“FORCE MAJEURE” CLAUSES – THE PANDEMIC HIGHLIGHTS ITS CRITICAL IMPORTANCE

What is it and why’s it so important?

Force majeure literally means “superior force”.  This term is derived from French law and refers to an event or effect that cannot be reasonably anticipated or controlled.  When used correctly, a force majeure clause in a commercial contract can provide a party (or both parties) with a legal defense to not performing their contractual obligations (or suspending performance until a later time).  

With businesses forced to close and supply chains interrupted, the current pandemic has brought to the forefront, for business leaders throughout the country and around the globe, the critical importance of limiting the serious consequences of situations like the current governmental shut-downs, all of which are literally beyond their control.  Whenever there’s been wide-spread commercial loss or business interruption, such as after Sept. 11th or the devastation caused by Hurricane Katrina, and now with the entire world facing a global pandemic, having the right tools at your disposal is critical to every business’ survival.

What’s in a force majeure clause (or not) is very important.  Many of these clauses will define the events the parties agree fall under the “umbrella” of a force majeure event, allowing a party to completely terminate performance, cancel a contract or suspend performance to a later time.  Uncontrollable events such as wars, labor stoppages and extreme weather (including hurricanes, tornadoes and volcanic eruptions, often referred to as “Acts of God”), as well as condemnations or similar governmental declarations, such as states of emergency, that make performance impossible, are among the events commonly included in force majeure provisions.  Most commercial contracts contain these important provisions (all contracts should), but sometimes these provisions are so general or so specific that they can cause unnecessary problems for parties wishing to enforce them, and in some instances this important provision is completely overlooked and not included in the contract.

When these provisions have been carefully drafted, they can maximize the protections afforded to the parties, in effect legally excusing a party’s performance due to unexpected events beyond that party’s control.  I point out that these provisions do not apply when a party has been negligent or lacked good faith in performing its commercial obligations, meaning that what a party has the capacity to perform, it’s required to perform (staying within the bounds of “commercially reasonable” is often the test).  When performance has been made impossible (or is not commercially reasonable, for example by causing a party exorbitant additional costs) due to elements beyond its control, what’s in the contract, the specific contract language, becomes critically important.  If the provision is too general or does not include certain “events”, it could pose a big stumbling block for the parties down the road when facing an issue such as the current pandemic.  Whether a party would be successful in utilizing such a clause depends on several things, starting with the specific language in the contract, and then the applicable law – what governing law applies to the contract, what are the specifics of the contract deliverables, etc.?  Business interruption insurance may also be an available resource, but that depends on what’s covered or excluded from the policies – review policy provisions with care.

There are also several other potential remedies a party may be able to utilize in current contracts that have limited or no force majeure provision, when performance is impossible due to circumstances beyond their control.  In some instances, a party may have other relief available under the U.C.C. (Uniform Commercial Code), international codes of conduct, or other laws, to the extent those laws may apply to the particular transaction.  Our firm has had a high rate of success over the past few months terminating contracts or suspending contract performance through our negotiations resulting in clients receiving back deposits paid on commercial real estate development deals, re-negotiating lease terms and successfully revising or terminating other commercial contracts. 

Parties to commercial contracts will always be best served by customizing these critically-important force majeure clauses (as well as the other critical contract provisions) to reflect the risks, circumstances and specifics of the business transaction and specific industries involved.  We’re encouraging all businesses to review, and update, with the assistance of experienced business counsel, all currently-used standard commercial contracts, as well as more complex, customized commercial contracts to ensure the best possible protections and outcomes can be achieved in all on-going ventures and new contracts.  

We welcome your inquiries on how we can assist.

CORONAVIRUS (COVID-19) SCAMS ARE ESCALATING

Email phishing scams and social engineering are significantly rising!  With many Americans now working remotely from home and with the stress of the current situation being felt in many homes and communities across the nation, cyber-criminals are busy showing their inventiveness and creativity for using the current pandemic for their gain. 

In recent days, the FBI, OCR, U.S. Secret Service, the defense department and other officials have posted alerts warning of the significant spike in scams related to the current pandemic. 

Three of the most common recent scams to be on the lookout for:

1. Fake WHO emails. Recent phishing emails come from cyber-criminals posing as the WHO (World Health Organization), CDC (Center for Disease Control) and other local or state health agencies with “news” that may seem important.  These FAKE emails contain malicious links tempting you to click. Don’t.  Some are very “legitimate” looking, as nation-state and other well-heeled hackers have gotten quite sophisticated.  In recent days, many IT security experts and chief legal and data security officers, like myself, have been commenting on how “good” (how “real”) some of these recent phishing emails look.  If you get something in your inbox that looks like it’s from WHO, CDC or any other regulatory agencies, don’t open it.  If it’s a work email, contact your employer first.  They may advise you to delete it or capture a screen shot so they can warn other workforce members.  If you’re working remotely, take extra caution opening emails from anyone not known to you or from external sources. These “spoofers” have gotten so good at it that an email may seem to be internally generated from your employer or a co-worker, or to come from a governmental entity.  For many years, healthcare workers, hospitals, the defense industry and other industries have been hackers’ favorite targets. But the reach of these recent attacks goes far beyond that and is unprecedented. Every home, business and industry needs to be more vigilant. These emails are often very convincing, looking as if they come from legitimate governmental organizations or are internally generated by a corporate employer. They’re not.

One wrong click could take down an entire network or pose other significant financial, corporate or personal losses. 

