“FORCE MAJEURE” CLAUSES – THE PANDEMIC HIGHLIGHTS THEIR CRITICAL IMPORTANCE

What is it and why’s it so important?

Force majeure literally means “superior force”.  This term is derived from French law and refers to an event or effect that cannot be reasonably anticipated or controlled.  When used correctly, a force majeure clause in a commercial contract can provide a party (or both parties) with a legal defense to not performing their contractual obligations (or suspending performance until a later time).  

With businesses forced to close and supply chains interrupted, the current pandemic has brought to the forefront for business leaders across the country and the globe the critical importance of limiting the serious consequences of situations like the current governmental shut-downs, all of which are literally beyond their control.  Whenever there has been widespread commercial loss or business interruption, such as Sept. 11th, the devastation caused by Hurricane Katrina and now an entire world facing a global pandemic, having the right tools at your disposal is critical to every business’s survival.

What’s in a force majeure clause (or not) is very important.  Many of these clauses define the events the parties agree fall under the “umbrella” of a force majeure event, allowing a party to completely terminate performance, cancel a contract or suspend performance to a later time.  Uncontrollable events such as wars, labor stoppages, extreme weather (including hurricanes, tornadoes and volcanic eruptions, often referred to as “Acts of God”), condemnations or similar governmental declarations such as states of emergency making performance impossible are among the events commonly included in force majeure provisions.  Most commercial contracts contain these important provisions (all contracts should), but sometimes these provisions are so general, or so specific, that they cause unnecessary problems for parties wishing to enforce them, and in some instances this important provision is completely overlooked and not included in the contract.

When these provisions have been carefully drafted, they can maximize the protections afforded the parties, in effect legally excusing a party’s performance due to unexpected events beyond that party’s control.  (I point out that these provisions do not apply when a party has been negligent or lacked good faith in performing its commercial obligations – meaning what a party has the capacity to perform it’s required to perform, with “commercially reasonable” often being the test.)  When performance has been made impossible (or is not commercially reasonable, for example because it causes a party exorbitant additional costs) due to elements beyond its control, what’s in the contract – the specific contract language – becomes critically important. If the provision is too general or does not include certain “events”, it could pose a big stumbling block for the parties down the road when facing an issue such as the current pandemic.  Whether a party would be successful in utilizing such a clause depends on several things, starting with the specific language in the contract and then the applicable law: what governing law applies to the contract, what are the specifics of the contract deliverables, etc.?  Business interruption insurance may also be an available resource, but that depends on what’s covered or excluded under the policies – review policy provisions with care.

There are also several other potential remedies a party may be able to utilize in current contracts that have limited or no force majeure provision, when performance is impossible due to circumstances beyond their control.  In some instances, a party may have other relief available under the U.C.C. (Uniform Commercial Code), international codes of conduct, or other laws, to the extent those laws may apply to the particular transaction.  Our firm has had a high rate of success over the past few months terminating contracts or suspending contract performance through our negotiations resulting in clients receiving back deposits paid on commercial real estate development deals, re-negotiating lease terms and successfully revising or terminating other commercial contracts. 

Parties to commercial contracts will always be best served by customizing these critically-important force majeure clauses (as well as the other critical contract provisions) to reflect the risks, circumstances and specifics of the business transaction and specific industries involved.  We’re encouraging all businesses to review, and update, with the assistance of experienced business counsel, all currently-used standard commercial contracts, as well as more complex, customized commercial contracts to ensure the best possible protections and outcomes can be achieved in all on-going ventures and new contracts.  

We welcome your inquiries on how we can assist.

CORONAVIRUS (COVID-19) SCAMS ARE ESCALATING

Email phishing scams and social engineering are significantly on the rise!  With many Americans now working remotely from home, and with the stress of the current situation being felt in many homes and communities across the nation, cyber-criminals are busy showing their inventiveness and creativity in using the current pandemic for their gain.

In recent days, the FBI, OCR, U.S. Secret Service, the Defense Department and other officials have posted alerts warning of a significant spike in scams related to the current pandemic.

