concerns that information may be released to the wrong party or that more information is released to a third party than a patient would like. More broadly, telehealth services led to an increase in email exchanges between physicians and patients and an increase in the sharing of protected health information between patients, providers, and third-party organizations. Inevitably, questions remain about how to further protect patient privacy while allowing new and evolving technology to help deliver better care. Importantly though, the public health emergency has demonstrated gaps that exist in privacy legislation, specifically in the area of healthcare and health information.

Medical records remain one of the most valuable types of information, and especially during the public health emergency, protected health information has been at a higher risk than it typically is. In 2020, about 26 million patient records were exposed to unauthorized parties in the United States. The rise in healthcare cyber-attacks stems from the poor handling of patient records and moving these records to cloud services. When HIPAA was designed in 1996, it did not account for cybersecurity and, more importantly, it has not been modified to keep up with the conditions that lead to modern healthcare cyber-attacks. HIPAA only applies to direct patient care providers, and it does not account for other third-party platforms such as fitness and personal health applications that may also collect personal data.

Previous calls for HIPAA to be modified are coming up again. There may need to be more changes to HIPAA, so that technology can be used in a way that enhances privacy protection and improves information sharing. Congress and HHS are urging that now is the time for privacy gaps to be addressed either through federal privacy legislation, or through modification to the HIPAA rule. As HHS awaits feedback on the new proposed privacy rule, at least 15 states have introduced privacy legislation, and a House Democrat introduced the first comprehensive federal privacy bill of the year, the Information Transparency and Personal Data Control Act. It is likely that states will continue to move forward with privacy legislation, but there continues to be a need for a broad federal standard.

CHHS is Hiring!

CHHS is hiring! We are looking for both JDs and those with advanced degrees in other relevant fields. Learn about the positions and apply at the links below (links work best on computers, and not on mobile devices):… (candidates with a JD)… (candidates other advanced degree)

HITECH Act Amendment and What It Means for Incentivizing Cybersecurity Safeguards

By CHHS Extern Emma Barbato

Ransomware attacks on healthcare organizations were up 50% in the third quarter of 2020. Since 2016, ransomware attacks on healthcare organizations have cost the healthcare system around 157 million dollars. Because many ransomware attacks count as Health Insurance Portability and Accountability Act (HIPAA) violations, all of this leads to a large potential for fines and risk assessments that can be quite costly for organizations. 2020 saw more penalties imposed on HIPAA covered entities (which include health plans, clearinghouses, and certain health care providers) and business associates by the Health and Human Services (HHS) Office for Civil Rights than any other year since the HHS was given the authority to impose financial penalties for HIPAA violations. As ransomware and data privacy breaches become more commonplace, the Health Information Technology for Economic and Clinical Health Act (HITECH Act), 42 U.S.C. 17931, HITECH amendment HR 7898, adopted in January 2020, attempts to incentivize organizations to adopt NIST or other viable cybersecurity safeguards that might prevent ransomware attacks on healthcare systems.

The HITECH amendment allows organizations to mitigate fines from HIPAA violations by requiring that “recognized cybersecurity practices” be considered by the Secretary of HHS in determining any HIPAA fines, audit results or mitigation remedies. If an entity has adopted the NIST Cybersecurity Framework or HITRUST CSF, for example, it will be taken into consideration when calculating fines related to security breaches. Adoption of security best practices will mitigate remedies that would otherwise be agreed between an entity and the HHS to resolve potential violations of the HIPAA Security Rule.

The amendment allows covered entities and related organizations some flexibility when applying “recognized security practices.” The term is broad and refers not only to procedures developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act and 405(d) of the Cybersecurity Act of 2015, but also any other processes that address cybersecurity that are recognized through regulations under other statutory authorities. “Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security Rule.” Because the definition of “recognized security practices” is broad, it allows for scalability that takes into account the size, scope, and complexity of each organization. For many organizations this makes NIST a great jumping-off point for creating a recognized cybersecurity prevention framework.

Based on the protection that the amendment provides, it makes sense for organizations that aren’t already implementing a NIST or other recognized framework to adopt or update their cybersecurity protocols. The HITECH amendment allows organizations to use their cybersecurity practices as a defense against HIPAA fines. While the amendment mainly benefits institutions attempting to mitigate some of the financial ramifications of a data breach, the upside for patients is that better security practices might lead to stopping ransomware attacks before they jeopardize valuable personal health information.