2. Robo calls, texts and emails offering to sell you virus test kits or offering cures for a fee.  Most consumers know that virus testing is only available at certain healthcare sites in the U.S., and not available like this online.  Many also know there is currently no vaccine or known cure. But unfortunately, that doesn’t stop the cyber-criminals, who will use many different ploys like this to prey on the hopes and fears of some in the community. Hackers are too often successful in getting vulnerable individuals and communities, or just someone not paying attention, to click a link, a malicious link. Then it’s too late.  The results can be devastating, from fraudulent charges to compromised bank account information, identity theft, medical fraud, loss of corporate intellectual property and worse.  It’s critically important to be vigilant right now and check in with neighbors, friends, co-workers and family members who may be more vulnerable to these types of tactics threatening their personal and financial well-being.  And it’s critical for companies with remote workers to quickly take extra steps to ensure their workforce is aware of some of the newest tactics and ever-present threats.

3. Emails or calls from cyber-criminals purporting to be from local or federal health organizations warning you that someone in your community has tested positive for the virus, seeking your personal information that they would then quickly sell on the dark web, posing potentially significant privacy and financial risks.

The best way to avoid these scams is to always go directly to an official governmental website such as CDC, WHO, or other federal, state or local governmental agencies for any important updates.  And question everything before clicking or offering any information. Regulatory agencies will not contact you in this way.  And always use known, reliable news sources for keeping yourself up to date on important information affecting you and your community.  Whenever you receive an email, phone call or text requesting any personal, business, health or financial information, don’t click, don’t respond.  If you receive something through your work or personal email, take the extra few seconds, stop, don’t click.  First verify whether it’s from an internal, legitimate company source, or go to the official, external source directly to obtain information.  Anything related to the current pandemic is fair game for these hackers: airline ticket refunds, testing kits, vaccines and the economic stimulus package are other areas where clever spammers are likely to go next.

During these challenging, unprecedented times, we wish all of our clients, friends and colleagues, continued health, safety and well-being.  By working together, we shall overcome.

_____________________________________________________________________________

Please be advised, our law firm is remote capable at all times.  We will continue to work remotely to serve our clients during the current situation.  To protect our support staff, clients and the community, we’re following CDC guidelines and are prepared to respond to any requests, whether related to this topic or other legal needs, via email to tegan@teganblackburn.com, phone 860-651-9500 or remote video-conferencing.

______________________________________________________________________________

If you or someone you know may have been a victim, there are several resources available:  National Center for Disaster Fraud hotline 866-720-5721; email disaster@leo.gov or report it to the FBI tip line at fbi.gov.

An Entrepreneur’s Journey, through Silicon Valley

Silicon Valley has been in the news a lot lately.  And will continue to be.  The critically important privacy and data security issues going on with Facebook and elsewhere aren’t going away any time soon.  Regardless of which side of the “regulate them more heavily or not” debate you’re on, every U.S. business and consumer can and should be taking steps, every day, to protect themselves from the ever-present online threats.  That brings me to today’s subject, the journey entrepreneurs embark on.  The award-winning HBO series “Silicon Valley” beautifully demonstrates it all: the good, the bad, the ugly.

When asked about what I do, I tend to go through the list – primarily outside general counsel, also chief compliance officer, to a variety of privately-owned companies from tech companies to software developers, healthcare providers, architectural firms, real estate developers, retailers, restaurants, breweries, CPA firms, and others; trusted, “go to” legal advisor to start-up ventures and more mature, national enterprises for the last two decades.  Doing deals here on the east coast and throughout Silicon Valley.

On any given day, it’s often so wide ranging, it isn’t given to short synopsis.  But my experience working alongside business leaders has been humorously, surprisingly realistically portrayed in the critically acclaimed HBO series Silicon Valley – a show about a few techie guys starting out in a garage with an idea that could revolutionize how we communicate online (sound familiar?).

There’s really no short hand way to explain what I do on any given day, but odds are it’s perfectly encapsulated in any given episode of Silicon Valley. If there was a short way to explain pretty much what I do in my law practice, the Silicon Valley series depicts it all, perfectly setting the stage for what riding the wave called “entrepreneurship” is really all about.  One day closing a time-sensitive buyout of a client’s software company and the next responding to a federal trademark infringement claim for a new business owner who didn’t get counsel before going to market, arousing the unwanted attention of a big, internationally-recognized brand.

If you haven’t seen it, the series revolves around the fictional Silicon Valley company “Pied Piper”, a company with a world-changing idea, but little else.

“Silicon Valley”

They wouldn’t have made it past season one, episode one – it just started its fifth season – if the fumbling company’s founders hadn’t decided to go it alone, not hire legal counsel (or any other advisors for that matter), and so entertainingly depict everything that can and probably will happen at some point over the life of a business, certainly almost everything that can go wrong, because of that all-important first decision.

Like many businesses, real or fictional, Pied Piper developed a product with great potential and, well of course, money’s in short supply. While most of the CEOs and other business people I work with in my real day job are incredibly professional and good at what they do, not everyone we encounter knows what they’re doing or wants to play by the rules (short hand for not really legal or ethical).  Sometimes new businesses who don’t have counsel or aren’t savvy enough to avoid unscrupulous potential partners look for some “short hand” way to get there. Often this is their first mistake.

Silicon Valley Series, the early tribe

Silicon Valley takes us on a meandering, often remarkably accurate path of what can and does go wrong – crooked dealings with venture capitalists, non-disclosure agreements that blow up big time, in-fighting among the board of directors, a litany of lawsuits (completely avoidable, of course), succession issues, conflicts of interest, non-compete clauses, employment contracts and more…   All sorts of things.  All sorts of expensive, unnecessary things.   But therein lies the draw of the series.

