Published on:

According to its website, the Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. LifeLock has used the massive security breaches of companies like Anthem and Target to increase its membership. On July 21, 2015, the Federal Trade Commission (FTC) claimed that LifeLock—an identity theft protection company—has violated a 2010 Settlement it had made with the agency and thirty-five state attorneys general. This assertion was made due to LifeLock’s alleged misrepresentation of its security capabilities and failing to take steps to protect consumers’ information.

What is the Federal Trade Commission’s responsibility?

The FTC was created to prevent anti-competition business practices and protect consumers against deceptive or unfair business dealings. The Federal Trade Commission Act (which incorporates the U.S. Safe Web Act amendments of 2006) sets the parameters for how the agency can prosecute companies, which it believes are misleading consumers through false or deceptive advertising.  In fact, sections 45 and 52 of the statute indicate that, when a company commits an unfair act or deceptive practice, “and if it shall appear to the Commission that a proceeding … would be to the interest of the public, it shall issue and serve … a complaint stating its charges …”   In addition, section 52 addresses the illegality of false advertisements, which would be likely to induce consumers to purchase a product.  Although, LifeLock was not advertising a product, it was falsely advertising services, so consumers were induced to buying memberships.  Therefore, the FTC is utilizing its ability to prosecute companies for violating the law.

Why is the case being prosecuted and how can it proceed?

LifeLock claims that it could prevent its members from being the victims of identity theft if they paid its monthly membership fee. The FCT had a settlement in 2010 requiring LifeLock to cease its deceptive claims that the data it retained was encrypted, that information was only shared on a “need to know basis,” that members would immediately be notified of any identity breach, and that LifeLock uses all means possible to keep the personal information of it members secure. The FTC was able to prove that LifeLock’s claims were misleading compared to its actual capabilities and they settled for $12 million. Nonetheless, this recent claim indicates that LifeLock has not maintained its part of the settlement by failing to protect its users’ information, not keeping the records it was required to keep, and making deceitful claims towards consumers.

It seems that the FTC will continue to prosecute LifeLock. A class action lawsuit has been filed, but a class status has not yet been granted by the court. The difficulty with class action lawsuits for identity theft is proving actual damages, since identity theft could be used to make purchases, disseminate viruses, or send spam emails. As class action lawsuits continue after the FTC prosecution of companies that do not protect their members’ data increase, this question should be answered.

At our law firm, we assist clients with legal issues related to online privacy and cybersecurity. You may contact us to set up an initial consultation.


Published on:

Although, most people may think they understand what a class action is, however, the reality is more complex. A group of people cannot just bring a class action without following specific procedures. Notwithstanding the procedural impediments, however, in recent times, more class actions have been filed as the Internet is used as a primary source of communications, research, and transactions.

What is a class action lawsuit?

A class action is brought by a large group, usually under the name of one of the claimants or plaintiffs. In fact, Rule 23 of the Federal Rules of Civil Procedure clarifies when and how a class action can be brought to federal court. First, the class must be so numerous that joinder of all members is impracticable. In the past, classes have been certified with as few as 35 members, but normally there are large number of individuals in the class. Second, there must be questions of law or fact common to the class. One or more persons who are members of the class may sue or be sued as representatives of everyone in the class if their claims or defenses are typical of the claims or defenses of the class, and if they will fairly and adequately protect the interests of the class.  These four basic requirements are often referred to as numerosity, commonality, typicality, and adequacy of representation.

The court then has to determine whether the group can be certified as a class in order to proceed with the lawsuit. The members of the class should be informed of any settlement between the parties.  Class actions can only be brought in civil cases, but are not simply about money. They can be brought to obtain injunctive relief (i.e., a court’s restraining order). This has occurred for multiple purposes from civil rights to environmental issues.  However, cases involving internet-related violations, such as online privacy and cybersecurity, are particularly challenging because there is a lack of actual damages. In most cases, the plaintiffs claim that there are foreseeable damages—i.e., potential loss, which may or may not occur in the future.

What does it mean for companies?