On the Front Lines: UMB Champions of Excellence Center for Health and Homeland Security Team University of Maryland, Baltimore

On October 19, 2020, the University of Maryland, Baltimore honored CHHS staff members for their work on the front lines during the COVID-19 epidemic. CHHS staff members have assisted local emergency management and public health offices in providing critical preparedness, response and recovery work over these past months. As a result, the University has honored 8 CHHS staff members by naming them UMB Champions of Excellence.

Michael Greenberger, JD, has seen this type of dedication since the 2002 founding of CHHS, a University of Maryland, Baltimore (UMB) center that partners closely with the Francis King Carey School of Law to provide governmental and institutional organizations with tailored and comprehensive consulting services on emergency management and homeland security. He says the eight-person team went “above and beyond” the call of duty, leaving the safety of their homes to work grueling hours during an unprecedented health crisis.

“These people shifted into these responsibilities and never said a word about the fact that this was not what they signed up for,” said Greenberger, founder and director of CHHS. “They just went and did it — and did so without complaint. Our partners have offered nothing but the highest of praise for their work.”


The staff members:

Hassan Sheikh, PharmD, JD
Jihane Ambroise, MPH, CPH
Joseph Corona, CEM
Samantha Durbin, MS
Patrick Fleming, MPA, MSL
Ian Hamilton, MS
Netta Squires, JD, MSL, CEM
Kimberly Stinchcomb, MPH, CPH




US-China, TikTok, and National Security

By CHHS Extern Arsanious Hanna 

Over the course of the last decade, the United States has been embroiled in transnational cybersecurity warfare. Washington’s concerns with America’s cybersecurity infrastructure and integrity are in response to years of intelligence agency whistleblowers and cyber hacks. Whistleblowers such as former Army Intelligence Analyst Chelsea Manning, and former NSA and CIA employee Edward Snowden—who leaked classified information to news media outlets and Wikileaks—illustrate the insider threats posed to American national security. The most recent major cybersecurity disaster is the March 2017 disclosure of classified CIA documents to Wikileaks that included CIA malware, hacking tools, and sophisticated surveillance techniques. In response to recent cyber vulnerabilities, Washington has increased cyber standards and limited foreign-based businesses’ access to the American tech industry.

In May 2019, President Trump signed an executive order granting the Secretary of Commerce the authority to block the transaction of foreign-made telecommunications equipment that poses a risk to national security. The executive order was signed to limit the Chinese telecom giant Huawei from gaining access to the American market – preventing Huawei from introducing unsafe telecommunication equipment that seeks to exploit vulnerabilities in communications technology by gathering data and intel on U.S. persons. In a February 2017 Senate Intelligence Committee hearing, senior officials from the FBI, CIA, NSA, and DIA declared that Huawei poses a security threat to American national security, and that all Huawei equipment should be avoided to mitigate cyber vulnerabilities and to prevent Chinese data gathering. Following the advice of the intelligence community, in February 2020, the U.S. Senate unanimously passed a bill to ban the purchase of Huawei equipment with federal funds. On June 24, 2020, the Pentagon placed Huawei on a list of 20 companies that are believed to be owned and controlled by the Chinese military, indicating that the Chinese government could potentially exploit the data and information stored on Huawei equipment. In response to the recent findings, on July 15, 2020, the State Department took action and hit Huawei workers with U.S. visa restrictions for abusing human rights.

Washington’s battle with Huawei is part of a larger cyber and data privacy war with Beijing, and China’s abuse of internet freedom. The newest development in the data privacy war between the United States and China comes as President Donald Trump threatens to ban TikTok in the United States. TikTok is a video-sharing social media application owned by ByteDance – a Beijing-based corporation, which has amassed over 2 billion total downloads and over 80 million daily users in the United States alone. On August 3, 2020, President Trump set a deadline of September 15, 2020 for TikTok to be sold to an American corporation, or to be banned from the United States altogether. President Trump’s threats come as the trade war between the United States and China escalates, and as the United States closes the Chinese Consulate in Houston. The United States intelligence community has accused Chinese diplomats in the Houston Consulate of engaging in economic espionage and theft of scientific research. According to FBI Director Christopher Wray, “the FBI is opening a new China-related counterintelligence case about every 10 hours. Of the nearly 5,000 active FBI counterintelligence cases currently underway across the country, almost half are related to China.” As China becomes a more belligerent actor, its increased presence threatens American national security.

