Successor Liability – What is it and why should I care?

This blog post is prompted by an important, recent decision and case of “first impression” by the Connecticut Supreme Court containing valuable discussion of the special rules governing successor liability – Robbins v Physicians Women’s Health. (See case notes and citation below.) The following is oriented to Connecticut law, but many jurisdictions have similar rules.
How Successor Liability Arises – The General Rules:

Let’s assume a buyer wants to buy an existing business (or portion of a business). While there are many important considerations in a potential sale or purchase, successor liability (and how to avoid it) must be carefully considered. Agreements for business acquisitions are generally structured as either: (1) mergers or stock purchases of a company’s equity; or (2) purchases of the selling entity’s assets. Successor corporations may be liable for the debts and liabilities of the predecessor where there is a merger or consolidation of the two, or where there is a purchase of equity (corporate shares or LLC membership interests). This is unlike most asset purchases, where assets are typically transferred free of debts and liabilities. But care must be taken to ensure the right result.

Generally speaking, a purchaser can avoid successor liability by purchasing the assets of the selling entity, rather than purchasing the entity itself. As the high court’s Robbins decision notes, “the general rules of corporate nonliability serve, in effect, as a security blanket to protect corporate successor from unknown or contingent liabilities of their predecessors”. But deals have to be structured correctly to avoid these perils and there are important exceptions.

Exceptions to the Rules Limiting Successor Liability:

As the Connecticut Supreme Court states in the Robbins decision, the rule limiting liability is nonetheless subject to four well-established exceptions. A successor corporation may be held liable for the debts and liabilities of its predecessor when: “(1) there is an express or implied assumption of liability; (2) the transaction amounts to a consolidation or merger; (3) the transaction is fraudulent; or (4) the transferee corporation is a mere continuation or reincarnation of the old corporation.”

The specific issue decided by the Supreme Court in Robbins was limited to: “Did the Appellate Court properly determine that the covenant not to sue executed by the Plaintiff in favor of a corporate tortfeasor does not foreclose imposition of successor liability, as a matter of law, on the subsequent purchaser of that company’s assets?” The Defendant in the case claimed the covenant not to sue executed by the Plaintiff in favor of a predecessor entity (Shoreline) prior to the acquisition by Physicians Women’s Health discharged any action against both Shoreline and its successors. The Supreme Court agreed.

The court found the covenant not to sue persuasive in precluding the Plaintiff from bringing an action against the subsequent purchaser, who later acquired Shoreline’s business. If you intend to purchase a business, it’s imperative that the purchase be structured to provide sufficient protections from these kinds of claims. And the old adage “Buyer Beware” always applies. Purchasers need to conduct appropriate levels of due diligence and have strong contractual provisions they can rely on after the closing to avoid the prospect of any later arising, expensive problems.

(Case Notes: The Robbins decision was published in 304 Conn. 926 and contains an interesting discussion of covenants not to sue versus releases and various theories advanced by Plaintiff, including the liability of employers and joint tortfeasors under theories of respondeat superior, which the court found unpersuasive “straw man” theories. The underlying case involved a medical malpractice claim that Plaintiff had settled with Shoreline where she provided covenants not to sue in connection with the settlement. Shoreline was later bought out by a successor medical provider and Plaintiff attempted additional recovery from Shoreline’s successor.)

 

HHS, OIG, DOJ & OTHER INDUSTRY LEADERS RELEASE COMPLIANCE GUIDANCE

If HHS or another regulator knocked on your door today – would you “pass” the audit?

On April 29, 2015, HHS (Dept. of Health and Human Services), OIG (Office of the Inspector General), HCS (Healthcare Compliance Association) and AHLA (American Health Lawyers Association) along with other industry leaders released a first of its kind joint collaboration education resource entitled “Practical Guidance for Healthcare Boards on Compliance Oversight” providing helpful tools for identifying risks, preparing for audits and responding to incidents. The document provides diverse tools and insights to governing boards, compliance officials and those reporting to them. Recognizing there is no uniform approach to compliance – no “one size fits all” approach, this multi-faceted guidance document will be a valuable resource for organizations both large and small to evaluate the scope and adequacy of their compliance programs.

In addition to asking the right questions of the right people to evaluate the risks posed to an organization, having an incident response plan before it’s needed is one of the best ways to ensure an organization can effectively respond to and recover from a security incident. Working with qualified legal and other professionals with strong compliance experience is one of the best ways to avoid problems.

This guidance emphasizes the importance of organization-wide accountability and offers decision makers a variety of tools to evaluate the effectiveness of policies and procedures within their organizations. The guidance – I believe correctly – concludes that asking the right questions is critical to staying ahead of problems.

The DOJ (Dept. of Justice) has also just released its guidance document entitled “Best Practices for Victim Response and Reporting of Cyber Incidents” providing practical advice for fending off and responding to cyber attacks. Offering guidance on what businesses should do before, during or after a cyber attack, DOJ outlines what’s expected in the event of a security incident, including the preservation of evidence and cooperation with their investigations.