Nowadays, companies are being sued for damages or injunctive relief due to privacy or cybersecurity violations. In general, organizations must comply with the industry standards in order to fulfill their obligations towards customers. They also must adhere to their own terms and conditions, which was agreed to by their customers. The biggest problem companies face is when they are hacked and information is either taken to be sold (e.g., credit card numbers) or the information is taken to be leaked (e.g., Ashley Madison data breach) in the future.  In these situations, it may takes a long time to determine who, when, where, how, and why the company’s network was infiltrated by the culprits.  So, in most circumstances, the customers of e-commerce websites have no one to seek relief against, but from the companies directly. Therefore, companies need to protect themselves by implementing proper security measures, including, but not limited to, the following: (1) Intrusion detection system; (2) Firewall; (3) Encryption; and (4) Multi-factor authentication. An intrusion detection system is hardware or software that monitors a computer network for malicious transactions. A firewall could be hardware or software that prevents unauthorized access to private networks. Encryption translates a file into a secret code in order to prevent access except when there is a private and public key that unlock the secret code.  A multi-factor authentication combines two or more independent credentials in order to grant access to a secure file. For example, one way is to require the user to enter a password, a security token, and his/her biometric data via fingerprint, retina scan, or facial recognition software into the system.  On a side note, companies should purchase cyber insurance policies in order to limited their liability.

At our law firm, we assist clients with legal issues related to class actions and internet-related issues. You may contact us to set up an initial consultation.

Published on:

Cloud computing is subject to certain complexities due to the interplay of international organizations, international users, and Cloud Computing Service Providers (collectively “CCSPs”). In essence, the owners, operators, and users of CCSPs may be subject to both national and international laws.  Furthermore, as recent events have indicated, they may face risks when it comes to data privacy and security.

What does international law mean for cloud computing?

The authority that each state has in regards to jurisdiction is a grey area. For example, the Permanent Court of International Justice considers states as having no restriction on exercising jurisdiction on other states. This is the case, unless there is a prohibition under international law. For the most part, international law is considered private law, which revolves around contractual provisions. On the contrary, organizations like the European Union, which regulate cloud computing, operate under public law. For this reason, cloud computing falls under both public and private laws. Because of this, it is difficult to coin cloud computing as a public structure for the purpose of protecting against CCSPs.  Additionally, the Restatement of Foreign Relations Law, Section 403, affects jurisdictional issues. This section provides that “a state may not exercise jurisdiction to prescribe law with respect to a person or activity having connections with another state when the exercise of such jurisdiction is unreasonable.”

What does the territorial principle mean for cloud computing?

The territorial principle is classified under both subjective and objective aspects. First, the subjective aspect provides that states can enforce laws in their own geographical territories. This is important in regards to geographical territories that have had their jurisdiction extended due to consummation. The subjective aspect is important in holding CCSPs accountable for cloud computing regulations. This way, when borders are crossed, regulations are not overlooked, and liability is still assigned when data is transferred across borders. Second, the objective aspect of territorial jurisdiction extends to actions that occur in another state, but have an effect within the state that is enforcing jurisdiction. The objective aspect is important for extraterritorial jurisdiction that is applicable to cybercrimes taking place across international borders.

How does corporate citizenship factor into international laws?

Because corporations function as separate entities, there is an on-going disagreement around corporate citizenship when it comes to international law. Pursuant to 28 U.S.C. § 1332(c)(1), a corporation is a citizen of any state by which it has been incorporated and of the state where it has its principal place of business. However, this is usually not as simple as it sounds. For example, a corporation may have been incorporated in Los Angeles, California, but holds its principal place of business in another state.  Moreover, if a CCSP has a subsidiary in the country it operates in, the subsidiary would need to follow the host country’s regulations. Regardless of the citizenship of the corporation or individual utilizing the CCSP, it is important that the international laws for cloud computing become standardized.  A state must be able to regulate cloud computing while recognizing international authorities.  Hence, with the rise of technology, uniform laws should be implemented in the near future. This way, international laws for cloud computing will move towards standardization.

At our law firm, we assist clients with legal issues related to cloud computing and international laws. You may contact us to set up an initial consultation.

Published on:

Security issues related to cloud computing must be dealt with carefully because of the legal uncertainties that surround its regulation.  At this time, the European Union and the United States deal differently with cloud computing and its security.

What methods are used to deal with cloud computing security issues?