In short, pretty much all the things any company would be dealing with from its formation onward: attracting investors, protecting intellectual property, guarding proprietary information, gaining market share, negotiating complex contracts, resolving business disputes and much more…

Exactly the kinds of things I do every day, helping clients get there, closing deals, capturing opportunities, evaluating risks, negotiating settlements and achieving good results while helping them avoid the inevitable pitfalls in today’s increasingly complex business environments. Legal issues are, of course, endemic in any business undertaking.  And Silicon Valley, along with any number of real life examples I’m recalling from decades of working alongside CEOs, prompted me to share my insights: hiring someone with the right talent and experience before making a commitment, before signing on the dotted line, before being “knee deep in a big mess”, is one of the smartest decisions any business will make.  The moral of the story, and a good general rule of thumb: calling on legal counsel only after the fact for that big, probably unnecessary, “clean up” job is going to cost a lot more, and I’m not just talking about money.  One of the most important things a good advisor does is protect the client and limit the risks by knowing how to work around the inevitable issues, while getting clients to where they need to go.

Silicon Valley Series, women who know how to get things done

And we haven’t even gotten to some of the top concerns faced by businesses today such as growing cyber security risks, trademark infringement claims, and ever-present bots out there trolling the internet causing expensive, disruptive, completely unnecessary problems.

While it’s viciously funny in the series, it’s not so funny in real life.

I’ve dealt with many of these issues over the past two decades and have seen, too closely, the tremendous, unnecessary, financial and personal strain these kinds of issues take on the unprepared. The human and financial costs can be staggering enough to do a business in.

Silicon Valley is incredibly funny, sometimes hysterically so, sometimes ingenious, profane, and ultimately enormously entertaining. It takes the viewer on some interesting, yet highly realistic, twists and turns.  Because Pied Piper is fictional, its journey is entertaining and, of course, much more dramatic than real life.  That said, the series’ attention to detail is astounding. And it is highly instructive on what can and does go wrong. Unlike their fictional company, the writers and producers of Silicon Valley show the kind of research, attention to detail, and planning that would be the envy of any company. They employ hundreds of volunteers writing and reviewing scripts to get it as close to reality as possible – among them academics, entrepreneurs, lawyers, and employees at Google, Amazon, Netflix and other well-recognized name companies. A show about a rudderless company is run by the most detail-oriented show runners in the business.

Like the founders of many successful tech companies and other businesses, Silicon Valley’s founder may be a genius in one area, maybe two, but knows dangerously little about the complexities of starting and running a business. Or how to protect his ideas and investments. Or where the cracks in the sidewalk lie.

Nicely said, successful entrepreneurs know it takes vision and the framework to get there

Whether company founders are brilliant, of the “genius variety” or otherwise (and p.s. it’s not a requisite), it’s just human nature to have a myopic hyper-focus on one (or maybe two) areas of expertise, which isn’t conducive to being able to see limitations in other areas. Entrepreneurs, by nature, are typically reluctant to delegate or give up control of their creations. After all, it’s their baby.

All too often, new businesses go about it all by trial and error, while trying to save money, listening to friends, who are remarkably short on expertise, living from day to day. In Silicon Valley as in the real world, a very costly mistake.

Pied Piper, like many smaller start-ups, can move quickly, and that’s great.  But without adequate funding, or even with funding sometimes on the way, businesses hesitate to consult properly qualified advisors – while relying on anecdotes of how things are done. They’ll stumble through, well, everything, and end up spending far more time, money and energy than if they had good, proactive advisors on board from the outset.

To say Pied Piper stumbles out of the gate would be an understatement. They find out quickly, just before a major meeting about funding, that their product name has already been taken.  Oops. How’d that happen?  Really, no one bothered to do a trademark search! The subsequent negotiations to buy the name are as humorous as they are sobering. These kinds of issues have been significantly on the rise over the past few years, and from what I’ve seen, not remotely as humorously, in my own practice, pitching an idea or going to market without securing the right protections is a huge, costly mistake.

One thing about our friends at Silicon Valley, every time they make an error, sooner or later they pay for it.  Big time. Every mistake or rushed judgment they make comes back to haunt them.  Every single one. While it’s all a bit over the top to keep us entertained, it’s realistic . . . to a point.

A business can only survive so many hard knocks before it fails, and permanently so.  Pied Piper gets knocked down and gets up over and over again, well it’s a series, and after all, it’s coming back next week, because the show is vastly funny and entertaining. Not so in the real world.  Too many entrepreneurs, often with great ideas, end up in really unfortunate and unnecessary situations only recognizing when it’s too late the value of good advice.  The cost in terms of stress, time, money, self-recrimination, business disruption or failure isn’t worth it.  It has charm in the series, it most certainly has no charm in the real world.

Anyone who’s seen the series, and by all accounts virtually everyone in the real Silicon Valley, tech companies and other start-ups around the country, instantly gets it.  I’ve discovered in my many years of practice how hard it is sometimes to adequately portray how early issues will have long-lasting effects, compounding through the life of a business as other issues arise through the course of a day.

So what’s the bottom line?  There’s a world full of opportunity out there.  If entrepreneurship is your style, go for it!

Enjoy the ride. It can be incredibly rewarding. There’s truly nothing like it. But come prepared. Having the right team of trusted advisors around you, that you can call in quickly, who know you and understand the business, that’s a smart strategy for success.

Spoiler Alert: I think you’ll find Silicon Valley vastly more entertaining if you never experience any of it.

© Tegan Blackburn 2019.  All Rights Reserved.

An All Too Common Story, About How Not To Do A Succession Plan

I had coffee with a friend recently. He does commercial real estate appraisals, usually on large factories and office buildings all across New England. He told me this story about an appraisal he had just completed, he knew it would interest me.

It was a typical river town, like so many scattered throughout New England. Once a center of manufacturing and prosperity, it now sports a tired downtown and magnificent, but abandoned, brick mills crowding the banks of a river. Even the river has seen better days.

Once booming, it was all downhill from the 1920s – the advent of air-conditioning and rise of cheap labor in the South quickly stripped away businesses that had been thriving since the Civil War. The final nails in the manufacturing coffin were the Great New England Hurricane of 1938 and devastating floods in the mid-1950s.

By the 1970s this particular town was almost boarded up. The town is miles from a city, there were no jobs in town, it was too far to commute. Enter two brothers. They could be twins – they’re both tall, thin, avuncular, with many laugh lines – though they are three years apart in age.

