You’ve been hit with Ransomware – Now what?

You’ve been hit with Ransomware  –  Now what? And is it a reportable breach?

Well, that depends.  Given the dramatic rise in ransomware attacks recently, many regulators have issued formal guidance that it’s presumed a reportable breach.  That is, unless you can prove otherwise – prove being the operative word here. If you haven’t taken a look at our blog post, below, on the “Alarming Increase of Ransomware” and what you can do to avoid it, please take a moment to review our important recommendations.

To determine if a ransomware attack is a reportable breach under privacy and security laws such as the HIPAA/HITECH Privacy and Security Rules and other consumer protection laws, we have to start with how a breach is defined.  Under HIPAA, a breach is defined as the unauthorized or impermissible “acquisition, use or disclosure” of protected health information (“PHI”), which compromises the privacy or security of the protected information.  Many other privacy and security laws governing protected information have similar definitions that boil down to whether or not personal, health or other confidential information (“PII”, “PHI”, ePHI or “CI”) was compromised or compromise would be likely.

There are now at least 200 different “families” (variants) of ransomware, some more sophisticated than others. The most commonly used ransomware “wraps” encryption over data, locking users out of infected devices or networks (through a locking device the attacker controls).  An attack doesn’t necessarily mean that confidential data has been accessed, used or viewed, but an analysis is required by many federal and state privacy and security laws and you don’t want to get it wrong.  And there’s newer ransomware out there that’s doing more than just encrypting; it’s pulling information such as the number of records encrypted or other information so the attackers can charge a higher ransom.

THIS IS NOT A SCREEN YOU WANT TO SEE!


If you visit the websites of many federal and state regulators, including HHS, OCR and the FBI, you’ll see just how serious and prevalent this problem is. Attackers especially like targeting hospitals, government agencies and others with critical or sensitive information, and many are using newer versions of ransomware, hybrid ransomware, which infects a system but stays quiet behind the scenes loading other malware that allows data to be viewed or accessed by other third parties.  Cyber thieves are known to advertise on the Dark Web, auctioning off information and access to the highest bidder (in the same way pools of stolen credit card information are illegally auctioned off to the highest bidder).  By providing access to confidential data to other unauthorized users, the definition of breach is met.  In guidance released late last year, HHS announced that “the presence of any ransomware (or any malware for that matter) on a covered entity’s or business associate’s computer is a Security Incident under the HIPAA rules, and therefore, requires prompt investigation, remediation and possible notification.”  Once the ransomware is detected, the affected entity must promptly initiate the required security analysis and reporting procedures. See 45 C.F.R. 164.308(a)(6). Whether or not the presence of ransomware would be a reportable breach under HIPAA or other security laws is a fact-specific question.  Know what’s required!

Which begs the question – how does an organization prove protected confidential data wasn’t improperly used or compromised?  (Or whether it was and must be reported!) It may not be fast or easy, but it’s in an organization’s interests to quickly take steps to determine (and document) its findings.  In its recent Guidance, HHS has taken the position that unless the affected entity can demonstrate that there is “… low probability that PHI has been compromised”, based on the HIPAA Breach Notification Rule factors, a breach is presumed.   If other types of regulated personal data are potentially at risk and it can be established (and documented in a justifiable, reasonable way) that the ransomware only wrapped or encrypted data and the data was never viewed, used, accessed or moved off servers or devices, it may not be a reportable breach, but you have to get it right. (The exact type and variant of malware, any exfiltration attempts and other information are critical to verify.)

The affected entity should immediately put its Incident Response Plan into action.  (Let’s hope there is an Incident Response Plan, as this isn’t the ideal time to try to figure it out.  And I’d like to point out that everyone regulated under HIPAA and many other similar laws is required by law to have an incident response plan and have other security steps in place such as training all workforce members annually.  Big fines will be coming to those who don’t take this seriously and don’t have legally compliant plans in place.)   Besides the many smart business reasons to establish an incident response plan, many federal and state laws require it.

Ransomware attacks on the healthcare sector in particular, and on other organizations holding confidential data, are becoming much more common and sophisticated.  The consequences of a ransomware attack on the delivery of healthcare and other critical systems are staggering – computer networks and devices are immediately locked down, preventing access to data and systems with potentially catastrophic results.  It’s critical to respond quickly when a suspected or known security incident occurs.  And if it’s a ransomware attack, the consequences will be immediate!