In a July 14, 2020 interview, United States National Security Adviser Robert O’Brien warned that TikTok is getting facial recognition software and potentially sending this intimate data to China to collect biometrics and personally identifiable information on U.S. persons. A primary concern within the Trump Administration is that TikTok may provide Beijing with data and information on the American people to help improve China’s social credit score system – a system launched in 2014 that rates people based on their social behavior, spending habits, financial competency, public decency, and other arbitrary habits. These habits are monitored by over 200 million Chinese surveillance cameras, assigning each citizen a score. The lower the score, the fewer the liberties; the higher the score, the more autonomy. Individuals with low scores are not allowed to board trains, purchase cars, receive a loan, or attend certain colleges or universities.

Beijing’s Orwellian “Big Brother” system can exploit TikTok’s content and data to ascribe a social credit score to Americans living in the United States. In late December 2019, the United States Army followed the Pentagon’s guidance and advised all military personnel to delete or uninstall the TikTok application from all devices because of the app’s ability to track a person’s location, and the app’s storage of biometric data which can be conveyed to Beijing. Suspicion over Beijing’s exploitation of TikTok data has prompted other global powers such as India to ban the app altogether. More than 20 plaintiffs in the United States have come together in a class-action lawsuit against TikTok over the app’s privacy data concerns. China has continued to rank as one of the worst abusers of internet freedom, and if China does not change its digital authoritarianism, then the United States—for the sake of national security—will continue to show opposition to Chinese companies seeking to do business in the United States.

Unpacking Contact Tracing

By CHHS Extern Carly Yost

Public health jargon, previously only known by professionals in the field, is now a part of most people’s everyday vernacular. Due to the global pandemic caused by the emergence of COVID-19, contact tracing is among those previously unknown terms that are now a part of everyone’s daily lives. Several large cities across the United States have recently hired hundreds to thousands of new contact tracers in hopes of containing the spread of COVID-19 as restrictions on Stay-At-Home orders are lifted. At the same time, Google and Apple released software that would allow cities to create contact tracing apps which residents would download on their phones. While the concept of contact tracing may be now well-known, the application is still lackluster. The responsibility of contact tracing for public health ultimately falls on local government, but both individuals and companies can play their own role in contact tracing and help fill the gaps where local jurisdictions are struggling.

In the past few months, many local health departments have gone from employing a handful of contact tracers to hundreds and thousands. During this pandemic, contact tracers reach out to everyone who tests positive for COVID-19 and find out contact information for anyone who they have come in contact with in the past 14 days. However, in New York City, of those who tested positive, less than 50% gave contact information for those they came into contact with in the 14 days before the positive test. Privacy concerns seem to be the United States’ general deficiency in contact tracing in comparison to other countries. For example, other countries have required people to write down their contact information when entering businesses or large gatherings, in order to have a reliable method to trace contact even with people unknown to the person who tested positive for COVID-19. Without these kinds of regulations in the United States, it will remain a difficult task for contact tracers to find any strangers an infectious person may have come into contact with.

Although cities in the U.S. have not implemented similar methods, some have encouraged individuals to keep their own log. Upon a new phase of reopening for the city, Baltimore City Health Commissioner, Dr. Letitia Dzirasa, advised individuals to “[keep] physical or digital note of places they visit and instances and times in which they were in close contact with others for a prolonged period of time. This means places where you’ve been closer than 6 feet to others for longer than 15 minutes.” This individual contact log will make the work of the 300 new contact tracers hired by Baltimore City much more timely and effective. While the CDC website does not contain any specific guidelines for individuals tracing their own contacts, it does state that contact tracing is the key to slowing the spread of COVID-19. According to the CDC, a contact tracer will ask everyone to list names of those for whom they have been within six feet for over 15 minutes during the time they may have been infectious, and it seems keeping a personal log can only help during this process.