In the mid-1970s they bought – at bargain rates – a long stretch of property on the river. They knocked down the ruins that were there and built a modern, 110,000 square foot wire manufacturing plant. People not only thought they were crazy, they had no problem telling the brothers that to their faces.

But the business took off, and in short order became the largest employer in the area since the Depression Era. A bit of an awakening of Main Street followed, particularly restaurants and bars.

In the mid-80s the brothers expanded. This time with the blessing and full support of the town. The town gave them property on the opposite bank of the river where the brothers built an almost identical plant. The town voluntarily floated tax abatements, widened the roads for them, did everything they could to ensure the brothers were comfortable and unimpeded by bureaucracy.

The company flourished and our small New England town stayed alive. There were improvements and additions and more employees and more concessions voluntarily granted by the town. Some of the boarded-up Victorians lining the hill above town were renovated, the old movie theater reopened.

By 2010 or so, it looked like another expansion was in order, the brothers hired consultants to look for properties, held talks with the town, settled on a plant design, began training employees.

Then, one bright sunny day not too long ago, the younger brother was late for work, a rare occurrence. When he finally showed up hours into the day, he went straight to his brother’s office and told him he was done. Over. Wanted out. Now.

He had had it. He demanded to be bought out for the exact amount, down to the penny, of what half the business, property, contracts, company trucks and cars, goodwill were worth. His attorney would be in contact later in the day.

And that was it. No warning, no explanation, just a demand for his money. Indeed, no explanations were ever offered.

It goes without saying the first casualty was the expansion plans, by then in the late stages of development. It soon became apparent that the only way to pay the younger brother half the value of the company might involve some things the older brother had never considered: quickly trying to find a partner he’d be able to work with to purchase his brother’s interests, major lay-offs, selling off some assets, or maybe something he’d never contemplated and couldn’t quite wrap his head around, selling the entire business and getting out altogether.  After all his years of hard work building a successful business.  Not if he could help it.  Not the desired result.  And now, he’d have to hire counsel and devote a lot of time, attention and money to this latest, unexpected development, trying to find a solution in the middle of this.

There are, as one can imagine, a million issues that arose with every step they took.

All too often, new businesses (and more seasoned businesses alike) tend to put off important topics like succession planning for another day, especially as business is humming along, but in life, as in business, unexpected things happen.

The best time to plan for the future, and have smooth transactions for preserving wealth, is at the start of the venture, not in the middle of a crisis.  Having good exit plans and buy-out strategies in place before they are needed is what often distinguishes the successful long-term ventures from the others.

The problem here is simple and widespread – the partners had never discussed anything beyond the day-to-day of running the business. Now, the entire financial future of both brothers is uncertain and an entire town quakes while it awaits what one of the brothers set in motion.

It’s National Cybersecurity Awareness Month

Ransomware.  Email phishing.  These are among today’s top cybersecurity threats.  Recognized every October, National Cybersecurity Awareness Month began as a collaborative effort between government and private industry groups to spread the word about some simple steps to protect yourself from these insidious online threats.

Malware, ransomware and online fraud have been dramatically increasing.

Cyber threats affect everyone, from individuals and private businesses to public-sector organizations and critical service providers like your local utility company and hospital.  It’s not just large organizations and the highly-publicized data breaches we keep hearing about in the news, like the major Anthem, Equifax, Yahoo and Facebook breaches. Every time you’re online, there’s a threat of being victimized, sometimes by human bad actors, sometimes by non-humans or bots, sometimes because somebody just wasn’t paying attention and opened something bad.  The single biggest cause of data breach is someone opening something they shouldn’t have.  Online threats are real and everywhere. And there are a few steps you can take to avoid the most common pitfalls.

Right now, the laws surrounding cybersecurity, privacy and breach notification here in the U.S. exist on a very patch-work basis across the states; some have more detailed and stringent laws than others.  And at the federal level, cybersecurity and data protection have largely been industry-specific regulations, with no single federal data protection law like the General Data Protection Regulation (GDPR) enacted a few months ago in the European Union.  California and New York have also recently enacted strong data protection regulations and more states are likely to follow suit. There’s no perfect answer to whether new cybersecurity laws here or abroad will put meaningful limits on the growing number of cyberattacks.  But regardless of what legal or technical developments do, or don’t, occur, individuals and businesses alike can, and need to, protect themselves from these growing online threats. And if the worst were to happen, it’s important to be prepared to recover from a cyberattack as quickly and cost-effectively as possible.

Now, more than ever, it’s critical to STOP and THINK, before you CLICK.

The biggest online threats over the past few years continue to be email compromise (typically through phishing attacks) and ransomware attacks.   Not only has the number of attacks increased this past year, so has the sophistication of both human and non-human actors, with large-scale phishing attacks available at extremely low cost and ransomware available as a service (Raas), the FBI reporting over 300,000 complaints to its cybercrimes unit this year alone, totaling over $800 million in losses.  Congress also reported over 300 billion of losses nationally due to cyber theft just this past year.  More than ever, every U.S business and individual with internet access needs to know what you can do to avoid these growing online threats.

Anyone can be a victim of online crime with devastating personal, financial or commercial consequences, from identity theft to stolen personal, health or other confidential information, disruption (and in some instances locking-down) computers or entire network infrastructures.  In some instances, requiring expensive breach notifications with business reputations at stake, the single biggest cause of cyberattack is because someone clicked something they shouldn’t have.