Training employees on what to look out for is critical – and required!


Defending against security risks must be a top priority for every organization.  HIPAA and other similar laws require ALL workforce personnel with access to systems and data to be trained at least once annually.  This is the first thing regulators will look at and the best way to avoid attacks.  If training is deficient, or all workforce members aren’t being trained annually, then big fines and other sanctions will be imposed.  Proper training is the single most important part of protecting your organization from ransomware and similar cyber threats – make sure every person with access to a computer system or device is trained on what to look out for!  Most security incidents are avoidable and result from the “human factor”: someone opening something, clicking without thinking, and now it’s too late – systems and data are compromised or worse. Preventing attacks is a far better way to go and a far less costly proposition than reacting after an attack occurs.  I’d also like to point out that if you elect to pay the ransom, there’s no guarantee the data will be there or won’t be compromised.  The FBI and many other regulators recommend not paying ransom to hackers as a disincentive to the huge number of attacks occurring and provide the same caution we do that the data may not be there even after you pay up.   There’s no guarantee.  Following the advice we’ve outlined for avoiding the problem in the first place and having a back-up plan ready, just in case (See our July, 2016 Client Alert) is a far safer, better way to go.

______________________________________________________________________________

In addition to acting as general counsel and compliance officer to diverse business organizations, we’re frequently called on to advise clients regulated under HIPAA/HITECH laws on the best ways to assess risks and ensure compliance; and if the worst should happen, how to respond.  We welcome your inquiries on our general business and corporate legal services; and would be glad to speak with you specifically about how we can help your organization with avoiding these costly, disruptive problems.

Tegan Blackburn LLC       www.teganblackburn.com             All Rights Reserved.

National Cyber Security Awareness Month

National Cyber Security Awareness Month, recognized every October, is a collaborative effort between government and industry to ensure everyone has the resources to stay safe online.  Now in its 6th anniversary, and with more and more sophisticated cyber crime attacks affecting individuals and organizations of all sizes from large to small – Be Cyber Savvy.  Cyber crime affects us all, not just the highly publicized targets we keep hearing about.  Learn what you can do and STOP and THINK before you CLICK.

Anyone can be a victim of cyber crime, which can result in stolen IP, theft of personal information, disruption of computer systems and critical services; not to mention the high costs of responding to incidents and ransom demands made by cyber criminals who’ve locked down your computer or network until you pay up.  Ransomware attacks alone (those that are known and reported) have greatly increased in number and sophistication this past year, with some 200 new types of ransomware now lurking online. The FBI reported 300,000 complaints to its cyber crimes unit this year totaling over $800 million in losses.  Congress reported 300 billion of losses nationally due to cyber theft this past year.  Every U.S. business and individual with a device and online access needs to keep up with what’s going on in cyberspace and the latest threats, from ransomware to spear phishing – and learn what you can do to stay safe online.

Recognizing the problem is the most important part of fighting the problem.  So before you open it, STOP & THINK before you CLICK. If you’re in a leadership role in a public or a private organization and would like more information about what you can do to avoid these ever-present threats, we’d be glad to help you with adopting the right employee awareness training and risk management techniques to keep your organization ahead of these costly, unnecessary problems.  It’s imperative that organizations keep themselves abreast of developments in cyberspace and establish suitable defenses.  Have you taken the right steps to protect yourself?

Defend Trade Secrets Act of 2016

Important new federal legislation, the Defend Trade Secrets Act (“DTSA”), has been signed into law.  The most significant change of this new law is that trade secret owners may now bring a civil claim for misappropriation of trade secrets in federal court. Prior to this legislation, trade secret theft was governed exclusively by state law, resulting in a wide variety of outcomes and uncertainty.  Another significant change under the new federal law is the right, in extraordinary circumstances, to an ex parte seizure order if certain specific findings are made, showing: (1) a temporary restraining order or another form of equitable relief is inadequate; (2) an immediate and irreparable injury will occur if seizure is not ordered; and (3) the person against whom seizure would be ordered has actual possession of the trade secret and any property to be seized. This new federal law doesn’t preempt state laws.  It provides trade secret holders with important, additional recourse, more uniformity and access to federal courts.