As more and more healthcare and other entities are affected by illegal intrusions, these guidance documents offer practical advice for protecting against the ever present risk of cyber attack. An organization’s risk analysis (or lack of one) is a primary area of focus for regulators – knowing insufficient analysis to be the single, biggest culprit behind many known breaches. The absolute worst time to develop a breach response plan is after an attack – having the right people, processes and resources in place before it’s needed puts every organization in the best position to respond and successfully recover from a security breach.

With more than a decade of experience helping companies prepare for and respond to regulatory audits and security incidents, we welcome your inquiries on how we can help.

HEALTHCARE DATA SECURITY

TODAY’S BIGGEST CHALLENGES

As recent news once again shows – no organization is safe from intrusion and healthcare has been a particular favorite for hackers. Huge amounts of personal, financial, health and other information were harvested in the Anthem breach with as many as 80 million personal and health records illegally harvested – and all without detection. As changes in federal and state healthcare legislation and new technologies abound, so does the threat of illegal intrusion and theft of vast repositories of personal patient information.


Not that long ago, medical records were stored in large, paper files typically free from intrusion unless thieves gained access to a medical provider’s facility. Not so today, as doctors and patients have many more ways of using and sharing information, including online patient portals (VPNs), large networked healthcare exchanges, digital medical records (e-PHI), meaningful use records (EMR) and cloud (SaaS) technologies. Many of the newer technologies have been driven by Affordable Care Act (ACA) mandates and other regulatory directives to improve patient care and outcomes.

Did you know?

1. Patient and consumer data are top targets for hackers.

Patient data is a valuable source of information for hackers – allowing quick sales of large pools of medical, personal and financial data to the highest bidder on the black market.

In the post-Target breach days, consumers learned the lesson of judiciously reviewing credit card statements and credit reports to detect improper use of their credit. It is equally prudent for consumers to periodically review their insurance billing statements and medical records for potential misuse. Credit cards often limit exposure to $50 or less, but identity theft is costly to fix and often takes years to correct. “Medical identity theft”, the latest entrant, poses not only a significant financial risk to carriers and consumers, but more importantly can pose huge medical risks to patients in need of care. Imagine someone’s “medical identity – name, address, policy no., etc.” is stolen and someone posing as the patient receives medical care – unless quickly caught (and it often takes many months for it to be detected, if at all), this treatment and diagnosis becomes a part of the insured’s medical record, posing potentially serious consequences to a patient.

2. Fraud and abuse has significant consequences on the quality and cost of care.

Fraudsters use patient medical identity to gain medical services, procure drugs, defraud insurers and benefit programs, as well as posing potentially life threatening outcomes for patients whose identity was stolen. The Medical Identity Fraud Alliance estimated the cost of medical identity theft at $20 billion last year (excluding the Anthem breach, which is largely conjecture at this time) and costs are expected to significantly rise. This figure doesn’t include physician fraud for improper billing practices under Medicare, Medicaid, False Claims Act or similar laws.

3. More HIPAA-related enforcement actions (with increased fines) are anticipated.

Federal and state agencies responsible for regulating healthcare, from Health and Human Services (HHS) to the Office for Civil Rights (OCR), Department of Justice (DOJ) and Federal Trade Commission (FTC), have announced aggressive audit plans to ensure patient data safety and limit fraud and abuse. And compliance audits won’t be limited to just “Covered Entities” – those with direct access to patients and patient data (hospitals, doctors and other direct providers) – but also extend to “Business Associates”, those with access to patient records who provide services to Covered Entities. HIPAA-regulated entities not in compliance with the final omnibus rules implemented under the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) will be faced with higher fines and sanctions for non-compliance.

Since HIPAA’s enactment in 1996, Covered Entities (direct providers) face rigorous requirements for protecting patient information (PHI, PII, ePHI, EMR) and must have appropriate security practices to protect patient data. There are multiple layers of security protocols, including technical, physical, administrative controls, as well as general organizational requirements designed to protect patient data. Since the implementation of the final omnibus rules, HIPAA compliance now extends governmental oversight and liability to all sorts of other individuals, businesses and vendors engaged by Covered Entities as their “Business Associates”. Appropriate privacy and security standards must be in place and enforced to limit the ever present risk of cyber attack.

4. More private litigation by patients is likely.

Although the HIPAA statute itself does not give patients the right to sue for violations, last year the Connecticut Supreme Court in Byrne v. Avery (as well as courts in several other states) ruled that HIPAA’s lack of a private right of action does not necessarily prevent an individual from bringing an action under state law. While the contractual provisions of most data security agreements between CEs and BAs (Business Associate Agreements) typically contain language limiting the rights of persons who can assert rights directly against them – the end result of recent court decisions seems to be opening the door for individuals affected by breach to pursue remedies against Covered Entities and Business Associates directly.