While this blog isn’t intended as a definitive answer-all to cybersecurity, there are a few common-sense rules every internet user should keep in mind to avoid the most common pitfalls when online.  Take a minute before you open it. Keep security programs and patches up to date. Use encryption, secure password logons and phrases and multi-factor authorization, whenever possible, and change them regularly.  Public or shared Wi-Fi should be avoided.  For businesses, training everyone in your organization on best practices to protect the privacy and security of your network and customers is not only a great idea, many times it’s a regulatory mandate. Most of these problems occur because of a poor understanding of how computers work or good computer hygiene, not understanding how attacks occur, not knowing or understanding the ethical or regulatory rules, visiting a site that’s infected or opening a link that well, was probably obvious, but someone hadn’t taken a moment to stop and question the source, before opening. All too often, if someone had taken a moment to stop and think, before clicking, the problem could have been avoided.

Email phishing and ransomware attacks have become increasing pervasive problems in many industries with healthcare, technology, financial and government sector organizations among hackers’ favorites.  But individuals and small businesses have also increasingly been targeted by ransomware, resulting in a computer being “locked” until the “ransom” is paid.  And there’s no guarantee the data will even be there or be uncorrupted, if you do pay the ransom. The FBI recommends not paying the ransom to deter crime.

What would you do if you were hit with ransomware? It’s important to know the answer, and what your legal and ethical obligations are if you have regulated personal, health or other confidential information on your system or device. (Please visit our earlier Blog, “You’ve Been Hit with Ransomware, Now What? And Do You Have a Duty to Report?”) So, whether you’re a small business owner, a large, highly-regulated organization or an individual using a home computer, there’s a lot you can, and should, do to help avoid these costly, pervasive problems.

Recognizing the problem is the most important part of fighting the problem.  So, before you open it, STOP & THINK, before you CLICK.   Many of these problems can be avoided.

__________________________________________________________________________

This blog is not and is not intended as legal advice.  The information provided is a general overview of the topic only and an attorney should be consulted for advice on any specific issues.

The author is legal counsel and chief data protection officer to a number of highly-regulated industry clients and frequently writes and speaks on privacy and data security issues.

If you’d like more information on this topic and what you can do to avoid these ever-growing online threats, we’d be glad to help you design and implement a privacy and information security awareness program at your organization.

 

GDPR: What Businesses (and Consumers) Need to Know:

The European Union’s sweeping new privacy regulation, the General Data Protection Regulation (GDPR), just went into effect on May 25, 2018.

Considered by many to be the most important development in data privacy in decades, GDPR heightens and standardizes data protection requirements across all EU member states applying to anyone doing business in the EU involving using or sharing personal data of any EU resident.  This new law has been several years in the making and provides far-stricter rules on protecting personal information (PI and PII) than any of its American counterparts such as HIPAA, GLB, SOX or other U.S. data protection laws that typically regulate “industry specific data” such as patient information or financial data rather than one very broad law applying to all residents.

While this new law doesn’t “technically” regulate activities with U.S. consumers, everyone in the U.S. is expected to benefit from these sweeping new regulations imposed on global providers such as Facebook, Google, Twitter and many other well-known and lesser-known businesses that use, access or share personal data of anyone residing in one of the EU’s 28 member states – that covers a whole lot of businesses and business activities here and abroad. Many of these types of more comprehensive data protection laws have been circulating around D.C. for years without adoption, and a number of U.S. states have taken the initiative to enact tougher privacy, security and data breach notification laws than some of their federal counterparts. This new E.U. law is expected to provide better data protection and transparency across the globe.

As a result of this new law, decision-makers, C-suites and boards of directors across America and the globe have been evaluating and putting into place required new privacy policies for better security, transparency and accountability, including provisions allowing consumers to choose how their personal information is or is not used or shared. We’ve all been seeing our inboxes filling up lately with notices from all the big providers like Google, Facebook, Twitter and others with a global presence updating their privacy policies. This isn’t due to the big Facebook Cambridge Analytica debacle, or to them trying to save face or generate goodwill – for them it’s required by GDPR, and the recent Facebook situation certainly highlighted the need for change.

Any businesses with strict, robust HIPAA compliance programs protecting regulated patient data (or similar compliance programs) already in place will be steps ahead of their counterparts in meeting the sweeping, new compliance requirements for any EU activities.  In the area of data security and compliance it’s always a pay-now or pay-later situation.

Businesses that haven’t yet fully complied with data protection requirements risk significant consequences. Those of us who work in this field know and often say “It’s not a question of IF – It’s a question of WHEN” a data security incident or compromise may occur – even for those who have fully complied with data protection laws. And it’s critically important for businesses to meet all the requirements, not skip steps or delay completing the requirements, as non-compliance or partial compliance is what gets most into trouble. There are just too many bad things out there on the Internet, with new variants popping up every day, for anyone to think they can’t be compromised. And the consequences of non-compliance with this new EU law are significant – far more significant than their U.S. counterparts – allowing regulators to impose fines of 4% of worldwide revenue, or 20 million dollars, whichever is greater, unlike the now more reasonable-seeming penalties for non-compliance under HIPAA, which depending upon culpability, are up to 1.5 million, per violation.

A few other important, distinguishing features of this new law include the obligation to appoint a Data Protection Officer, who must be an expert in data protection law. HIPAA and other similar U.S. regulations have similar concepts requiring the appointment of compliance officers to ensure compliance and security. The new EU law also specifically allows affected individuals to make claims directly against providers, which is not the case under many U.S. federal regulations. An extremely important difference in this EU law is also the far-stricter breach notification standard of 72 hours, as opposed to the general concept under many U.S. laws requiring breach notification within a “reasonable time”, which is often interpreted to mean 30-60 days depending upon the situation and jurisdiction and varies widely state to state.

Data protection is one of the single most urgent challenges facing businesses here and across the globe. According to a recent report by Reuters, many U.S. businesses are still struggling to understand the implications of their data privacy and protection obligations. This isn’t necessary and it’s not difficult; it just requires the time and commitment to understand the rules and put the right resources in place. Those who don’t protect customer data sufficiently will not only jeopardize their reputations; these high levels of fines are designed to send a message, a strong message: some businesses will not survive. Those who don’t get up to speed with implementing the requirements of GDPR, or who fail to fully comply with other data protection laws here in the U.S., will learn pretty quickly the true costs and consequences of putting it off for another day.