The single most important part of this new legislation requires employers and contractors to provide a specific “whistleblower clause” (or reference to it) in every contract with employees or independent contractors governing trade secrets, proprietary rights or confidential information in order to recover critically important damages – such as punitive damages or attorney’s fees. Unless employers provide the prescribed notice in every contract with their employees or independent contractors they waive these incredibly important rights. The one immediate step we’re recommending is for all Non-Disclosure Agreements, Employee Policies and Procedures or other Confidentiality Agreements to be reviewed and updated to include the notice language required by the statute.  Otherwise, a sizable element of potential recovery in every successful trade secret case will be forever lost.

A brief re-cap of this new legislation includes:

The first group of new enactments includes a number of more technical provisions such as re-defining “trade secret” and “improper means”; clarifies that ex parte seizures may only be instituted for a limited and defined set of circumstances; and directs the Federal Judicial Center to develop best practices for the execution of seizures and the storage of seized information.

The second group of enactments provides protection to whistleblowers who disclose trade secrets to law enforcement in confidence for the purpose of reporting or investigating suspected violations of law, and outlines protections for confidential disclosures of trade secrets in lawsuits or anti-retaliation proceedings.  The statute, importantly, extends immunity under both state and federal laws in both civil and criminal proceedings.

We’d be glad to assist clients with reviewing and updating documents to ensure these important protections are included in all applicable confidentiality agreements.

________________________________________________________________

Attorney Tegan Blackburn regularly counsels clients on a wide range of sophisticated business and corporate matters, including advice on protecting their assets and “secret sauce”, trademark registration and infringement issues, regulatory compliance and a wide range of contracting issues.

(Note: This new law is based on a number of the provisions of the Uniform Trade Secret Act of 1985, adopted by several states, which was intended to provide better trademark protection and more uniform standards to trade secret holders doing business in multiple states.)


The Latest Security Threat – Ransomware

Ransomware Increasing in Alarming Numbers

The growing sophistication and volume of cyber security threats is a serious, ever-present risk.  Here’s the latest one – ransomware.  Today’s blog will help you understand what this latest threat is, how to avoid it and if the worst thing happens, how to respond to it.

Just how serious is it? If you visit the websites of any federal regulators or enforcement agencies such as the FBI, HHS, OCR or the Secret Service, you’ll see what a big threat this has become – some estimating a 3,500% increase of ransomware just this year.  Readily available, free open source code makes for easy exploits by cyber thieves. With the return on investment for cyber criminals very high, everyone from mom and dad to the local grocer, as well as big business is at risk.


There are a lot of different types of ransomware out there, but all of them have the same purpose. And it’s pretty much what it sounds like – they kidnap your data, leaving you at the mercy of criminals who’ve taken over and locked down your computer (using an encrypted locking device) until you pay up.  This is just the latest in the highly profitable criminal enterprises lurking on the internet, hitting businesses and individuals alike with software capable of locking down a computer or an entire computer network with just one wrong keystroke.

The typical way ransomware takes over is by:

  • Drive-by downloads – all it takes is a visit to a malicious website, clicking a pop-up ad or opening an infected email attachment. This is often called the “human factor” – people clicking before thinking, not taking a moment to consider if what they’re about to open is legit.  Click, and it’s too late: they’ve taken over and locked you out until you pay up.
  • Exploiting program vulnerabilities – if you don’t run and update anti-virus and malware detection (setting updates to automatic is best), you’ve left the door wide open to cyber criminals gaining easy entry to your computer system.   The hackers and crackers, or whatever you want to call them, aren’t targeting you; they have malware spiders and bots running behind the scenes 24/7 looking for any open doorway.

To up the ante, criminals often use scare tactics, displaying logos and images of known law enforcement agencies and threatening punishment or imprisonment if payment isn’t made.  All of this works at lightning speed and without warning.  As soon as the pop-up ad, email attachment or link containing ransomware is opened, everything is immediately encrypted, preventing access to the computer or network.  The attacker then demands payment (usually requiring purchase and delivery of unregulated bitcoins) before giving you the decryption key that, presumably, allows access to the computer.

What can you do to avoid this?