Three of the most common recent scams to be on the lookout for:

1. Fake WHO emails. Recent phishing emails from cyber-criminals posing as the WHO (World Health Organization), CDC (Center for Disease Control) and other local or state health agencies carry “news” that may seem important.  These FAKE emails contain malicious links tempting you to click; don’t.  Some are very “legitimate” looking, as nation-state and other well-heeled hackers have gotten quite sophisticated.  In recent days, many IT security experts and chief legal and data security officers, like me, have been commenting on how “good” (how “real”) some of these recent phishing emails look.  If you get something in your inbox that looks like it’s from WHO, CDC or any other regulatory agency, don’t open it.  If it’s a work email, contact your employer first.  They may advise you to delete it or capture a screen shot so they can warn other workforce members.  If you’re working remotely, take extra caution opening emails from anyone not known to you or from external sources. These “spoofers” have gotten so good that a message may seem to be internally generated by your employer, a co-worker or a governmental entity.  For many years, healthcare workers, hospitals, the defense industry and other industries have been hackers’ favorite targets, but the reach of these recent attacks goes far beyond those and is unprecedented. Every home, business and industry needs to be more vigilant. These emails often look very convincing, as if they come from legitimate governmental organizations or are internally generated by a corporate employer; they’re not.

One wrong click could take down an entire network or pose other significant financial, corporate or personal losses. 

2. Robo calls, texts and emails offering to sell you virus test kits or offering cures for a fee.  Most consumers know that virus testing is only available at certain healthcare sites in the U.S., and is not available online like this.  Many also know there is currently no vaccine or known cure. Unfortunately, that doesn’t stop the cyber-criminals, who will use many different ploys like this to prey on the hopes and fears of some in the community. Hackers are too often successful in getting vulnerable individuals and communities, or just someone not paying attention, to click a malicious link. Then it’s too late.  The results can be devastating, ranging from fraudulent charges to bank account information being compromised, identity theft, medical fraud, loss of corporate intellectual property and worse.  It’s critically important to be vigilant right now and check in with neighbors, friends, co-workers and family members who may be more vulnerable to these types of tactics threatening their personal and financial well-being.  And it’s critical for companies with remote workers to quickly take extra steps to ensure their workforce is aware of some of the newest tactics, as well as the ever-present threats.

3. Emails or calls from cyber-criminals purporting to be from local or federal health organizations warning you that someone in your community has tested positive for the virus, seeking your personal information that they would then quickly sell on the dark web, posing potentially significant privacy and financial risks.

The best way to avoid these scams is to always go directly to an official governmental website such as CDC, WHO, or other federal, state or local governmental agencies for any important updates.  And question everything before clicking or offering any information. Regulatory agencies will not contact you in this way.  And always use known, reliable news sources for keeping yourself up to date on important information affecting you and your community.  Whenever you receive an email, phone call or text requesting any personal, business, health or financial information, don’t click, don’t respond.  If you receive something through your work or personal email, take the extra few seconds: stop, don’t click.  First verify whether it’s from an internal, legitimate company source, or go to the official, external source directly to obtain the information.  Anything related to the current pandemic is fair game for these hackers; airline ticket refunds, testing kits and vaccines and the economic stimulus package are other areas where clever spammers are likely to go next.

During these challenging, unprecedented times, we wish all of our clients, friends and colleagues, continued health, safety and well-being.  By working together, we shall overcome.

_____________________________________________________________________________

Please be advised, our law firm is remote-capable at all times.  We will continue to work remotely to serve our clients during the current situation.  To protect our support staff, clients and the community, we’re following CDC guidelines and are prepared to respond to any requests, whether related to this topic or other legal needs, via email to tegan@teganblackburn.com, phone 860-651-9500 or remote video-conferencing.

______________________________________________________________________________

If you or someone you know may have been a victim, there are several resources available:  National Center for Disaster Fraud hotline 866-720-5721; email disaster@leo.gov or report it to the FBI tip line at fbi.gov.

An All Too Common Story, About How Not To Do A Succession Plan

I had coffee with a friend recently. He does commercial real estate appraisals, usually on large factories and office buildings all across New England. He told me this story about an appraisal he had just completed; he knew it would interest me.