Security issues can be dealt with by breaking them down, which is how the United States approaches them. The European Union, on the other hand, prefers to directly control cloud-computing issues. In the case of the European Union, all states must be in agreement about regulations in order for them to become rules. However, when specifically evaluating the United States, the Stored Communications Act (“SCA”) proves to be an issue. Because the SCA is a subpart of the Electronic Communications Privacy Act (“ECPA”), certain transactions within cloud computing fall separately under the statutes.  This is significant because only certain classifications of stored data are protected by the SCA. Thus, different data transmission processes have varying levels of protection. Because the ECPA was drafted in 1986, it is outdated, and brings concerns about data security. Additionally, security concerns exist when it comes to the power of the federal government in regards to data, especially in the hands of the Department of Justice or National Security Agency.

What dangers can cloud computing users face?

Cloud computing service providers are ultimately concerned with making profit and minimizing their risk. Because of this, mandatory contracts have been implemented, so that users agree to terms and conditions before uploading data into the cloud. These are called cloud Service Level Agreements (i.e., “SLAs”). In fact, cloud SLAs determine the relationship between the cloud computing service providers and users. Often times, the terms of service that cloud computing service providers present can be complicated. The intention may be to catch users off-guard. In addition, providers are careful to allow themselves discretion regarding the modification or screening process of user content. This industry does not have formal regulatory standards. For this reason, several organizations (e.g., Federal Trade Commission) have been formed to protect consumers.

What actions have been taken to ensure security in cloud computing?

The juxtaposition of the vague terms and conditions and lack of formal standards has given rise to organizations aiming to protect users. For example, they include, the National Institute of Standards and Technology, International Organization for Standardization, and Cloud Security Alliance. Many companies have taken a stand against setting regulations on cloud computing, since it will likely drive down their profit maximization. Major companies have refused to join standardization organizations. For this reason, there has been an increased call for the security and risk of cloud computing. The European Union is currently taking action by evaluating what has not been covered in the Regulation on Common European Sales Law in order to create a regulatory framework to decrease risk for consumers. It has also adopted the “Unleashing the Potential of Cloud Computing in Europe” strategy. However, a divide still exists in the legislation in the United States and the standards set in place by the European Union.

At our law firm, we assist clients with legal issues related to cloud computing and security. You may contact us to set up an initial consultation.

Published on:

Cloud computing is a service that is offered by service providers and allows for large amounts of information to be stored in virtual servers.  These organizations are referred to as Cloud Computing Service Providers (collectively “CCSPs”) and operate within the “cloud.”  They are able to operate on a global scale, which makes their activities subject to international laws and places their users at the risk of loss of privacy.

What steps have been taken to protect user data?

In general, users of cloud computing relinquish their data, which may include confidential information, in order to store large amounts of information. Thus, CCSPs must be careful to protect privacy according to industry standards. The failure to establish proper safeguards may result in legal action by private individuals or governmental agencies (e.g., Federal Trade Commission). However, due to the security risk that users face by storing their data, governments have taken active roles in protecting against information loss. For example, the European Commission has instituted a Data Protection Directive.  The purpose of this directive is to to give citizens control over of their personal data and to simplify the regulatory environment for business.

How can international cooperation occur to ensure protection?

The idea that individual states should dictate regulations over CCSPs is unrealistic.  The vast amount of inconsistencies found in regulations would call for costly and inefficient control. Nations would potentially compete to become the most restrictive forces, which would create issues for regulatory measures. In reality, cooperation would be more effective if international organizations like the European Union or World Trade Organization (WTO) could join forces and organize a cohesive set of regulations. The “cloud” can then exist as a space that can be evaluated by organizations in order to protect users across the board. Another method is the use of international organization reports with application to modern-day cloud computing. For example, the UN International Covenant on Civil and Political Rights could be utilized in terms of protecting personal information. This form of safeguard can protect privacy while dealing with terrorism, however, the basis of protecting individuals’ privacy remains the same when dealing with cloud computing.

What are some constraints on international cloud computing regulations?

With the rapid growth of cloud computing and the race to apply regulations internationally, constraints do exist, given the different abilities of states. With a program like the European Union Data Protection Directive, protections might be unfairly distributed. Provisions exist about additional protections being provided if data is transferred outside of the European Union. In this way, it is possible that CCSPs existing within the European Union territories are given an advantage over ones located in the United States or other non-European nations.  Although, the WTO’s General Agreement on Trade in Services (GATS) aims to protect against unfairness, the agreement is subject to exceptions. In addition, no international organization has come into existence that works specifically to protect cloud computing activities. In a landscape where the nature of CCSPs is changing, and cyber activity increasing, it may become difficult for international organizations to handle regulations regarding cloud computing on their own. A cyber-activity centered international body of regulation would perhaps provide a more cohesive way to protect users from loss of privacy.