  1. Always back up your data: Frequent (sometimes redundant) backups of data is the best policy – if the worst happens, your data can be promptly restored.
  2. Think before clicking: Don’t click pop-up ads, open attachments or unrequested links unless you know and trust the source.  A lot of these infected emails and links contain red-flags and everyone should be trained on what to look out for.
  3. Secure your PC: Make sure you run and update adequate anti-virus and malware detection software on all systems. Check all system settings so they automatically update and apply appropriate patches.
  4. Don’t Pay: If you think you’ve been the victim of a ransomware attack, don’t panic and rush to pay. There’s no guarantee after making payment that your computer’s functionality and files will be restored. In some instances, more recent, less “robust” versions of this malware delete all your data, so even after you pay up there’s no guarantee your data will be there. In some instances the Secret Service, FBI or other law enforcement officials should also be contacted.  These agencies typically recommend not paying up as a disincentive to the bad guys, who are often here and gone, beyond the reach of U.S. officials.  (Our next blog will discuss the intricacies posed by a number of federal and state privacy, security and breach notification laws such as HIPAA, which may require notifications and additional steps to be taken.)

If you’ve done what we recommend, frequently backing up files and programs, then using your own resources to quickly restore functionality is a far better way to go than negotiating with criminals and hoping for the best.  Of course, avoiding the problem altogether is the goal, and we’d be glad to assist.

_____________________________________________________________________

Our firm frequently advises clients and provides training on how to avoid these all too present security threats, and if the worst should happen, how to respond.  We welcome your inquiries on our business and corporate legal services; and would be glad to speak with you specifically about our extensive background and expertise helping clients develop and implement the best practices, policies and procedures to avoid these unnecessary, costly problems.


New Connecticut Law Restricts Non-Compete Agreements with Physicians

New legislation significantly changes the law regarding covenants not to compete involving physicians.  This new law, effective July 1, 2016 (Public Act 16-95), is intended to increase competition among healthcare providers.  There has never been a really bright line rule for enforcing non-competes in Connecticut, or elsewhere; courts typically consider the “reasonableness” of the restrictions imposed.  With this new law, Connecticut now has a bright line rule limiting physician non-competes to no more than: (a) 1 year; and (b) 15 miles from the “primary site” where the physician practices.

The reasonableness standard that has always applied to non-competes will continue to be important.  In any enforcement action, physician non-competes will continue to be enforceable only if: (a) necessary to protect a legitimate business interest; (b) reasonable in limiting time, geographic scope and practice restrictions; and (c) otherwise consistent with law and public policy.  An important drafting note for non-competes, and when making hiring decisions, is determining (and defining) “the primary site” to avoid conflicts in interpretation when more than one location may apply.  The “primary site where the physician practices” is defined as “the office, facility or location where a majority of the revenue derived from the physician’s services is generated.”  The statute also includes additional restrictions for non-competes entered into, amended or renewed after the effective date between hospitals, health systems, medical schools or medical foundations, allowing these covenants to restrict the physician’s right to practice only with another such entity or foundation.

Also, these non-competes will be void and unenforceable against a physician if: (1) the employment agreement was not made in anticipation of or as part of a partnership or ownership agreement, and the agreement expires and is not renewed, unless, prior to the expiration, the employer makes a bona fide offer to renew the contract on the same or similar terms and conditions; or (2) the employer terminates the employment or contractual relationship without cause.  It’s important for employers to note that if a non-compete drafted under the new law exceeds the scope of its provisions (both the long-existing “reasonableness standard” and the new bright line rule defining the time and geographic limitation from the primary site), or if the physician’s employment or contractual relationship is terminated without cause, or the agreement expires, the non-compete will be utterly void and unenforceable.

Lastly, in order to prevail, a party seeking enforcement must prove: (1) the non-compete complies with the new statute in all respects; (2) that they have not violated its provisions; and (3) that actual damages were suffered.

With the important new requirements under this bill, effective July 1, 2016, we can’t stress enough the importance of reviewing existing physician non-competes before contracts are renewed and having counsel prepare or review non-competes for all new hires to ensure they meet the requirements of this new law.  We welcome inquiries on how we can assist.


Asset Transfers, How You Hold “Title” Really Matters


Asset transfers are made for a wide range of legitimate business, estate planning and other reasons.   How assets are titled can make all the difference between effortless, prompt transfers or having costly and often uncertain results.  In the estate planning context, it’s important to get it right before you need it.  Sometimes forms designating beneficiaries (and perhaps forgotten) or how deeds or accounts were set up will completely override what’s stated in a Will or other testamentary documents.  Lifetime transfers of business and personal assets can also be done with far greater ease when assets are properly titled, not leaving the door open for more costly delays or other unpleasant surprises.