5. ACA, Final Omnibus Rules and HIPAA Privacy and Security standards impact more than just healthcare providers.

Whether working within the healthcare community or another field entirely, every business must carefully evaluate the risks posed by a breach of its data – whether from outside threats (hackers), inside threats (employee human error) or risks posed by access to sensitive data arising from services by Business Associates (third party vendors). Under the final omnibus rules, many vendors and their subcontractors fall under the definition of “Business Associate”, requiring the same rigorous compliance with HIPAA Privacy and Security standards required of direct healthcare providers. Knowing the rules and incorporating best practices to ensure data is secure must be a top priority for the healthcare industry and any downstream providers falling under the definition of Business Associate.

It’s incumbent on any individual or business having access to patient data (or any personal consumer data) to implement appropriate security practices and to investigate the practices of their subcontractors. All it takes is one mishap to be in the same position as Anthem and other healthcare providers who found themselves on the wrong side of this issue. In addition to conducting annual risk and compliance assessments, any individual or entity falling within the scope of the HIPAA/HITECH requirements should consider including or expanding cyber security coverage sufficient to protect against this increasing risk exposure – with many experts estimating the cost at $200/record for each record actually or potentially exposed to breach.

The healthcare industry and their downstream vendors can avoid trouble by:

1. Periodically assessing and addressing potential security risks;
2. Adequately training employees to understand the risks posed by the use of technology;
3. Adopting appropriate privacy and security practices;
4. Developing a Data Security Incident Response Plan with a team qualified to quickly respond if the worst should happen;
5. Adequately evaluating the risks and adding appropriate coverage for data security compromise/breach response costs (or being prepared to self-insure);
6. Reviewing/updating all data security contracts to ensure they meet the new legal requirements;
7. Vetting all technologies and vendors to make sure they measure up; and
8. Appointing a qualified HIPAA Compliance Officer to ensure the required standards are met.

If you’re thinking you’re too small to be noticed, you’re not. There’s an abundance of reliable information available showing the true cost to those not in compliance or suffering a breach. The reputational harm posed by a breach or potential security incident can have devastating consequences for the ill-prepared. Our firm regularly provides compliance counseling, HIPAA assessments and training to help our clients avoid trouble. Having represented a number of companies hacked by off-shore organized crime, I can tell you a data breach, even a suspected data breach, is something you want to avoid. And all it takes is some careful analysis and planning.

We invite inquiries on how we can assist with evaluating your needs in this critical area.

Succession Planning – Protecting Your Legacy

The Business Side of the Equation

A recent Forbes Magazine article highlights an important issue for all business owners – most don’t have adequate estate plans – in some instances not even a basic, current Will. Current stats on this show less than 50% of Americans have a Will, and the business side shows the same trend, with less than 50% of U.S. companies without adequate succession plans (sometimes no plan at all). Succession planning (and a personal estate plan consistent with it) is critical for businesses of all sizes. If the CEO or another key business leader in your organization became critically ill, suddenly departed or worse – then what?

This blog highlights how critical succession planning is to growth, sustainability and wealth preservation of any organization. My next blog will take a look at the personal side of the equation and the importance of completing personal estate planning tied to the goals of the succession plan.

Succession planning is basically the process of deciding who will lead an organization when a planned or emergency vacancy occurs in key leadership roles – someone becomes disabled, retires, passes on or suddenly departs under friendly or not so friendly circumstances. Over the past few decades as counsel to a number of closely-held entities, I’ve seen the good, the bad and the ugly on this issue. Business owners and those who rely on them suffer personally and financially if this important planning isn’t done. Businesses that fail to plan leave a lot to chance. A good succession plan will meet the needs of the organization, its key stakeholders, family members, employees, customers and others.

For closely-held and family-owned businesses, a business and the value of the business often represents the single biggest asset and most integral part of an owner’s wealth and financial security.

The Key Benefits of Succession Planning:

1. Preserving the value of the business by limiting (often eliminating) costly, disruptive disputes over who fills important roles and what direction the company takes in times of planned exits or unexpected exigencies. If the CEO or another key player is suddenly incapacitated or some other event forces an exit – then what happens? Are sufficient financial and human resources in place to be readily called upon to sustain business? No one wants to consider these issues, but it does happen and often without warning. In recounting just one instance of what can and does happen – a successful, closely-held business had misfortune strike without warning when the company’s founding member & CEO passed away a short time after a stroke, leaving grieving family members at an impasse over what to do. A key senior manager with more than 2 decades of experience at the company, the most ideal candidate to step in to lead the company, was “passed over” by the CEO’s highly-political daughter, who appointed herself to “step into his shoes”. The fallout resulted in the senior manager and other employees leaving the company and customers concerned about the future. The end result of no planning was a lot of unnecessary damage to their business reputation and very public, costly lawsuits that ensued.

2. Smooth business transition and continued growth. Well-constructed succession plans provide the necessary framework for avoiding a lot of unnecessary headaches that can negatively impact a company’s reputation and bottom line. Completing this important planning gives employees, customers and decision makers confidence about the future – a key element of any successful business.