At our law firm, we assist clients with legal issues related to cloud computing and privacy. You may contact us to set up an initial consultation.

Published on:

The New York State Court of Appeals recently upheld a lower court’s verdict against Facebook’s claim that it had legal standing to challenge search warrants on behalf of its members. Facebook claimed that it had the ability to challenge search warrants that it saw as illegal before the warrants were executed. This verdict is considered a major setback for companies that seek to increase internet privacy.

What were the claims?

Facebook claims that, as an online entity which stores customer information, it had standing to contest search warrants brought to obtain information about its users, including, private personal messages and photographs. The company made the argument that search warrants for electronic information are different from a physical search of someone’s home. Someone else at a company has to do the searching, not the police, and more private information is accessible than would be found through a search of a defendant’s home. Therefore, Facebook claimed that the warrants served on social media companies are more like civil subpoenas for records and should be able to be challenged in court. Facebook also claimed its right to contest the warrants under the federal Stored Communications Act, but the court held that it had misinterpreted the law, which only applied to subpoenas and court orders. Although, the five-judge panel expressed concern over the scope of the search warrants and the large amounts of warrants executed, versus the small amount of those charged with a crime, however, it held that federal and state laws specify that the only person who can challenge a search warrant is the defendant.  In general, the challenge takes place at a hearing before the trial court.

Cyrus R. Vance Jr., the district attorney for Manhattan, claimed that the warrants were only used when there was probable cause to believe that further inspection of the defendant’s activities would show wrongdoing.   In this case, the crime was social security fraud.  Mr. Vance maintained that the warrants were legitimate and the government had the right to retain the information indefinitely.

What is the effect on companies that retain information?

This case was closely monitored by technology companies, which hold third party’s information. For example, LinkedIn, Twitter, Google, and New York Civil Liberties Union filed amicus briefs, which is a document that expresses the opinion of a party not involved in the case, but has an interest in the outcome. Due to this verdict, companies will have to comply with search warrants against their members without question and without informing them. The evidence can be challenged later, but it has already been obtained no matter how personal the information. Judge Renwick indicated there were troubling facts regarding the large amount of warrants and the ability of the information to be retained indefinitely. However, the ruling was final and those interested in internet privacy can wait and see if Facebook tries to appeal the ruling with the higher courts.

At our firm, we assist clients with legal issues related to internet privacy and related regulations. You may contact us to set up an initial consultation.

Published on:

In recent years, with lawyers and their clients calling for alternate methods of dispute resolution, the discovery of electronic documents has become more difficult to manage.  In fact, this dilemma is due to the expansive nature of technology and related software and hardware platforms.  As such, it has increased the costs and burdens of litigation.

What is Arbitration?

Arbitration came about as an alternative method to resolve litigation. It exists as a way to provide a way for the parties to resolve their disputes before trial. An arbitrator is granted the authority to ask for electronic data to be presented in a case. Although, arbitration is cost effective, however, flaws exist regarding the scope of electronically-stored information that may be discovered during litigation. Due to the large amount of electronically stored information, arbitral institutions like the International Institute for Conflict Prevention and Resolution (“IICPR”) have proposed guidelines for discovery.

What do the protocols entail?

The IICPR’s guidelines include four modes to narrow focus and regulate costs. First, “Mode A” provides the narrowest scope. For example, it does not allow for any prehearing disclosures. Second, “Mode B” requires that both sides yield electronic documents that are maintained in limited numbers. None of the documents can come from forensic methods (e.g., backup servers). Third, “Mode C” requires the parties to allow for forensically-obtained documents to be used over a longer period. Lastly, “Mode D” allows any electronic information relevant to the parties to be presented. Of course, the limitations of privilege and confidentiality (e.g., attorney-client privilege) are still applicable. Other protocols also exist in order to assign guidelines to arbitration. For example, the Protocol for E-Disclosure in Arbitration allows for party deliberation as soon as possible regarding the preservation or disclosure of electronic documents. The International Centre for Dispute Resolution has also provided guidelines for the information exchanged between arbitrators to remain within narrow focus. These guidelines also maintain cost effectiveness.