When attorneys talk about “titling” assets, we’re talking about who the “legal owner” is.  Married couples will often own real estate as joint tenants with rights of survivorship (JTWROS).  So when a spouse passes away, title vests 100% in the surviving spouse, with ownership passing immediately to the surviving spouse.  This applies to any property, provided the property is properly titled in “survivorship”.

Alternatively, property is sometimes acquired or owned as “tenants in common” (TIC), when, for example, multiple family members or unrelated individuals own property acquired through an inheritance or for investment purposes, with each holding some specified share of the property.  Property owned as TIC is freely divisible, whereas property owned in survivorship is not.  If a TIC owner dies, their share will be transferred in accordance with their Will (or Trust, or if owned by a business, as designated in the governing documents) to the named beneficiary.  (If there is no Will or the Will is invalid, even bigger problems can arise under state intestacy laws.)  Lifetime transfers of TIC properties can pose challenges for the owners, who now hold title with who knows who – since interests are freely divisible (unless there is a first right of refusal retained by the other owners in a valid document).  Trusts (or other agreements) can also be utilized by individuals or businesses to provide more seamless transfers.

Property is sometimes held in a sole individual name.  Property owned solely or “individually” at the time of death is considered a “probate asset” requiring a court order to transfer the property, subject to a few exceptions if property is deeded through Trusts and properly recorded, etc.  After the death of a spouse, a surviving spouse who owns the property in her sole name may wish to create a trust or other testamentary instrument so that the property will not require probating and will pass directly to heirs.

Each of these types of ownership interests will have dramatically different results so how to hold title should be carefully considered.  When titled properly, real estate, bank accounts and other assets can pass immediately to co-owners, survivors and beneficiaries, after death, without the delay or the involvement of probate court.  In the estate planning context, it’s extremely important to keep in mind that how accounts are titled will override the provisions in a Will.  While there are a number of options, how to take title during lifetime ownership will depend on a variety of factors and there are instances where jointly owned accounts may not be advisable. Many people choose a transfer on death (“TOD”) designee (which works like naming a beneficiary in a Will) so the account will pass automatically to the named TOD designee unlike a joint account, which during lifetime could be accessed and completely drained by any of its owners. Joint accounts should be identified as (JTWROS) and, as noted, there are some precautions to point out as any one of the owners can access, withdraw and make decisions on the account – so care should be taken here.

Keeping in mind that named beneficiaries or a TOD election will override any provisions in a Will to the contrary, it’s extremely important to keep up-to-date records of beneficiary designations and document how accounts were set up.  Too often bank records aren’t correct, documents are lost or people forget to update beneficiary designations.  Don’t rely on bank representatives or family members to advise you.  I’ve seen situations where misinformation was provided to clients or mistakes were made by bank representatives, causing unnecessary, lengthy delays, because documents prepared long ago were not done correctly or how they were done was not understood.  This can cause assets to be transferred in ways an owner never intended.   It’s critically important to make sure there are no inconsistencies with your wishes and that documents are correctly prepared.  Otherwise, costly, unpleasant, unintended consequences can and do result. The beneficiary designation (again, properly done and documented) will prevail over any contrary provision in a Will, so care must be taken!  The assistance of qualified legal counsel is important to make sure these avoidable, unintended (and sometimes irreversible) consequences don’t occur.

Preparing documents that meet your needs and reviewing your documents every year or two (or whenever a major life change occurs) is a great way to have peace of mind and feel secure about your future.  Everyone, regardless of age, should have a Will.  Anyone who owns a business should have a Business Succession Plan, as well as a Will. Having these documents in place before they’re needed is critically important.  If something unplanned occurs, it may be too late. Many times clients believe this will be an overwhelming process and are often surprised by how easy we make this process by listening carefully and explaining options.  There is often a great sense of relief from accomplishing business succession, estate plans or just having a review or update done to confirm all is well. Regardless of age or circumstances, it’s important that documents be properly titled so they can accomplish important goals. There’s nothing worse than finding out documents you prepared some time ago may completely override what you intended.

Don’t wait – Please contact us today for assistance in reviewing your documents and goals.