It was a typical river town, like so many scattered throughout New England. Once a center of manufacturing and prosperity, it now sports a tired downtown and magnificent, but abandoned, brick mills crowding the banks of a river. Even the river has seen better days.

Once booming, it was all downhill from the 1920s – the advent of air-conditioning and the rise of cheap labor in the South quickly stripped away businesses that had been thriving since the Civil War. The final nails in the manufacturing coffin were the Great New England Hurricane of 1938 and the devastating floods of the mid-1950s.

By the 1970s this particular town was almost boarded up. The town is miles from any city; there were no jobs in town, and it was too far to commute. Enter two brothers. They could be twins – they’re both tall, thin, avuncular, with many laugh lines – though they are three years apart in age.

In the mid-1970s they bought – at bargain rates – a long stretch of property on the river. They knocked down the ruins that were there and built a modern, 110,000 square foot wire manufacturing plant. People not only thought they were crazy, they had no problem telling the brothers that to their faces.

But the business took off, and in short order became the largest employer in the area since the Depression era. A bit of an awakening of Main Street followed, particularly restaurants and bars.

In the mid-80s the brothers expanded, this time with the blessing and full support of the town. The town gave them property on the opposite bank of the river, where the brothers built an almost identical plant. The town voluntarily floated tax abatements, widened the roads for them, and did everything it could to ensure the brothers were comfortable and unimpeded by bureaucracy.

The company flourished and our small New England town stayed alive. There were improvements and additions and more employees and more concessions voluntarily granted by the town. Some of the boarded-up Victorians lining the hill above town were renovated, the old movie theater reopened.

By 2010 or so, it looked like another expansion was in order; the brothers hired consultants to look for properties, held talks with the town, settled on a plant design and began training employees.

Then, one bright sunny day not too long ago, the younger brother was late for work, a rare occurrence. When he finally showed up hours into the day, he went straight to his brother’s office and told him he was done. Over. Wanted out. Now.

He had had it. He demanded to be bought out for the exact amount, down to the penny, of what half the business, property, contracts, company trucks and cars, goodwill were worth. His attorney would be in contact later in the day.

And that was it. No warning, no explanation, just a demand for his money. Indeed, no explanations were ever offered.

It goes without saying that the first casualty was the expansion plans, by then in the late stages of development. It soon became apparent that the only way to pay the brother half the value of the company might involve things he’d never considered: quickly trying to find a partner he’d be able to work with to purchase his brother’s interests, major lay-offs, selling off some assets, or maybe something he’d never contemplated and couldn’t quite wrap his head around, selling the entire business and getting out altogether.  After all his years of hard work building a successful business.  Not if he could help it.  Not the desired result.  And now he’d have to hire counsel and devote a lot of time, attention and money to this latest, unexpected development, trying to find a solution in the middle of it.

There are, as one can imagine, a million issues that arose with every step they took.

All too often, new businesses (and more seasoned businesses alike) tend to put off important topics like succession planning for another day, especially as business is humming along, but in life, as in business, unexpected things happen.

The best time to plan for the future, and to have smooth transactions for preserving wealth, is at the start of the venture, not in the middle of a crisis.  Having good exit plans and buy-out strategies in place before they are needed is what often distinguishes the successful long-term ventures from the others.

The problem here is simple and widespread – the partners had never discussed anything beyond the day-to-day of running the business. Now, the entire financial future of both brothers is uncertain and an entire town quakes while it awaits what one of the brothers set in motion.

It’s National Cybersecurity Awareness Month

Ransomware.  Email phishing.  These are among today’s top cybersecurity threats.  Recognized every October, National Cybersecurity Awareness Month began as a collaborative effort between government and private industry groups to spread the word about some simple steps to protect yourself from these insidious online threats.

Malware, ransomware and online fraud have been dramatically increasing.

Cyber threats affect everyone, from individuals and private businesses to public-sector organizations and critical service providers like your local utility company and hospital.  It’s not just large organizations and the highly-publicized data breaches we keep hearing about in the news, like the major Anthem, Equifax, Yahoo and Facebook breaches. Every time you’re online, there’s a threat of being victimized, sometimes by human bad actors, sometimes by non-humans or bots, sometimes because somebody just wasn’t paying attention and opened something bad.  The single biggest cause of data breaches is that someone opened something they shouldn’t have.  Online threats are real and everywhere. And there are a few steps you can take to avoid the most common pitfalls.