How is arbitration effective during eDiscovery?

It is important that arbitration agreements are drafted carefully. This way, unwanted complications may be avoided. The parties are required to preserve evidence, including, but not limited to, electronic information. This will allow the parties to prepare for litigation and clearly define the issues. In the context of electronic information, the parties must be aware of and preserve metadata, which in essence, is the data about data (e.g., the file’s author or creation date). It is also important that discovery disputes be resolved as early as possible. This can be done by consulting the American Arbitration Association’s Optional Rules for Emergency Measures of Protection. Once the arbitrator renders his/her decision, then the parties should actively seek to enforce the decision. Any noncompliance with the arbitrator’s decision may lead to sanctions. Also, arbitration carries the risk of unfavorable results due to its unpredictable nature.  When dealing with eDiscovery, arbitrators must narrow the scope of information in order to review the relevant evidence.

At our firm, we assist clients with legal issues related to electronic discovery and arbitration. You may contact us to set up an initial consultation.

Published on:

In recent times, the concern over the distribution of, and access to, users’ data on the web continues due to rising cyber activity. This has lead to an increase in Internet-related class action lawsuits.

What are the different types of class action categories?

One category of class actions relates to the use of internet cookies, which are utilized by websites and applications to obtain information about users’ activities.  These files are saved on a user’s hard drive, so the host server gains access to certain information (e.g., user’s identity and recent transactions). “Zombie cookies” have become a concern leading to class action lawsuits, as they cannot be deleted and lead to online surveillance of users.  Online advertising has also become a source of class action lawsuits, as third-party advertisers have teamed up with websites to use cookies without consent.  As a result, online behavioral advertising is created based on a user’s browsing history in order to create relevant advertisements, which may violate privacy policies.  Another category of class action is brought when a company website violates its own terms of service or privacy policies, sometimes leading to breached databases. The last category has to do with information contained on social media platforms.  As a general matter, user profiles on social media platforms (e.g., LinkedIn, Facebook) yield a large quantity of information.  These social media platforms create user profiles that are shared with third parties such as advertising firms.

What are some recent class action cases?

These cases typically occur when, often without the knowledge of the company or website, an unauthorized third party steals user information due to inadequately-secured servers.  In April of 2015, Max Schrems’ Europe vs. Facebook involved 25,000 users who claimed that Facebook had illegally collected user data, invalidated privacy policies, and had been keeping users’ likes and apps under surveillance for behavioral advertising purposes. Facebook has also been accused of taking part in the NSA’s Prism Surveillance Program. In May of 2015, Yahoo also faced a class action lawsuit in California.  Yahoo was accused of using email as a way to boost its revenue via advertising to its 275 million mail subscribers, violating California’s Invasion of Privacy Act.  In these cases, class action lawsuits were used to simplify the process of a group to receive larger damages at a lower cost.

What is the future of class action?

At this time, class action cases remain complicated, and time consuming, due to the vast networks and policies that exist in the cyber world.  Users should be cautious and monitor the information they provide online, as well as their security settings on third party and social media platforms.  The Federal Trade Commission insists that online platforms should designate a privacy staff in order to avoid future conflicts and liabilities when it comes to privacy violations. However, privacy policies remain complicated because personal information is also used to promote services for consumers.  With the largest companies in cyberspace constantly involved with class action privacy cases, it is difficult to determine the future of class action lawsuits.

At our law firm, we inform and protect clients regarding internet and cyberspace violations. You may contact us in order to setup an initial consultation

Published on:

During the course of history, the United States Constitution has been amended in order to achieve the best interests of the nation and citizens. However, technological advancements have posed as obstacles to the changes as internet and human rights have recently become issues.

What is the relation between the Internet and Human Rights?

As of now, approximately 40% of the world’s population has access to the Internet. Because of its extensive reach, the Internet has become a basic component of human life. It encompasses an individual’s freedom of expression, freedom of association, privacy, and other fundamental factors. Civil liberty and human right groups have expressed their concerns regarding the increase in government’s control and power. For example, on April 21, 2015, Senate Bill 1035 was introduced, which seeks to reauthorize Section 215 of the Patriot Act for five additional years. This means that there would be continued data collection and surveillance programs. As such, groups like Human Rights Watch have expressed their concern towards NSA’s violation of privacy rights.