Not only local governments and individuals, but also companies have a newfound interest in contact tracing as they hope to bring their workforce back into full operation. The basics being recommended by most health departments for businesses are temperature and health screenings, but businesses are certainly going beyond those measures to track employees’ movement once inside the building, through cell phone apps, VPN tracking on work-issued laptops, badges, or even light sensors. This of course brings up privacy concerns with an intersection of employment law, health law, and privacy law, with experts advising that the best course of action would be a vetted cell phone contact tracing app. With effective contact tracing, offices can be more assured that once they reopen, they will remain open and if one person gets sick, there is a lower probability that an outbreak occurs across the entire office.

Contact tracing may seem as though it is just a new buzzword, but the CDC, health departments, and other experts continue echoing its utmost importance during the COVID-19 pandemic. Now is the time when individuals should consider what part they can play in contact tracing, to assist with the local resources already in place. Maintaining a log of people you come into contact with will aid contact tracers if you do test positive for the virus. Continuously following CDC guidelines will slow the spread of COVID-19, thereby making contact tracing more manageable. Additionally, as businesses begin to reopen, research and precautions should be taken to limit the spread of COVID, which means effectively tracing contact while not violating privacy laws. Better Business Bureau Northwest and Pacific gave precautionary tips to employers hoping to utilize contact tracing, particularly to pay attention to how and where data is stored, who has access to collected data, and how much information is shared with employees. The resounding advice for employers shopping for contact tracing applications is to find one which does not permit the employer to access the data and keeps the data anonymous and preferably stored on the user’s device. The key is to protect the individual’s right to privacy, especially concerning health data, while mitigating a “direct threat” to the health and safety of everyone in the workplace. As public health experts have long known, contact tracing is now a societal responsibility and an operational necessity.

Maryland Should Lead States in Nursing Home Emergency Preparedness

As states begin their phased reopening across the country, the legal and policy decisions made by health officials and governors are bearing full fruit or consequences. Some states, such as Florida and Georgia, which resisted state closures and led reopening, are now facing choices similar to those faced a month ago, but with much higher stakes, as cases of Covid-19 rise and threaten to overwhelm healthcare systems.

The state of Maryland, which was one of the earlier states to see cases rise, has led by example. With Governor Hogan at the helm of a substantial team of medical and public health experts, closures in the state of Maryland were carefully timed, well-communicated, and followed the best medical and scientific knowledge available for a novel virus. Maryland citizens, for the most part, were exemplary in their willingness to engage in measures to make themselves, their family, their neighbors, and their community safe. This is the bright spot in this pandemic; Maryland and its residents have risen to the challenge of this pandemic, and each day there are more stories of everyday acts of heroism.

Where Maryland has mirrored the country at large, however, is one of the dark spots in the pandemic: the disproportionate effect Covid-19 has had on residents at long term care facilities (LTCFs). According to CMS data, as of June 14th, over 40% of the approximately 115,000 Covid-19 related deaths in the US have occurred at LTCFs. Some of these deaths captured national headlines, such as the outbreak at Life Care Center in Kirkland, Washington, where 37 residents died, and dozens more residents and staff were sickened or exposed.

This story has played out across the country, and within Maryland’s borders as well. As of mid-June, nearly 60% of deaths in Maryland were at nursing home facilities. Sadly, this is not the first time nursing home deaths have made headlines: starting with the tragic consequences of Hurricane Katrina in 2005, the need for better emergency preparedness and planning in LTCFs has been a part of the national emergency preparedness discussion. In fact, in 2016, the Centers for Medicare and Medicaid announced a Final Rule for Emergency Preparedness Requirements, a sweeping, federal implementation of emergency preparedness requirements.

The rule, which requires LTCFs to have emergency plans, communication plans, and twice-yearly testing and exercises, had the ability to create a much-needed, federal-level culture shift within the LTCF industry. Unfortunately, its implementation was hampered by a new administration that announced almost immediately it would work to roll back provisions of the rule, and approached enforcement in a lackadaisical manner. More fatally, the CMS EP rule, while quite thorough in its requirements, was not coupled with any federal grant funding to help facilities meet the new requirements—many of which, such as functional or full-scale exercises, can far exceed the cost estimates CMS provided.