Right now, the laws surrounding cybersecurity, privacy and breach notification here in the U.S. exist on a very patch-work basis across the states; some have more detailed and stringent laws than others.  And at the federal level, cybersecurity and data protection have largely been governed by industry-specific regulations, with no single federal data protection law like the General Data Protection Regulation (GDPR) enacted a few months ago in the European Union.  California and New York have also recently enacted strong data protection regulations, and more states are likely to follow suit. There’s no perfect answer to whether new cybersecurity laws here or abroad will meaningfully limit the growing number of cyberattacks.  But regardless of what legal or technical developments do or don’t occur, individuals and businesses alike can, and need to, protect themselves from these growing online threats. And if the worst were to happen, it’s important to be prepared to recover from a cyberattack as quickly and cost-effectively as possible.

Now, more than ever, it’s critical to STOP and THINK, before you CLICK.

The biggest online threats over the past few years continue to be email compromise (typically through phishing attacks) and ransomware attacks.  Not only has the number of attacks increased this past year, so has the sophistication of both human and non-human actors, with large-scale phishing attacks available at extremely low cost and ransomware available as a service (RaaS), and with the FBI reporting over 300,000 complaints to its cybercrimes unit this year alone, totaling over $800 million in losses.  Congress also reported over $300 billion in losses nationally due to cyber theft just this past year.  More than ever, every U.S. business and individual with internet access needs to know what they can do to avoid these growing online threats.

Anyone can be a victim of online crime, with devastating personal, financial or commercial consequences: identity theft, stolen personal, health or other confidential information, and disruption (or in some instances locking-down) of computers or entire network infrastructures, in some instances requiring expensive breach notifications with business reputations at stake.  The single biggest cause of a cyberattack is that someone clicked something they shouldn’t have.

While this blog isn’t intended as a definitive answer-all to cybersecurity, there are a few common-sense rules every internet user should keep in mind to avoid the most common pitfalls when online.  Take a minute before you open it. Keep security programs and patches up to date. Use encryption, secure password logons and passphrases and multi-factor authentication whenever possible, and change passwords regularly.  Public or shared Wi-Fi should be avoided.  For businesses, training everyone in your organization on best practices to protect the privacy and security of your network and customers is not only a great idea; many times it’s a regulatory mandate. Most of these problems occur because of a poor understanding of how computers work or of good computer hygiene, not understanding how attacks occur, not knowing or understanding the ethical or regulatory rules, or visiting a site that’s infected or opening a link that, well, was probably obvious, but someone hadn’t taken a moment to stop and question the source before opening it. All too often, if someone had taken a moment to stop and think before clicking, the problem could have been avoided.

Email phishing and ransomware attacks have become increasingly pervasive problems in many industries, with healthcare, technology, financial and government sector organizations among hackers’ favorites.  But individuals and small businesses have also increasingly been targeted by ransomware, resulting in a computer being “locked” until the “ransom” is paid.  And there’s no guarantee the data will even be there, or be uncorrupted, if you do pay the ransom. The FBI recommends not paying the ransom, to deter crime.

What would you do if you were hit with ransomware?  It’s important to know the answer, and what your legal and ethical obligations are if you have regulated personal, health or other confidential information on your system or device.  (Please visit our earlier blog, “You’ve Been Hit with Ransomware, Now What? And Do You Have a Duty to Report?”) So, whether you’re a small business owner, a large, highly-regulated organization or an individual using a home computer, there’s a lot you can, and should, do to help avoid these costly, pervasive problems.

Recognizing the problem is the most important part of fighting the problem.  So, before you open it, STOP & THINK, before you CLICK.   Many of these problems can be avoided.

__________________________________________________________________________

This blog is not, and is not intended as, legal advice.  The information provided is a general overview of the topic only, and an attorney should be consulted for advice on any specific issues.

The author is legal counsel and chief data protection officer to a number of highly-regulated industry clients and frequently writes and speaks on privacy and data security issues.