The most effective strategy for protecting personal information and combating cyberattack is understanding the rules that apply to your organization, and then implementing and enforcing the required policies and procedures.  The bad guys are just one untrained, gullible user away from a full-on, all-out intrusion.  And these laws aren’t really as much about technology as how the technology is used and require adequate, additional protections to be in place – physical, administrative and organization-wide, in addition to sufficient technology safeguards.

Many U.S. data protection regulations, such as HIPAA, have other important requirements like security awareness training for all workforce members, as failing to train employees and test their understanding and knowledge of vulnerabilities and threats is cited as the single biggest factor in most successful data intrusions. Hospitals, banks and other highly-regulated businesses are among favorites for hackers for their treasure troves of valuable PII and PHI – so any business entity using, storing or transmitting this type of highly-protected information needs to take all the required actions – and take them seriously, as penalties for skipping steps are costly and skipping steps often leads to problems. Costly, completely avoidable problems.

For American businesses, this is an excellent opportunity to evaluate what’s needed to protect yourself and your customers and stay a step or two ahead of the bad guys.  Consumers around the globe are expected to benefit from GDPR.  And many more comprehensive data protection laws should be forthcoming here and abroad.  All businesses large and small, have the obligation to protect personal data and must take adequate steps.  There’s too much at stake. One wrong click is all it takes.

______________________________________________________________________

Disclaimer. While Attorney Tegan Blackburn frequently acts as counsel and compliance officer to a number of highly-regulated entities, this article is intended to provide a broad overview of the topic only, is not legal advice and is not a replacement for advice from qualified legal counsel.

______________________________________________________________________

All Rights Reserved.  Tegan Blackburn LLC ©

 

 

Think you have a legitimate claim? Why proving damages is essential.

In the business world (and elsewhere), disputes happen all the time and for a wide variety of reasons.

Somebody did somebody wrong, and in the commercial contracting world, that means somebody needs to pay.

But, first things, first.  Are contract terms clear and unambiguous? If so, you’re off to a good start.  But all too often, contract terms aren’t as clearly spelled out as they should be – leaving the door open to one or more of the parties having different views of what the contract requires.  This always spells trouble.

Let’s assume you’ve got a binding, enforceable contract (sometimes this is also disputed) and can establish the other party failed to perform their obligations. You’ve made it past the first big hurdles, but then you’ve got to prove what’s often the most important and difficult part of your case  –  what damages resulted from the breach?

Proving damages is essential; otherwise you could walk away the “winner” without having much to show for it – this is true whether the case proceeds to trial or might be resolved in earlier settlement stages. Either way, not a good result. Without convincing, legally-admissible evidence of damages, getting a good result isn’t likely; and if settlement negotiations fail and the matter proceeds to court without sufficient evidence of damages, there won’t be a good result there either. The party who “wins” the case is never the one who’s pounding the table the loudest, it’s always the one who’s best prepared with legally-admissible evidence demonstrating all the important aspects of the case – showing there’s a valid contract, how it was breached and how the non-breaching party was commercially harmed.

After clearing the first big hurdles (you’ve established a clear, enforceable contract and how the other party breached), now comes the hardest part: proving damages. But, of course, the devil is always in the details.

Only after all these elements are met is a party likely to be awarded damages. Proving the damages component of any case is often the most important and difficult part of the case. It might be easy enough to show the other party is the bad guy who breached the contract, but without sufficient reliable evidence showing the damages resulting from the breach, a party might just be the prevailing party, the “winner in the case”, but not be awarded much. And in most commercial contracts there’s a “prevailing party” provision so the winner can also be awarded their attorney’s fees and costs. A little extra incentive to win, but counter-claims are often raised and there isn’t always a clear winner. The discovery phases of cases and testimony from parties can also raise other tricky issues. And in any formal court proceeding, one thing is certain: it’s going to be a long, expensive road to an uncertain result.

Good results come from good preparation.  When disputes arise, parties shouldn’t delay contacting legal counsel, who can evaluate claims before long, expensive, contentious proceedings are instituted.   The likelihood of recovering damages and what’s required to prove the case  must be carefully considered; and then decisions made on the best way to proceed whether through settlement negotiations, mediation or other alternative dispute resolution avenues before lawsuits are filed.  Evidence and potential testimony proving the case must be gathered and evaluated – what’s required to prove damages means no speculative or convoluted damages theories, or hearsay, or subjective opinions or guesses, just the plain, hard facts, admissible evidence showing the damages resulting from the breach.

The best contracts clearly spell out all the performance terms, including the all-important who’s required to do what, payment terms, what constitutes a default, how a party might cure a default – along with a lot of other important considerations such as additional damages or remedies a party may be entitled to. Just as important in these situations is that attorneys can often use well-drafted contracts to bolster their client’s position negotiating settlements, often without instituting legal proceedings.

One of the biggest things that gets parties in trouble is “borrowing” provisions from other contracts they’ve used or found online covering only the most basic contract provisions or terms that aren’t really relevant to the transaction. Some of these “form contracts” may sound “legalistically good” to an inexperienced business person. But, all too often in these situations, important provisions are completely left out or are so poorly drafted that they leave the door open to a lot of contentious back and forth on what the provisions mean after the contract’s signed. And most commercial transactions have their own blend of unique, important issues that must be carefully considered.