Is expression via the Internet a human right?

Over a decade ago, the United Nations decided to take action towards universal access to information and communication systems leading to the WSIS Declaration of Principles to build a society around information and technology. However, the federal Constitution seeks to protect traditional mediums of expression (e.g., speech, assembly). With new outlets for expression (e.g., television, radio, web), the United States has faced continuous changes in regulation. With the rise of power within the private sector running parallel with online activity, human rights groups have begun to advocate encryption as a method to protect privacy. For example, super-intermediaries, like Google, hold much power comparable to the government and operate on a global scale. This is where tension between A2K (i.e., Access to Knowledge) and protecting the rights to use that knowledge as a freedom of expression arise. The lack of cooperation between A2K and human right efforts might be a catalyst in the ambiguity of online freedom and access.

Is restriction of information on intermediaries considered a violation of human rights?

Because communities have grasped the concept of power in the physical world, but not yet the technological world, it is difficult to assign legal responsibilities to such intermediaries that operate as government-like entities. A super intermediary, like YouTube, has the power to block or remove content, which raises the issue of whether corporations are subject to human right laws.  Although, western super intermediaries dominate cyberspace, they are still not state actors that are subject to all parts of human right laws.  In fact, the United Nations’ International Covenant on Civil and Political Rights does mention that the freedom of expression comes with certain responsibilities and restrictions.

The Global Network Initiative has attempted to create a formal framework of human rights intended for intermediaries in order to limit such problematic restrictions.  Nonetheless, international disagreements require a case-by-case analysis, as content censorship is still controversial.

At our law firm, we help inform clients regarding human rights protection on the web. You may contact us in order to setup an initial consultation.

Published on:

LastPass is a password management service that allows users to centralize all of their collective passwords under one master password. On June 15, 2015, LastPass announced that it was hacked and user data was compromised in the process.

What was stolen from the LastPass database?

LastPass officials released a statement following the attack proclaiming that the hackers did not steal master passwords, but instead gained access to authentication hashes and/or checksums. These are used in order to verify that the master password is correct upon trying to access an account. The attack also compromised cryptographic salts, password reminders, and user email addresses. Officials are confident that LastPass encryption measures ensure the protection of most users and their master passwords. However, it is also possible that fairly weak master passwords, or ones short in length, were also subject to the attack.

What danger does the hack pose?

Although, plain text versions of the master passwords were not obtained, there is fear that the attackers have all of the components to attack the master passwords at full force in the future. Since they have encoded versions of passwords, weak passwords are currently facing a higher risk. The hackers will also be able to use rented computer servers and powerful computing to figure out some of the stronger passwords. The hackers have access to password reminders, so with the help of public records, they might be able to decipher simple answers. This means that they could potentially gain access to bank accounts, social media accounts, records, files, and essentially much of the information that is meant to be protected by encryption.  In addition, back doors have been built into encrypted communications, increasing threats to common users. The accumulating threats have evoked strong reactions in cybersecurity experts and proposition has been made in order to protect consumers from impending threats.

What measures has LastPass taken since the attack?

Because the hackers did not reach the password vaults where encrypted data is stored on the company server, there is no need for users to change their passwords on individual online websites. However, master passwords should be changed and strengthened as a precautionary measure. LastPass has improved its rigorous hashing mechanism, increasing its authentication hash with “…a random salt and 10,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed on the client side. This…makes it difficult to attack the stolen hashes with any significant speed”, said Joe Siegrist in a statement released by the company. To prevent further attacks, LastPass is requiring all users attempting to log in from an unrecognized IP address or device to verify their account. This verification is done through email or text, unless multifactor authentication is enabled.

With end-user computers becoming increasingly easier to hack, it is difficult to pin down a safe database for the storage of personal data. The storage of many or all passwords in the cloud has been a long-time security concern. Vulnerability still exists in the storage environment of a database, such as LastPass, and vault contents are not yet completely safe.

At our law firm, we help inform clients regarding the rules and regulations which apply to cybercrime. You may contact us in order to setup an initial consultation.