At Last – Some Good News for Powers of Attorney

Did you know – until recently there was no Connecticut law requiring banks or financial institutions to accept a Power of Attorney?  Those of you who do know have likely seen first-hand the problems this caused. A new Connecticut law, at last, has come to the rescue.  (See notes below on the Adoption of the Connecticut Uniform Power of Attorney Act.)  This blog highlights the benefits of the new law and the reasons Powers of Attorney are rejected, sometimes for valid reasons, sometimes not:

Here are the top 2 reasons Powers of Attorney are rejected:

  • Drafting problems. Banks, financial institutions and others can and often do refuse to accept a Power of Attorney (POA) because it doesn’t state the specific authority for what the agent wants to do.  For instance, the agent appointed under the POA wants (often needs) to access a safe deposit box, but the document doesn’t specifically mention a safe deposit box.  Documents can be more carefully drafted to avoid these types of problems; and
  • Internal bank policies. Powers of Attorney also get rejected without any really legitimate reason other than “our policy is such and such…” and your document doesn’t meet their policy. While banks came under greater scrutiny after the 2008 Wall Street debacles (through laws like Sarbanes Oxley (SOX) and Gramm Leach Bliley (GLBA)) and some of the policies they adopted were intended to protect consumers, all too often POAs are rejected for reasons that boggle the mind.  In one instance I know of a bank rejecting a POA because it was executed more than 6 months ago. A number of other larger, well-known banks have adopted policies requiring POAs to be no more than 12 months old or they reject them.  Needless to say, this caused a lot of unnecessary turmoil.  In many instances a perfectly good POA is rejected because of these types of internal policies.

Yes, banks can and do get away with this – until very recently there was no state law requiring them to accept an otherwise perfectly valid POA. Some banks have even gone so far as to require their own forms be signed – huh, how practical is this?  It doesn’t take a rocket scientist to understand how this completely defeats the entire purpose of having these forms prepared and in the hands of those appointed before they’re actually needed.  For anyone attempting to act on behalf of a principal in a time of need, especially when the principal is incapacitated or unavailable and the agent has important duties to perform, this can be a nightmare. The result is often engaging legal counsel to fight the battle, creating a new POA (if the principal is available and competent) or, as a last resort, needing to go to probate court for a conservator to be appointed – more unnecessary expense and delay.

This new law is incredibly welcome news.  The law creates a presumption of validity for a person who accepts a POA if they believed in good faith it was validly executed. The law also limits the circumstances under which a POA can be rejected – for example, when the bank knows the POA was terminated or that it violates a state or federal law, perfectly legitimate reasons.  Also included in the new bill is a provision allowing the probate court to require the person who rejects a POA to accept it; the court can also award attorney’s fees and costs to the prevailing party – very welcome news!   (See sHB6774 for the full text of the bill – the effective date of October 15, 2015 was revised to July 1, 2016.)

If you want to avoid these costly, lengthy (often unnecessary) issues that frequently arise with some POA forms, we recommend carefully reviewing your current documents to make sure they still meet your needs with the assistance of a qualified attorney.  There are also some important new provisions in the new law that POAs should be updated to include. If you need assistance with this review, please contact me for a consultation.

(For readers of this blog unfamiliar with POAs – Powers of Attorney are created and used for a lot of different reasons, but the primary purpose is designating someone (called the agent) to legally make decisions or take actions on behalf of the principal. The powers granted can be very limited or specific, or they may be very broad. In the estate planning context, powers of attorney are often durable, meaning they survive the incapacity of the principal. Once incompetent, a person cannot enter into a new POA (or any contract, for that matter).)


PRIVACY POLICIES REQUIRED


Think it doesn’t apply to you? Connecticut’s privacy law doesn’t just apply to the highly-regulated industries we’re accustomed to hearing about – like banking, healthcare, retail, publicly-traded companies and the government sector, who’re all regulated under a variety of strict federal privacy and security laws. The Connecticut legislature (as well as many other states) saw fit to require anyone doing business in the state to safeguard personal information and requires that privacy policies be posted (see Conn. Gen. Stat. 42-471). This applies with the same force and effect to businesses both public and private. I can think of few, if any, businesses that don’t use, store, transmit or collect some type of “personal information” whether for payroll, offering health or other benefits, collecting social security numbers, conducting employment screenings, maintaining important customer and banking information – just to name a few of the areas covered by this law. Connecticut law requires more than just developing privacy policies – they must be publicly posted.