As we have seen in other facets of the US, changing a culture, whether in a workplace or elsewhere, takes time, effort, education, and, importantly, funding. Nursing homes throughout the country are filled with workers who are trying to do the right thing, while constantly being asked to do more with less—less money, less time, less staff. During Covid, the workers in LTCFs have become surrogate family to residents who can no longer see their own families because of visitation restrictions; these workers have coordinated video calls for families, updated caregivers on the residents’ status, and sat beside patients, reading books to those who are ill, and holding the hands of those who are dying. What LTCFs lack is a well-funded, systemic push to make emergency preparedness an integrated part of the work culture, as natural to LTCF workers as compassion is.

During this pandemic, Maryland has led the country as a state responding to a public health emergency in a measured way, as it has done so many times before. During the West African Ebola outbreak in 2014, Maryland introduced science-based quarantine and isolation policies that protected public health while safeguarding civil liberties. Where Maryland has learned hard lessons, it has made changes to safeguard residents from future harm, such as requiring backup power for dialysis centers after residents were left without access to life-saving services.

Now, Maryland should pool its strength as a healthcare and public health leader to lead the nation’s change in culture for LTCF emergency preparedness. Working with LTCFs to review infectious disease protocols, ensure case reporting, and distribute testing kits—as Maryland has now done—is critical. But Covid-19 will end, and one of its enduring legacies should be that it brought about a revolution in LTCFs’ emergency preparedness, creating a nationwide culture of safety for medically-vulnerable residents and staff no matter what the threat. Meaningful implementation of the CMS Rule can help create that culture of safety, and ensure that whatever the next emergency is, Maryland’s LTCFs are ready.

Presidential Executive Order Attempts to End Social Media’s Liability Shield under Section 230 of the Communications Decency Act

By CHHS Extern Cheryl Gordon

Twitter, Facebook, Google.  These social media sites have become ubiquitous in American culture. While some use them more than others, we all use these social media sites for various purposes.  We keep in touch with friends and colleagues.  We meet new friends and network.  We suggest new activities and provide entertainment.  We express opinions and share ideas.

The President of the United States is no different.  The pervasive reach of Twitter made the social media giant President Trump’s preferred method of communication with supporters and with the American public.  Then, in May 2020, due to tweets from the President containing information which was questioned by Twitter and other organizations, Twitter announced it would begin fact checking the President’s tweets and adding fact checking labels to those tweets. Shortly after the announcement, Twitter added fact check labels to two of the President’s tweets: one regarding mail-in voter ballots and voter fraud and one regarding voter fraud in general.

As a result, on Thursday, May 28, 2020, President Trump signed an Executive Order (the “Order”) which aims to curtail social media’s ability to perpetuate freedom of speech on the Internet by scaling back these companies’ legal liability protections under Section 230 (“Section 230”) of the Communications Decency Act of 1996 (“CDA”).  President Trump prefaced the signing of the Order by stating that this Order was a major step towards defending free speech and reducing the influence of a small number of monopolistic technology companies.  The President justified his action by explaining that social media companies have not acted in good faith and have abused the protection provided by the liability shield under Section 230 when they “censor opinions” and retract speech with which the companies do not agree.

Although the CDA was originally drafted and passed to regulate online speech in the areas of online obscenity and child pornography, the CDA contains one of the most important sections in Internet law regarding the protection of freedom of expression and innovation on the Internet.  Section 230 of the CDA provides extensive protection to online companies by shielding them against liability for information or opinions posted by third parties on their sites.  This provision protects online computer services from efforts to hold companies liable for anything third parties say or do on their platforms.

Section 230’s protection against legal liability for the speech of others allows online innovations and Internet free speech to continue to thrive.  By allowing online computer service providers to not be treated as publishers of content and by shielding these companies from legal responsibility for the content posted on their sites by users, Section 230 promotes freedom of speech on the Internet and fuels Internet innovation and growth. Section 230 creates a safe haven for websites to provide controversial content and political speech.  And, it provides a legal environment that encourages free speech.