3. Enhancing continuity, goodwill and reputation of the business. A great deal of the value of a company is tied to its goodwill and reputation. These types of disputes drain resources, harm relationships and often lead to very public disputes by disgruntled employees, unhappy family members and customers. A great deal of effort went into building a successful business, so why leave it to chance? Succession planning is one of the most critical determinants of maintaining the value of a business now and in the future.

4. Tax Implications. Creating a tax advantaged plan consistent with both short-term and long-term goals puts the company in the best position for a possible third-party sale, internal succession by family members or employees (ESOP) or other strategies to enhance the bottom line.

5. Those who don’t do this planning leave a lot to chance. The cost of completing this process is far less than what’s lost by failing to plan and well worth a good night’s sleep, keeping good customers, happy employees and a sustainable future.

How do you get started? Working with a qualified legal and financial advisor with succession planning expertise is a great way to ensure the best result.

Digital Assets – Not Just the Here and Now

The reality – digital assets are a part of everyday life. And the need to protect them has never been greater. Planning for both the protection and conveyance of digital assets is more important than ever. While I’ve written extensively about the importance of data protection and cybersecurity here on my blog (Archives on: Data Protection: What Every Business Needs to Know; Steps Consumers Can Take to Protect Their Data, related topics and articles published in the Hartford Business Journal, Hartford Courant, Connecticut Law Tribune and others), digital information also carries great importance (or can cause a lot of problems) for family members, executors, heirs, care-givers and others after the here-and-now. This blog post highlights why typical estate planning documents may not be enough.

Estate planning attorneys have always used a variety of legal documents to help clients and their loved ones manage assets (during incapacity) or transfer assets (after death) through the use of Powers of Attorney, Wills and/or Trusts. Another “tool” estate planning attorneys use is an inventory (or questionnaire) where clients identify all of their assets – real estate, personal property, health information, bank accounts, retirement accounts, life policies, veteran’s benefits, intended beneficiaries and other important information necessary to assess and accomplish important estate planning objectives.

All too often Powers of Attorney, Wills and Trusts don’t say anything about “digital assets” – things like online accounts, passwords, security questions, files stored on computers or in the cloud, email accounts, social media sites, domain names, online digital photo albums – the list goes on… While a few states have enacted legislation enabling executors to have access to digital accounts, it’s a much more cumbersome (and often uncertain) process than it needs to be. In some instances, it may be a client’s wish (during incapacity or after death) that this information remain private and accounts terminated. In other instances, digital assets may have value (financial or emotional) and be important to convey to beneficiaries or successors of business interests. What happens to the Facebook or Twitter account? What’s the password for online bank accounts, business URLs or websites?

Depending on the number and nature of digital assets (which can change as often as accounts are added, modified or terminated), it’s important to keep an up-to-date inventory of these assets, whether printed or stored on a computer, smart phone or other device, CD, DVD, flash drive or cloud. (Keeping in mind, of course, the importance of updating this information and protecting access with sufficient passwords, reliable vendors…) The person(s) selected as caretakers during incapacity or after death – executors, conservators or others – will need to know the location of Wills, Trusts and other important estate planning documents, including the inventory of assets identifying accounts and, of course, any digital assets – such as online accounts and passwords. Unfortunately, many of the traditional estate planning documents prepared by attorneys today don’t adequately address “digital assets”. Adding even more complexity to the issue is the fact that many online vendors, such as Twitter, Facebook, eBay and Google, have a wide variety of differing terms of service (“TOS”) that can prevent or hamper a non-owner’s access. If it has to go to a probate court to get resolved, the Computer Fraud and Abuse Act, internet law, probate law and numerous other laws are also likely to come into play.

Living in today’s “digital age” means keeping track of this information and making decisions on how you want it to be conveyed, used or terminated (and by whom) with the right legal instruments in place to accomplish these important goals. Powers of Attorney, Wills, Trusts and other conveyance documents should be reviewed (and updated) every few years by a qualified estate planning attorney. If estate planning documents haven’t been updated in a while, you might also run the risk of having banks or others reject them as outdated or not covering a particular subject – such as online accounts. Many banks now require Powers of Attorney to be updated every year (some require every 2 years). I’ve seen many instances where banks, insurance companies and others rejected documents (often because they’re outdated or were prepared by clients themselves or other firms), because they didn’t specifically provide for access to online accounts (the same problem often comes up with safe deposit boxes and other depositories, because they weren’t specifically mentioned). In the past, there was an assumption that checking the box on the Power of Attorney giving authority for “all other matters” would be enough. Clearly, this catch-all phrase of the past has little to no legal significance today. While probate courts can and often do accomplish important things – they’re not known for acting quickly and anything coming before them is a public proceeding. Without clear, legally sufficient documents stating clear intentions about digital assets (and other property) – the door will be open to delays, uncertainty and the possibility of lingering entanglements with online vendors, banks, business partners and family members.