If you’d like more information on this topic and what you can do to avoid these ever-growing online threats, we’d be glad to help you design and implement a privacy and information security awareness program at your organization.


GDPR: What Businesses (and Consumers) Need to Know:

The European Union’s sweeping new privacy regulation General Data Protection Regulation (GDPR) just went into effect, May 25, 2018.

Considered by many to be the most important development in data privacy in decades, GDPR heightens and standardizes data protection requirements across all EU member states, applying to anyone doing business in the EU that involves using or sharing the personal data of any EU resident.  This new law has been several years in the making and provides far stricter rules on protecting personal information (PI and PII) than any of its American counterparts such as HIPAA, GLB, SOX or other U.S. data protection laws, which typically regulate “industry specific data” such as patient information or financial data rather than being one very broad law applying to all residents.

While this new law doesn’t “technically” regulate activities with U.S. consumers, everyone in the U.S. is expected to benefit from these sweeping new regulations imposed on global providers such as Facebook, Google, Twitter and many other well-known and lesser-known businesses that use, access or share the personal data of anyone residing in one of the EU’s 28 member states – that covers a whole lot of businesses and business activities here and abroad.  Many of these types of more comprehensive data protection laws have been circulating around D.C. for years without adoption, and a number of U.S. states have taken the initiative to enact tougher privacy, security and data breach notification laws than some of their federal counterparts. This new E.U. law is expected to provide better data protection and transparency across the globe.

As a result of this new law, decision-makers, C-suites and boards of directors across America and the globe have been evaluating and putting into place the required new privacy policies for better security, transparency and accountability, including provisions allowing consumers to choose how their personal information is or is not used or shared.  We’ve all been seeing our inboxes filling up lately with notices from all the big providers like Google, Facebook, Twitter and others with a global presence updating their privacy policies.  This isn’t due to the big Facebook Cambridge Analytica debacle, or an attempt to save face or generate goodwill – for them it’s required by GDPR, though the recent Facebook situation certainly highlighted the need for change.

Any businesses with strict, robust HIPAA compliance programs protecting regulated patient data (or similar compliance programs) already in place will be steps ahead of their counterparts in meeting the sweeping, new compliance requirements for any EU activities.  In the area of data security and compliance it’s always a pay-now or pay-later situation.

Businesses that haven’t yet fully complied with data protection requirements risk significant consequences.  Those of us who work in this field know, and often say, “It’s not a question of IF – it’s a question of WHEN” a data security incident or compromise may occur – even for those who have fully complied with data protection laws.  And it’s critically important for businesses to meet all the requirements, and not skip steps or delay completing them, as non-compliance or partial compliance is what gets most into trouble.  There are just too many bad things out there on the Internet, with new variants popping up every day, for anyone to think they can’t be compromised.  And the consequences of non-compliance with this new EU law are significant – far more significant than under their U.S. counterparts – allowing regulators to impose fines of 4% of worldwide revenue, or 20 million dollars, whichever is greater, unlike the now more reasonable-seeming penalties for non-compliance under HIPAA, which, depending upon culpability, are up to 1.5 million per violation.

A few other important, distinguishing features of this new law include the obligation to appoint a Data Protection Officer, who must be an expert in data protection law.  HIPAA and other similar U.S. regulations have similar concepts requiring the appointment of compliance officers to ensure compliance and security. The new EU law also specifically allows affected individuals to make claims directly against providers, which is not the case under many U.S. federal regulations.  Another extremely important difference in this EU law is the far stricter breach notification standard of 72 hours, as opposed to the general concept under many U.S. laws requiring breach notification within a “reasonable time”, often interpreted to mean 30-60 days depending upon the situation and jurisdiction, and varying widely from state to state.

Data protection is one of the single most urgent challenges facing businesses here and across the globe.  According to a recent report by Reuters, many U.S. businesses are still struggling to understand the implications of their data privacy and protection obligations.  This isn’t necessary, and it’s not difficult; it just requires the time and commitment to understand the rules and put the right resources in place.  Those who don’t protect customer data sufficiently will not only jeopardize their reputations; these high levels of fines are designed to send a message, a strong message, and some businesses will not survive.  Those who don’t get up to speed with implementing the requirements of GDPR, or who fail to fully comply with other data protection laws here in the U.S., will learn pretty quickly the true costs and consequences of putting it off for another day.