Whether the stakes are high or not, a well-qualified attorney should be called on (preferably before signing on the dotted line) not only for their legal expertise, but also for the practical experience handling the kind of issues involved to advise clients on the best way to proceed when issues arise, including how likely they are to recover damages.  I often tell my clients the best contract is the one they’ll never need to call me on after they’ve signed it, because it’s well drafted and the parties fully performed.  But things happen, and if problems develop, the starting point is the contract terms.  When contracts are well drafted, there’s a lot less fighting over what something meant.  When provisions are thoughtfully negotiated and drafted, it makes reaching a fast, effective resolution far more likely (and at far lower cost than the more traditional “fight it out in court” approach) where only one person wearing the black robe will decide the outcome.

Good results come from good preparation and clear contracts.  And when disputes arise, we work quickly gathering the best evidence for negotiating fast, effective results; and in many instances formal legal proceedings can be completely avoided – often because the contract’s clear and the evidence trail is good enough and substantial enough to prove our client’s point.

 

A Law School Tale, About DIY Estate Planning

While there’s never a ‘perfect time’ to do estate planning, it’s not something to be put off. I tend to do a lot of estate planning after the holidays and start of the New Year; it just seems to be the right time for many people.

Sometimes, I run across clients who do the planning on their own, or through LegalZoom or other on-line so-called legal providers. The one thing I consistently notice when I see this is the lack of depth involved in ‘do-it-yourself’ estate planning. With estate planning, it’s not enough to get the right answers; you have to start with the right questions.

I’m reminded of a case from my law school years.
There was an eccentric old man, who lived in the middle of nowhere in Texas. He lived on a rundown old farm, hoarder-like, though friends and family knew he had made a small fortune in oil a generation earlier.

He had been a wildcatter, he amassed his fortune on his own, he made it clear to everyone who had an interest that he was going to disperse it as he saw fit. Good for him.

In short, he did his own estate planning, let it be known that he had a Will and was not above changing it if any of his heirs displeased him. Since he lived hundreds of miles from the nearest town, perhaps all this was just his way of making sure family visited him with some regularity.

He got sick, died fairly quickly. After his well-attended funeral, his family descended on the farm en masse to search for his Will.

It began civilized enough, the family systematically went through the house looking in all the normal places ~ desk, file cabinets, shoeboxes, cookie tin ~ to no avail.

They couldn’t find it in any of the ‘normal places.’ Soon it was civilization be damned, the house was a dump anyway, and they tore up the furniture, ripped through the walls, pried up the floorboards, dug up the basement, checked the well, you name it, looking for the elusive document.

They brought in bulldozers, dug up huge mounds of dirt, systematically dismantled the barn. No Will anywhere. Nothing.

Finally, after weeks on site, bedeviled by the heat, fire ants, blackflies, they got around to an ancient chicken coop far from the house. Where they found a mason jar under the floorboards.

In the mason jar was a key, obviously to a safety deposit box. It had numbers engraved on it, but no other identifying features.

The potential heirs’ problem was daunting: there were some thirty banks within a three-hundred-mile radius of the ‘ranch’, none closer, many, many more the further one radiated out. There was nothing in the house to indicate that the deceased even had a bank account. The only way to figure it out in the pre-internet age was to pick a direction, drive to a town, go bank to bank to bank trying to match the key, repeat.

It took months. At long last, they found the bank that issued the key and the old man’s safety deposit box. The key fit, it turned, out slid a good-sized box filled with documents, securities, the works. On top of it all was a handwritten note on the deceased’s letterhead. Here’s what it said:

“You will find the key to this safety deposit box in a mason jar under the boards of the chicken coop.”

The moral of the story and what I always advise clients is that when you try to do estate planning yourself (the DIY approach), and don’t get good legal advice, sometimes what seems perfectly clear to you may not be at all clear to anyone else.

And if you’ve gone to all the trouble of doing your Will and it can’t be found by your heirs, intestacy laws apply (meaning there’s no Will) and the state’s formula, not yours, will determine who gets what. Not a good ending.

Inc. or LLC? New Limited Liability Company Act a Good Choice For Many

Important changes to Connecticut’s Limited Liability Act are highlighted in our blog today. (This new law, effective July 1, 2017, adopts many provisions of the Uniform Limited Liability Act followed in other states and received strong support from the American and Connecticut Bar Associations.) This new law provides additional flexibility and clarity to business owners and managers and may be the ideal business structure for many doing business here in Connecticut.

The efforts behind the new act were driven by a desire for Connecticut to become more “business friendly” and to encourage more businesses to form their LLCs here and remain in Connecticut. This new Act provides LLCs with greater flexibility to customize their Operating Agreements (the key governing document) to fit their circumstances. It also provides greater clarity for attorneys drafting these agreements and for courts interpreting provisions when there’s a dispute. Among the major changes for small businesses are clearer default rules for those without written operating agreements. This is always an important topic when counseling our new business clients, who need to understand that all statutory requirements must be met. Otherwise businesses run the risk of claims against their personal assets!

The Act itself is rather lengthy, but new, major provisions include:

  1. More detail about fiduciary duties and charging orders against Members in debt collection;
  2. Changes when a Member (owner) can bind the LLC as an agent;
  3. New provisions on derivative actions by a Member;
  4. Changes rules regarding mergers between Connecticut LLCs, including mergers with foreign LLCs, and adds provisions governing interest exchanges. The new Act’s requirements for the plan of merger are similar to those in current law.
  5. Terminology changes from “Article of Organization” to “Certificate of Organization.”
  6. Allows far more flexibility in drafting Operating Agreements, but may not, as one would expect, authorize any unlawful or bad faith conduct.
  7. Members are no longer agents of an LLC solely because they are a member.
  8. Changes the provisions of the former Act providing that a member or other person entitled to a distribution becomes a creditor. Under the new Act, the LLC’s obligation to make a distribution can be offset by amounts the recipient owes the LLC.
  9. Requires unanimous member approval for amendments to the Certificate of Organization or Operating Agreement and expands to super majority voting requirements approval for any act outside the LLC’s ordinary course of activities. The Act also allows members to vote without a meeting and members may appoint a proxy or agent.
  10. A duty to reimburse a member or a manager for any payment made by the member or manager in the course of doing business on behalf of the LLC, if the member or manager complied with the Act’s provisions on voting and duty of loyalty. Similarly, the Act allows an LLC to indemnify and hold harmless someone for acting as a member or manager as long as liability is not based on breaching duties regarding distributions, voting, or the duty of care or loyalty to the LLC. It extends these provisions to officers. The Act requires an LLC to indemnify a person who was successful in defending LLC in a proceeding with respect to a claim or demand based on the person’s capacity as a member, manager, or officer.