Making sure your intentions are carried out in the here-and-now and after-life will require a little more planning and the right documents in place. Digital assets are here to stay and need to be included in your planning decisions for now and the future. (Preventing identity theft, when it’s more present than ever, and privacy considerations must, of course, be considered to keep the information properly protected.) We welcome inquiries on our estate planning, data protection and business succession services, as well as requests for our articles and guidelines on these important topics available to the public on request.

A NEW BREED OF SOCIAL ENTREPRENEUR

CONNECTICUT WELCOMES “BENEFIT CORPORATIONS”

If you haven’t seen it yet, there’s a new choice for socially-minded entrepreneurs – Benefit Corporations. This new form of entity gives socially-minded businesses a better opportunity to pursue and promote both more traditional, “for-profit” ideologies along with other important “non-profit”, philanthropic, social and environmental missions. Connecticut along with a growing number of other states recently adopted legislation permitting this new form of legal structure.

The idea isn’t really that new. Many companies, in addition to having clear for-profit objectives, support any number of important local, national and international missions. A growing number of companies across the U.S. (like Patagonia – one of the first U.S. companies to convert to a benefit corporation) wanted to do more by closely examining and improving the impact their products and services had on their employees, communities and the environment. The key difference between this new concept and more traditional corporations is a deliberate move from purely profit-driven decision-making to taking into account environmental impacts, employee well-being, service to under-served populations, human health, economic opportunity for the less-privileged, or promoting the arts, sciences or education. Benefit corporations are essentially “for-profit” companies committed to adopting measurable ways of improving their impacts on society. And there’s accountability for how well they do in meeting these objectives.

The new Connecticut law allows companies (like C-corps., S-corps, LLCs and other types of business entities) to convert to or create a newly formed “Benefit Corporation”. A main feature of the Benefit Corporation is the requirement for it to exercise a new and different type of “business judgment” that includes a statement of its “social” or “environmental” goals with some transparency in measuring whether those goals are met. In addition, Benefit Corporations must appoint a “Benefit Director” responsible for an annual report on whether the “public benefit” stated by the company has been met and, if not, how the directors failed to meet their stated goals. This new legal structure carries a higher burden than its more traditional counterparts by imposing additional transparency and reporting requirements. For organizations with important missions to carry out ranging from philanthropy to environmental sustainability (in addition to making a profit), benefit corporations may be the right choice.

(Additional Note: Companies choosing this form of new business structure may also want to consider obtaining the additional “B-corporation certification” offered by B-lab, an international, non-profit company based in the U.S. that certifies compliance. The author has no relationship with B-lab and offers this note to point out that the certification by this lab is not required, but may be beneficial for some entities.)

A Business Lawyer’s Inside Perspective on Avoiding Lawsuits

You can’t start or run a business without facing some risks. One of the main reasons businesses choose to incorporate (or create some other form of business entity) is to limit their personal liability – so shareholders (owners) won’t have their own personal assets at risk for the corporation’s debts and liabilities. Having advised a diverse group of business and industry clients over the past 20 years, there are a few things (often avoidable things) that get companies into trouble – sometimes big trouble. With businesses facing many more, “modern” risks today (as well as the old, more traditional ones), the saying “an ounce of prevention is worth a pound of cure” applies now more than ever.

Here’s my Top Ten for staying out of trouble:

1. Forming the business entity correctly. Choosing the right entity, making the necessary public “organizational filings” and attending to all of the other required regulatory and corporate governance documents is often one of the most under-appreciated, misunderstood parts of starting and running a business. Businesses that don’t do it correctly can be (and often are) faced with claims against their personal assets – only discovering when it’s too late that personal assets are now at risk. Not following the rules set out by state statutes where businesses are incorporated and doing business can result in what lawyers call “piercing the corporate veil”, putting personal assets at great risk. These risks can be avoided if companies are set up correctly and follow the legal requirements needed to enjoy the protections afforded by them.

2. Get it in writing. Is there a binding contract or was it just an offer? Are the terms complete and accurate? Does the Uniform Commercial Code (UCC), statute of frauds or other special rules apply? If there isn’t a “sufficient legal writing” evidencing clear contract terms accepted by the parties, you might be leaving it up to a court of law to sort it out and then be stuck with the results. Good relationships, hand-shakes and emails are great ways to do business, but without the right documentation, it can quickly become a big disputed “he said – she said” situation where nobody really wins.

3. Using clear, concise language is a great way to avoid misunderstandings that lead to disputes or lawsuits. All too often busy professionals use contract templates and “boilerplate” language they’ve “borrowed” from some other transaction. These “templates” may (or may not) have some good basic provisions, but if they aren’t carefully read or adequately modified to reflect the deal you’re doing, that can spell trouble. The best contracts contain a clear statement of the parties’ intentions, including who the parties are (yes, even this is sometimes incorrectly stated or overlooked), specifics outlining the transaction, the business terms, payment obligations, default provisions and legal rights and remedies of the parties. Having clear language is one of the best ways to avoid problems and get issues quickly resolved.