The most effective strategy for protecting personal information and combating cyberattack is understanding the rules that apply to your organization, and then implementing and enforcing the required policies and procedures.  The bad guys are just one untrained, gullible user away from a full-on, all-out intrusion.  And these laws aren’t really as much about technology as how the technology is used and require adequate, additional protections to be in place – physical, administrative and organization-wide, in addition to sufficient technology safeguards.

Many U.S. data protection regulations, such as HIPAA, have other important requirements like security awareness training for all workforce members, as failing to train employees and test their understanding and knowledge of vulnerabilities and threats is cited as the single biggest factor in most successful data intrusions.  Hospitals, banks and other highly-regulated businesses are among hackers’ favorites for their treasure troves of valuable PII and PHI – so any business entity using, storing or transmitting this type of highly-protected information needs to take all the required actions – and take them seriously, as penalties for skipping steps are costly and often lead to problems.  Costly, completely avoidable problems.

For American businesses, this is an excellent opportunity to evaluate what’s needed to protect yourself and your customers and stay a step or two ahead of the bad guys.  Consumers around the globe are expected to benefit from GDPR.  And many more comprehensive data protection laws should be forthcoming here and abroad.  All businesses large and small, have the obligation to protect personal data and must take adequate steps.  There’s too much at stake. One wrong click is all it takes.

______________________________________________________________________

Disclaimer.   While Attorney Tegan Blackburn frequently acts as counsel and compliance officer to a number of highly-regulated entities, this article is intended to provide a broad overview of the topic only, is not legal advice and is not a replacement for advice from qualified legal counsel.

______________________________________________________________________

All Rights Reserved.  Tegan Blackburn LLC ©

Think you have a legitimate claim? Why proving damages is essential.

In the business world (and elsewhere), disputes happen all the time and for a wide variety of reasons.

Somebody did somebody wrong, and in the commercial contracting world, that means somebody needs to pay.

But first things first.  Are the contract terms clear and unambiguous? If so, you’re off to a good start.  But all too often, contract terms aren’t as clearly spelled out as they should be – leaving the door open to one or more of the parties having different views of what the contract requires.  This always spells trouble.

Let’s assume you’ve got a binding, enforceable contract (sometimes this is also disputed) and can establish the other party failed to perform their obligations. You’ve made it past the first big hurdles, but then you’ve got to prove what’s often the most important and difficult part of your case  –  what damages resulted from the breach?

Proving damages is essential; otherwise you could walk away the “winner” without having much to show for it – this is true whether the case proceeds to trial or is resolved in earlier settlement stages. Either way, not a good result. Without convincing, legally-admissible evidence of damages, getting a good result isn’t likely; and if settlement negotiations fail and the matter proceeds to court without sufficient evidence of damages, there won’t be a good result there either.  The party who “wins” the case is never the one who’s pounding the table the loudest; it’s always the one who’s best prepared with legally-admissible evidence demonstrating all the important aspects of the case – showing there’s a valid contract, how it was breached and how the non-breaching party was commercially harmed.

Once you’ve cleared the first big hurdles – establishing a clear, enforceable contract and how the other party breached it – comes the hardest part: proving damages.  And, of course, the devil is always in the details.

Only after all these elements are met is a party likely to be awarded damages. Proving the damages component of any case is often the most important and difficult part of the case.  It might be easy enough to show the other party is the bad guy who breached the contract, but without sufficient, reliable evidence showing the damages resulting from the breach, a party might be the prevailing party (the “winner” in the case) yet not be awarded much. And in most commercial contracts there’s a “prevailing party” provision, so the winner can also be awarded their attorney’s fees and costs.  A little extra incentive to win, but counter-claims are often raised and there isn’t always a clear winner.  The discovery phases of cases and testimony from parties can also raise other tricky issues.  And in any formal court proceeding, one thing is certain: it’s going to be a long, expensive road to an uncertain result.