These privacy protections, much like their federal counterparts, extend to any “personally identifying information” such as a full name, social security number or address – essentially any information that either does or could reasonably lead to identifying someone. The definition of “personal information” under the Connecticut law follows the definitions of other federal and state laws to include “information capable of identifying a particular individual by one or more identifiers – name, social security number, driver’s license, account numbers, photos, biometric information, health insurance information, credit or debit card numbers” and the like. Financial institutions that have complied with the privacy and security standards required under Gramm-Leach-Bliley (15 U.S.C. 6801) will be in compliance with this Connecticut law. Healthcare providers and business associates regulated under HIPAA/HITECH regulations (45 C.F.R. Sec. 160, et seq.) that have complied with the requirements of the 2013 Final Omnibus Rule will also likely avoid trouble.

To say the least, it’s a complex area. Depending upon the context and type of information collected, used or stored, businesses may also be required to comply with a variety of other privacy laws, in addition to this Connecticut law. While there are more than 30 federal laws governing privacy, and the list is growing, below is a summary of other, key federal laws that frequently apply to businesses (and their vendors) who are using, accessing, storing or transmitting “sensitive” information:

  1. HIPAA/HITECH, which covers past, present or future physical or mental health conditions of a person;
  2. Financial information regulated under the Gramm-Leach-Bliley Act (GLBA and FMSA);
  3. Credit card payments regulated under PCI-DSS industry standards;
  4. Computer Fraud and Abuse Act (CFAA);
  5. Children’s Online Privacy Protection Act (COPPA);
  6. Federal Trade Commission Act – FTC Privacy; and
  7. Electronic Communications Privacy Act (ECPA) regulating computer crimes.

With cyber hacking and data breach incidents rising throughout the healthcare, retail, banking and government sectors, Connecticut employers and businesses who haven’t taken steps to evaluate the regulated information they use or possess, along with developing written privacy and security policies to keep “personal information” safe from misuse, are making a high-stakes gamble. Many of us who regularly work in this area know it’s really not a question of if – it’s a question of when information that wasn’t adequately protected may fall prey. Why chance what would be a costly, embarrassing event? Developing, implementing and posting privacy policies is a must.

Where do you start? For many companies, compliance with this Connecticut law (and other state and federal laws) can be accomplished by conducting security assessments, training employees on the importance of protecting data, developing and enforcing security policies – and, most importantly, posting these privacy policies. In the past year, dozens of bills have been introduced to protect consumers from the real and increasing threats of identity theft and fraud. And more are likely to follow. Those not in compliance with the important intent of this law – to safeguard personal information – face the real and ever-present risk of harm to innocent victims, significant regulatory fines or worse. Why chance it? Call us today for practical guidance on avoiding these risks.

With over a decade of experience as Legal Counsel & Chief Compliance Officer to a variety of highly-regulated industry clients, our firm has the dedication and experience to help clients assess security vulnerabilities, train employees and develop the all-important privacy and security policies needed in today’s Internet of Things world.

Please contact us today for more information. Let us know if you’d like a speaker on these important topics at your next business event.


Intellectual Property (IP) Rights – My Top 5 Tips for Protecting Your “Secret Sauce”

Intellectual property (IP) can be a complex topic and covers a lot of concepts – and it’s not just registered patents, copyrights and trademarks that need protection. Too often businesses don’t take a few preliminary steps to adequately protect important “trade secrets” and other intellectual property rights.

Here’s my top five for protecting ideas and avoiding costly problems:

1. Get a Confidentiality/Non-Disclosure Agreement (NDA) signed before you share anything. A signed NDA with all players should always be the first step in a prospective new business relationship. No business should share information with another entity or individual involving confidential or proprietary business information, methods, ideas (registered or not), formulas, trade secrets, know-how, technology, personnel and employee information, pricing formulas, or sales or marketing information without the benefit of an NDA in place. Start out right – invest in a well-written NDA.

2. If you go forward with a business relationship, be sure to include adequate protections and remedies against misuse of any confidential or proprietary information or IP rights, including provisions for recovery of damages, attorney’s fees and injunctions, in all your contracts.