4. Know the rules. Every business is governed by some kind of federal, state, foreign or local regulation. Getting all the necessary approvals, licenses or permits before starting operations (and maintaining them) is critical. Organizations that don’t know or play by the rules are often faced with fines and enforcement actions by regulators, law enforcement, attorneys general and others and, along with fines, may be subjected to license suspensions, business closures or other very public actions, sometimes with crippling results.

5. Know the risks posed by technology. Protecting data is one of the biggest risks faced by businesses today. Not surprisingly, data theft and cyber security continue to be at the top of the list of concerns identified by businesses and consumers locally and globally. As the number of devices and ways of communicating grows, so will the risk. No business or industry is immune from the need to protect its data. It’s not just big, heavily-regulated industries (like healthcare, financial, retail and IT sector clients) that have a growing number of federal, state, international and other industry-specific regulations impacting their operations. The need to protect data impacts even the smallest Mom & Pop shops. For big business and small business alike, knowing and following the rules is crucial. Recent insurance industry data shows 60% of small businesses impacted by a data breach are out of business within a year of the attack, and cyber criminals have learned they’re often easy targets. The costs of responding to a data breach are significant and greatly outweigh the modest time and resources needed to develop adequate data protection policies to help protect against this all too present problem.

6. Protecting hard-earned “proprietary” information from theft or misuse by others is critical. Every organization needs to identify and take steps to monitor and protect its trade secrets, inventions, business formulas and other proprietary information. Using properly drafted agreements (Non-Disclosure, Confidentiality and Non-Competes, etc.) along with appropriate proprietary filings (patents, trademarks, online registrations, etc.) can provide some good protection, but care must be taken to ensure they’ll be enforced if subjected to legal challenge.

7. Insufficient funding continues to be one of the big reasons new businesses fail. Without adequate financing, paying the landlord, suppliers and employees may be impossible, leaving the door open to lawsuits, judgments and a lot of other unpleasantries. Starting out with sufficient capital along with good financial planning and accounting practices is one of the best ways to ensure the ongoing success of a company and avoid lawsuits.

8. Having the right team of advisers at the outset and along the way (before any big problems surface) is one of the best investments you can make in the success of your business. A well-qualified business attorney – one with years of experience and proven successes – can do a lot more than just set up a company and draft a contract. The best business attorneys will come equipped with strong business acumen, broad legal capabilities and the deep, industry-specific knowledge needed to advise clients on a wide variety of issues impacting their business and industry.

9. Adequate insurance coverage. With the growing number of risks businesses face today, sufficient coverage to protect against the most likely potential risks associated with a particular industry is critical. When choosing coverage, it’s important to have a clear understanding of what’s covered and what’s not to avoid unpleasant surprises. Too often policies aren’t read or understood until there’s a possible claim – sometimes resulting in too little, too late.

10. And my last bit of advice: “always follow your gut”. On more occasions than I’d care to recount, prospective new business clients contacted me and began the conversation with “Something just didn’t seem right” and, of course, they proceeded anyway – now needing the services of legal counsel (sometimes at significant expense) to clean up the aftermath. I believe this rule is as important in life as it is in the law; that is to say, trust your instincts. Because if it walks like a duck and talks like a duck – well, you know the rest of the saying…

As the year comes to a close, we wish you a wonderful holiday and new year!

As always, we invite your requests for topics here on our blog & information about our services.

National Cyber Security Recognition

In recognition of National Cyber Security Awareness Month and our firm’s commitment to bringing about more awareness to this critically important issue, we provide our readers with insightful tips on how to stay ahead of this all too pervasive issue. Unfortunately, too many think data breach is a big business problem when, in fact, their small and mid-size counterparts are more likely – not less – to be attacked. And attacks by outsiders on the internet and cyber criminals are only a part of the problem.

Did you know…

  1. More than 50% of data breaches can be attributed to the unintentional behavior or negligence of employees in the workplace. Common examples include an employee inadvertently opening a malicious email that upon closer inspection would have raised a red flag – wreaking havoc on computer systems and often resulting in the silent harvesting of private company or customer information – or failing to log off, leaving information open and exposed to potential misconduct by others. More intentional misconduct must also be guarded against when, for example, terminated employees who might be looking for retribution still have login credentials or other access to company or personal information.
  2. A staggering 60% of small businesses suffering a data breach will be out of business in less than 6 months following an attack (according to the Experian Data Breach Study in 2013 and other national sources). The cost of a data breach is not small and goes far beyond fines imposed by regulators, card brands, Attorneys General or others. The typical response cost is now estimated at about $181 per record. For even the smallest breach, this quickly adds up, with estimates for a small business data breach on average costing from $500,000 to $1,000,000 or more. In addition to the costs necessary to investigate and resolve a breach, the harm to a company’s reputation following an attack is next to impossible to calculate – often resulting in staggering consequences for the ill prepared.
  3. Over 70% of security breaches are targeted on small businesses or particular industries. Retail, healthcare, hospitality and financial sector businesses have been particularly hard hit and are often prime targets for cyber criminals. Attacks on small business aren’t usually the result of an attack on that particular, individual company, but more likely occur from the large, sweeping phishing attacks cyber criminals make on industry sectors (retail, Mom & Pop shops and restaurants are among favorites) where hackers have correctly assessed these smaller businesses are less equipped to defend against attack.