Online companies assert that Section 230 gives them the ability to empower people and organizations from a range of backgrounds and beliefs and gives these groups a voice and a platform to reach their audiences.  They maintain that if the Section 230 liability shield is diminished or eliminated, they will be encouraged to censor content on their sites.  This will harm online speech and threaten future freedom on the Internet.

However, according to the President, the actions of online companies under Section 230 protection are a threat to freedom.  President Trump argues that social media giants and technology companies abuse the protection provided under Section 230 through censoring and editing of communications posted on their sites by private citizens for public audiences’ review.  He states that the immunity enjoyed by online companies has lasted too long and should be curtailed.

The President’s Order addresses a number of issues ranging from the First Amendment and content censorship to restricting online federal advertising and initiating federal and state reviews of what the President deems online companies’ unfair or deceptive acts.  The first section of the Order discusses free speech and social media companies’ power to “…shape the interpretation of public events; to censor, delete, or disappear information; and to control what people see or do not see.” The Order specifically targets

“…among other troubling behaviors, online platforms ‘flagging’ content as inappropriate, even though it does not violate any stated terms of service; making unannounced and unexplained changes to company policies that have the effect of disfavoring certain viewpoints and deleting content and entire accounts with no warning, no rationale, and no recourse.”

The Order states that “[w]e must seek transparency and accountability from online platforms, and encourage standards and tools to protect and preserve the integrity and openness of American discourse and freedom of expression.”

Section 2 of the Order, Protections Against Online Censorship, reviews Section 230 of the CDA.  This section explains that the immunity from liability under Section 230 is one of the rules governing the debate for a free and open forum on the internet.   The Order states that

“[i]t is the policy of the United States that the scope of the immunity should be clarified:  the immunity should not extend beyond its text and purpose to provide protection for those who purport to provide users a forum for free and open speech, but in reality use their power over a vital means of communication to engage in deceptive or pretextual actions stifling free and open debate by censoring certain viewpoints.”

According to the Order, Section 230 freedom from liability should be limited to apply to social media companies acting in “good faith” to eliminate content that is objectionable.  Section 230’s liability shield should not be available to online platforms which remove content “…to stifle viewpoints with which they disagree.”  When online platforms “censor” online speech, “…such a provider should properly lose the limited liability shield of subparagraph (c)(2)(A) and be exposed to liability like any traditional editor and publisher that is not an online provider.”  Through the Order, the President requires all U.S. government departments and agencies to narrowly interpret Section 230 and the Department of Commerce to file a petition for rulemaking with the FCC requesting that the FCC clarify when the Section 230 liability shield applies to interactive computer services. Thus, while the Order addresses freedom of expression on the internet and the country’s history related to the First Amendment, the Order aims to redefine internet free speech by limiting or in certain instances eliminating social media companies’ immunity to liability for content posted on their sites by third parties.

In response to the Executive Order, the Center for Democracy & Technology (“CDT”) filed a complaint in D.C. federal court alleging that the Executive Order violates the First Amendment, attacks the free speech rights of U.S. citizens, and tries to chill constitutionally protected free speech rights of Americans. The CDT suit also alleges that the Executive branch does not have the authority to redefine or repeal Section 230.  In their view, the Administration is usurping the power of the Legislative and Judicial branches of government.

While the technology companies, the media and the American public await the determination of the Courts, the FCC will review the Administration’s request for clarification regarding the circumstances when online companies can lose their liability shield under Section 230, leaving them liable for anything that users place on their sites.  Congress will enter into congressional inquiries.  And, the net effect may be a lot of drama with no change.

The FCC is not obligated to respond to the Trump administration’s request for rulemaking clarification or to enact new rules.  In order to effectuate any real change to Section 230, Congress must create a new law or amend Section 230 of the CDA.  Democrats and Republicans will have to put politics aside and come together to pass such a law.  Support of a bipartisan bill targeting Section 230 has broken down due to partisan politics.  The Republican agenda to end what they see as unfair bias against conservative users and websites and the Democratic agenda to stop, in their opinion, Republicans’ attempts to gain political advantage in an election year and to advance the Republican political agenda have driven the parties further apart, with each party drafting its own reform bill.  It is unlikely that the parties will agree upon a unified bill any time soon.  Without a new law, the Executive Order has no real authority to end Section 230 protections.