3. Employees, Vendors and NDAs. In many situations signing an NDA during the pre-hiring or hiring process is an extremely good idea if employees (sub-contractors or other vendors) may have access to confidential information. If employees, vendors or others will be directly or indirectly involved in developing any intellectual property, additional agreements relinquishing rights to ideas or processes developed will go a long way to avoiding costly disputes.

4. Don’t rely on your incorporation to protect your trade-name. And do an adequate search first. Companies often go to great lengths to distinguish themselves from competitors with identifying logos and marks. The last thing a business needs is to spend the resources, financial and otherwise, to develop something close to or directly infringing on another company’s marks – only to have them shut you down by successfully prosecuting an infringement claim. When searching online state, federal and international registries, it’s really important to keep in mind that these registries are just that – registries only that do not include any common law or “unregistered” marks that may be in use by others. A search should be broad enough to cover registered and unregistered marks. A properly registered mark puts the world on notice that the mark is protected and who the rightful owner is. There are a surprising number of businesses that have never registered their marks – many are older or smaller businesses. And while they do enjoy “common law” protection for what they’re using, proving ownership in the absence of a registration is, frankly, very expensive. If the common law owner prevails (and they often do) would you be prepared to start all over and continue the business with an entirely new logo and marketing plan? Register your trademarks and logos to protect your assets. Do a search before using any logos, trade names, trademarks or service marks so you don’t invite problems.

5. Be vigilant in protecting what’s yours. There are very few businesses without IP rights to protect. For those with registered patents, copyrights and trademarks, keep an up-to-date inventory with all expiration dates and actively “monitor” whether others may be infringing. For those without formal registration protections, the same lesson holds true. It’s critically important to inventory and monitor what’s yours. Safeguard your valuable ideas – infringement claims are costly. Don’t make it easy for others to steal your ideas. Registering and monitoring marks is a smart move.


The LOI (Letter of Intent) is Binding – Really?

The Delaware Supreme Court thought so – even though most attorneys and business people who regularly draft these documents know they’re always meant to be a non-binding expression of the major deal points, to see if it makes sense to move forward with a deal and a definitive, binding agreement. LOIs almost always state that they’re non-binding, and courts in most jurisdictions seem to agree.


So what happened in the Delaware case SIGA Tech Inc. v. PharmAthene, Inc., No. 314, 2012, 67 A.3d 330, where the LOI was found binding, is worth a close look. The parties in this case first entered into a non-binding licensing agreement term sheet (LATS) for a potential licensing deal, but PharmA insisted they explore a merger first. The parties then executed a Merger Agreement, which provided that if the merger didn’t close by a certain date the parties would “negotiate in good faith with the intention of executing a definitive licensing agreement in accordance with the terms of the LATS”. The merger failed to close by the deadline. In a fortuitous turn of events for SIGA (but not so fortuitous in light of the high court’s later ruling), the National Institutes of Health (NIH) agreed to provide significant funding for a new drug, bumping the original valuation from $6mm to $40mm. SIGA refused to go forward with terms it earlier said were acceptable, and PharmA, in turn, objected, stating the terms were “radically different” from the LATS. SIGA then issued an ultimatum that PharmA negotiate “without any preconditions”. The lawsuit followed.

Even though the LOI stated it was “non-binding” (most do, to avoid potential claims, and typically only state the major deal terms), the court found the language in the earlier License Agreement Term Sheet (LATS), incorporated into the merger agreement and requiring negotiations “in good faith”, compelling. The Delaware Supreme Court upheld the lower trial court’s decision that SIGA acted in bad faith. The Supreme Court went even further, finding PharmA could recover “benefit of the bargain damages” (the value of the licensing agreement that would have been entered into but for the bad faith), holding the parties were obligated to negotiate toward a license agreement on substantially similar terms if the merger wasn’t consummated. Great result for PharmA, not so much for SIGA.

The moral of the story? Draft carefully and include the most beneficial governing law provisions. LOIs have always been drafted and understood to be a non-binding first step to determine if parties want to move forward with a deal and a definitive, binding agreement. What’s in the LOI and peripheral documents (here, express good faith language, or some other language a court may find binding and compelling enough to award damages) must be carefully considered. Whether courts outside of Delaware may follow suit, and what governing law provisions to include in the LOI, must also be carefully considered.