The Best Defense to Cyber Attack includes:

  1. Creating a “culture of cyber security”. Everyone in the workplace must be adequately trained and aware of the potential risk of cyber attack. For even the smallest employer, Data Protection Policies suited to the particular industry risk and job function of their employees must be developed, monitored and enforced in order to protect against both inadvertent and more intentional use or abuse of sensitive, internal company information or customer personal information.
  2. Having a Response Plan in place can minimize the impact of a breach. Hacks, breaches and other cyber crimes happen out in the world every single day, just as fires, floods and other losses occur every day in the business world. In addition to training and adequate policies, every business needs a Data Security Response Plan outlining the important steps that need to be taken when a breach has occurred or is suspected. Too many small businesses are blind-sided when a breach occurs and are faced with too little too late in the eyes of regulators and others. With so much at stake, every business needs to be prepared. No business can assume it won’t happen. With the tremendous growth of insurance products coming on the market to cover data breach losses, businesses may want to purchase coverage, but care must be taken to review what’s covered, what’s not, whether there’s coverage under existing policies and the insured’s responsibility for meeting the applicable data protection standards before coverage is available in the event of loss.
  3. Lastly, having the right team you can quickly call upon to assess and respond to a breach is critical. If and when the worst happens, having a plan in place means you won’t be consumed by the aftermath and will have the right resources in place to assess and resolve the issue as quickly and favorably as possible.

This article was written by Attorney Tegan Blackburn, who focuses her law practice in Simsbury, Connecticut on Business & Corporate Law, Compliance Counseling, Commercial Transactions and Data Breach Response. She is General Counsel and Chief Compliance Officer to various IT, healthcare, retail and other industry clients and has been called upon to resolve data breach incidents in Connecticut, as well as acting as a consultant to other firms in and out of the New England area. This article is intended as general guidance and is not legal advice. The reader should consult with an attorney regarding their particular situation.

Other online resources are available at the National Cyber Security Alliance and at:
http://www.staysafeonline.org
http://nist.gov
http://stopthinkconnect.org

Why Everyone Should Have a Will

By most estimates, less than 50% of Americans have a Will or some other testamentary device.

Some compelling things to consider:

  1. Without a Will (or some other testamentary device) the state you reside in will decide for you who gets what and who’s in charge of your estate. Whether you have a small estate or a large one, unless you have a valid Will, Trust or some other testamentary device, the state formula outlining distributions for “intestate estates” (those with no Will) will be used for distributing your property to your heirs. For those married at the time of death, if there are other living heirs (such as parents, children or grandchildren), in many states the surviving spouse will receive only a portion of the decedent’s estate. In Connecticut, what a surviving spouse receives under “intestate succession” laws (the leaving no Will formula) depends on whether or not there are living parents, children, grandchildren or great grandchildren. Needless to say, this can cause a lot of unpleasant surprises for a surviving spouse and other family members, and a lot of unnecessary inter-family conflicts. The formula used in Connecticut can be viewed at Conn. Gen. Stat. Sec. 45a-437(b) – 45a-438 (www.cga.ct.gov) and will give you an idea of just how many different scenarios you might be dealing with after the death of a family member who left no Will.

    “Not having a Will leaves a great deal to chance”

  2. When there is no Will (or the Will cannot be located) surviving family members and friends are often left behind with different views of your wishes. Stating your wishes in a legally binding way with a Will (sometimes in combination with other testamentary devices) will help avoid the contests, fights and uncertainty that often arise when there is no Will. For those who have a Trust or other instruments making beneficiary designations, having a valid Will can also help in situations where property wasn’t properly titled and transferred to the Trust or beneficiary designations or updates weren’t made.
  3. Why should everyone have a Will? Making a Will is not just for those in later seasons of life. For those who are married, widowed, have young children, have accumulated some assets, or are in or approaching retirement, having a Will is one of the best ways to ensure those you leave behind won’t be left with a lot of uncertainty and turmoil about what the future holds. Are you willing to leave it to chance? Having a Will benefits everyone.
  4. What should be in a Will? Specifying who’s in charge of handling your estate by appointing someone you have confidence in, and an alternate, to act as the Executor is a good place to start; when there are minor children, appointing a guardian is recommended to help avoid inter-family contests and disputes over who should be given this important role; if there are special needs for particular family members, this should be considered (if unequal distributions or provisions are being made it’s good to say so and why); if there are business interests at stake, making sure the Will is compatible with the company’s succession plan is critical to avoid potential conflicts with business partners; identifying any special gifts that you’d like to make; and lastly, specifying how you would like your real estate, personal property or other property divided and distributed to your heirs, others or charitable causes are among the most often included provisions of a Will.
  5. What will your legacy be? Your legacy is more than just what you’ve acquired during your lifetime and the property you leave behind for others. Leaving family members and loved ones with the confidence of knowing your wishes and settling your affairs without a lot of unnecessary problems is one of the most important reasons for preparing a Will. Too often this important topic and preparing a Will is put off for another day. Why wait – when one of the best legacies you can leave is having a valid Will describing your wishes so family members aren’t left with the additional burdens of sorting things out after you’ve gone or learning when it’s too late they won’t be entitled to what they expected from your estate. It’s extremely important that your Will be validly created and can be located when needed. It’s best to consult with a qualified estate planning attorney to ensure your Will isn’t subjected to legal questions about its validity and includes everything that’s appropriate for your situation. For those who created Wills some time ago, it’s good to review your Will every few years to make sure it still meets your needs.