______________________________________________________________________________

Connecticut is now the 14th state to enact the most recent version of the Uniform Act, which is expected to give some better clarity to businesses in running their day-to-day operations and more consistency for courts in interpreting the Act’s provisions. As far as reaching the desired result of a friendlier business environment for Connecticut, the jury’s still out. Following the statutory rules, so companies can enjoy the protections LLCs provide, of course, remains critically important.

________________________________________________________________________

For over 2 decades, our firm has focused on advising both more sophisticated nationally-based businesses and smaller, local start-up companies, assisting clients with a wide range of legal matters such as guidance on forming LLCs and corporations, resolving contract and other business disputes, business combinations, mergers, acquisitions, compliance issues such as responding to regulatory inquiries, data breaches and many of the other issues arising in today’s increasingly complex business world.

________________________________________________________________________________

We recommend new businesses consider LLCs for the flexibility and increased clarity available under the new law, and that existing LLC governing documents be reviewed by well-qualified business counsel. We welcome your inquiries on how we can help with this or other general business law topics.

CONNECTICUT STATE CONTRACTORS – NEW DATA BREACH LAW

Our blog this month highlights some important changes to Connecticut’s data breach notification statute with important new security requirements for anyone doing business with the state. (Public Act No. 15-142, “An Act Improving Data Security and Agency Effectiveness” – “the Act”.) State contractors must comply with this new law by October 1, 2017. The Act includes some important new requirements and a few modifications to existing laws regulating personal information. These comprehensive new security requirements include mandatory security training, certifications and agency oversight. (See What’s Required of State Contractors below.)

Briefly, the Act will:

  • impose extensive new security requirements on contractors that provide goods or services to the State of Connecticut;
  • require health insurers and certain other entities subject to the jurisdiction of the Department of Insurance to implement a comprehensive information security program;
  • modify the existing Connecticut breach notification law;
  • address state agency data security and data exchange practices; and
  • add new security requirements for smartphones sold to Connecticut purchasers.

This new law applies to all state contractors, health insurers and entities subject to Department of Insurance oversight, which may have access to personal, health or other confidential information.

What’s Required of State Contractors?

In every agreement where a state contracting agency may need to share personal information (PII), protected health information (PHI) or other confidential information (CI) with a contractor, the contractor must:

  1. take precautions to prevent a data breach;
  2. implement and maintain a comprehensive data security program to protect confidential information provided by a state agency;
  3. limit access to confidential information only as necessary to complete the contracted services;
  4. maintain confidential information on only secured servers or devices; and
  5. alert both the state contracting agency and CT Attorney General of an actual or suspected data breach.

Contractors are required to have a data security program including:

  1. security policies for all employees to protect any personal, health or confidential information accessed, used, stored or transported;
  2. reasonable restrictions on accessing confidential information;
  3. at least once annually, policies and security measures must be evaluated and updated; and
  4. all employees with access to confidential information must be given security awareness training provided by the state contracting agency.

Important New Requirements for Security Breach Notifications

Many other federal and state laws already require many of the security protections required by this new law, however, not all laws are consistent and this law is intended to provide additional protections to state residents, as well as provide clearer breach notification requirements.

Data breach notification under this new law requires:

  • Notices must be provided to the consumers no later than 90 days after discovering a breach, unless shorter time notice is required under federal law; and
  • Notices must include an offer that includes identity theft prevention and, if applicable, identity theft mitigation services to affected residents, at no cost to those residents, for at least one year.
  • The consumer notification must also include information about how to enroll in the service and how to place a credit freeze on their credit file.

Comprehensive Information Security Program:

By October 1, 2017, any person or entity subject to the Act must have a comprehensive information security program in place to safeguard the PII, PHI or CI of insured or enrollees. Also, each company must certify annually to the Insurance Department demonstrating it maintains a program in compliance with the Act. The Attorney General and Insurance Commissioner will have oversight authority under the new law and may also request a copy of a company’s program to determine compliance.

The program requirements apply to every:

  1. health insurer, HMO, and other entity licensed to write health insurance in CT;
  2. pharmacy benefits manager;
  3. third-party administrator that administrates health benefits; and
  4. utilization review company.

Just like many of its federal counterparts, such as health and finance laws like HIPAA and GLBA, each Security Program must be reviewed at least once annually, be in writing and include appropriate administrative, technical, and physical safeguards to protect data.

Of note is the additional provision prohibiting sales of new smartphone models in CT unless the model has hardware or software that enables an authorized user to disable the smartphone’s essential features.

Lastly, and very importantly, the Attorney General has the authority to investigate potential violations by State contractors and bring civil actions for violations. So compliance and enforcement must be taken seriously. The Act also empowers the Department of Insurance to enforce the information security program requirements for health insurers and other entities subject to the information security requirements. The State Department of Education can ban a contractor from receiving access to education records for up to five years if a breach involves the contractor’s access to education records.

_______________________________________________________________________________

In addition to our firm’s general counsel services advising diverse industry clients on a wide range of day-to-day legal and business matters, we have extensive expertise advising clients on best practices for avoiding cyber threats; and if the worst should occur, have extensive, hands-on experience guiding clients through the critical steps that must be taken to respond to security incidents and data breaches. We welcome your inquiries on this important subject and how our firm can help you avoid these risks.