This article was written by Attorney Tegan Blackburn, who concentrates her law practice on Estate Planning, Wills & Trusts, Probate, Succession Planning, Business & Corporate Law, Real Estate and Family Law. This article is not intended to be and should not be construed as legal advice and the reader should consult with an attorney concerning their particular situation.

Health Law News

HIPAA OMNIBUS COMPLIANCE – COVERED ENTITIES AND BUSINESS ASSOCIATES

Sweeping changes to the HIPAA/HITECH rules (Health Insurance Portability and Accountability Act “HIPAA” and Health Information Technology for Economic and Clinical Health Law “HITECH”) came into play September 23, 2013. This long anticipated final omnibus rule greatly expands the reach of those directly liable under HIPAA. Under the new rules, healthcare providers who are “Covered Entities” (covered healthcare providers, health plans and others defined in the rule) must update their Business Associate Agreements (See Note 3 below). “Business Associates” are now directly liable for any breach of protected patient health information (PHI) and must comply with the rule changes concerning sub-contractors and their own obligations to protect PHI.

Entities with compliant Business Associate Agreements in place before the rule change have until September 23rd of 2014 to update agreements to bring them in line with the new requirements. Business Associates must also enter into Business Associate Agreements with sub-contractors and should exercise great care in vetting new hires and compliance by their sub-contractors. Other professionals such as attorneys and financial advisors working with regulated entities, who are not directly characterized as Covered Entities or Business Associates, must exercise care in accessing, using or transmitting any confidential, protected information so as not to expose themselves or clients to potential violations. Periodic training for those handling PHI and regular audits of all systems and processes involving PHI will help minimize any accidental violation of the rules.

In large part, the new omnibus rulemaking was driven by the massive amount of patient health information (PHI) shared by healthcare providers and their vendors through open networks, e-transmissions, digital media, mobile devices, and e-health exchanges, leaving the door open to additional vulnerabilities to PHI during use or transmission.

Key changes to the HIPAA rules include:

  1. Expanding Privacy, Security and Breach Notification Policies and Procedures (with new form and work flow requirements for some providers). Breaches are now presumed reportable unless after completing the mandated risk analysis (defined by 4 factors) the entity has determined that there is a “low probability of PHI compromise”. The rules do not modify the actual reporting requirements. Covered Entities and Business Associates must still adhere to providing individual notifications, HHS notifications and where applicable media posting of the breach.
  2. Notices of Privacy Practices (NPPs) must be amended to reflect major changes in the rules concerning breach notification, disclosures to health plans, and marketing and sale of PHI. Updates to NPP policies should be posted to a healthcare provider’s website and adhere to other requirements of the privacy rules.
  3. Business Associate Agreements (BAAs). The new rules greatly expand the universe of individuals and entities that will now be treated as “Business Associates”, including health information exchanges, e-gateways, personal health record vendors and others. Covered Entities have until September 23, 2014 to bring all of their existing BAAs into conformance with the new rules. (The September 23, 2013 compliance deadline affected Business Associates not yet under contract as of that date.) Those characterized as “Business Associates” under HIPAA will now be directly liable for any compromise of PHI and must comply with all of the privacy, security and breach policy amendments of the rules or suffer the consequences.

Next Steps: Some of the most sweeping changes to HIPAA privacy and security rules expand the obligations of Business Associates, making them directly liable for any compromise of PHI. Covered Entities and Business Associates should immediately take steps to ensure that their Business Associate Agreements (including those with sub-contractors) are fully compliant with the new rules. Additional care should be taken to ensure that updates to privacy practices and work flows are actually being carried out. Those covered by the final omnibus rule must conduct periodic audits and training to ensure that all systems, processes and devices accessing, using, transmitting or storing PHI fully comply with the new HIPAA/HITECH standards. With the potential for $1.5 million in fines, not to mention serious damage to a provider’s reputation, these new rules must be taken seriously.

Note: This commentary is not intended to and should not be construed as legal advice and is provided only as a summary of key changes to HIPAA/HITECH.

Last Updated (Tuesday, 18 February 2014 09:14)