Good results come from good preparation.  When disputes arise, parties shouldn’t delay contacting legal counsel, who can evaluate claims before long, expensive, contentious proceedings are instituted.  The likelihood of recovering damages and what’s required to prove the case must be carefully considered; only then can decisions be made on the best way to proceed, whether through settlement negotiations, mediation or other alternative dispute resolution avenues, before lawsuits are filed.  Evidence and potential testimony proving the case must be gathered and evaluated – proving damages means no speculative or convoluted damages theories, no hearsay, and no subjective opinions or guesses, just the plain, hard facts: admissible evidence showing the damages resulting from the breach.

The best contracts clearly spell out all the performance terms, including the all-important who’s required to do what, payment terms, what constitutes a default and how a party might cure a default – along with a lot of other important considerations such as additional damages or remedies a party may be entitled to.  Just as importantly, attorneys can often use well-drafted contracts to bolster their client’s position in negotiating settlements, often without instituting legal proceedings.

One of the biggest things that gets parties in trouble is “borrowing” provisions from other contracts they’ve used or found online, covering only the most basic contract provisions or terms that aren’t really relevant to the transaction.  Some of these “form contracts” may sound “legalistically good” to an inexperienced business person.  But, all too often in these situations, important provisions are completely left out or are so poorly drafted that they leave the door open to a lot of contentious back and forth on what the provisions mean after the contract’s signed.  And most commercial transactions have their own blend of unique, important issues that must be carefully considered.

Whether the stakes are high or not, a well-qualified attorney should be called on (preferably before signing on the dotted line), not only for their legal expertise, but also for the practical experience handling the kind of issues involved, to advise clients on the best way to proceed when issues arise, including how likely they are to recover damages.  I often tell my clients the best contract is the one they’ll never need to call me on after they’ve signed it, because it’s well drafted and the parties fully performed.  But things happen, and if problems develop, the starting point is the contract terms.  When contracts are well drafted, there’s a lot less fighting over what something meant.  When provisions are thoughtfully negotiated and drafted, reaching a fast, effective resolution is far more likely (and at far lower cost than the more traditional “fight it out in court” approach, where only one person wearing the black robe will decide the outcome).

Good results come from good preparation and clear contracts.  And when disputes arise, we work quickly to gather the best evidence for negotiating fast, effective results; in many instances formal legal proceedings can be completely avoided – often because the contract’s clear and the evidence trail is good enough and substantial enough to prove our client’s point.


Inc. or LLC? New Limited Liability Company Act a Good Choice For Many

Our blog today highlights important changes to Connecticut’s Limited Liability Company Act.  (This new law, effective July 1, 2017, adopts many provisions of the Uniform Limited Liability Company Act followed in other states and received strong support from the American and Connecticut Bar Associations.)  This new law provides additional flexibility and clarity to business owners and managers, and the LLC may be the ideal business structure for many doing business here in Connecticut.

The efforts behind the new Act were driven by a desire for Connecticut to become more “business friendly” and to encourage more businesses to form their LLCs here and remain in Connecticut. This new Act provides LLCs with greater flexibility to customize their Operating Agreements (the key governing document) to fit their circumstances.  It also provides greater clarity for attorneys drafting these agreements and for courts interpreting provisions when there’s a dispute. A major change for small businesses is clearer default rules for those without written operating agreements. This is always an important topic when counseling our new business clients: all statutory requirements must be met. Otherwise, owners run the risk of claims against their personal assets!

The Act itself is rather lengthy, but new, major provisions include:

  1. Provides more detail about fiduciary duties and about charging orders against Members in debt collection.
  2. Changes when a Member (owner) can bind the LLC as an agent.
  3. Adds new provisions on derivative actions by a Member.
  4. Changes the rules regarding mergers between Connecticut LLCs, including mergers with foreign LLCs, and adds provisions governing interest exchanges. The new Act’s requirements for the plan of merger are similar to those in current law.
  5. Changes terminology from “Articles of Organization” to “Certificate of Organization.”
  6. Allows far more flexibility in drafting Operating Agreements, but may not, as one would expect, authorize any unlawful or bad faith conduct.
  7. Provides that Members are no longer agents of an LLC solely because they are a Member.
  8. Changes the provisions of the former Act under which a Member or other person entitled to a distribution becomes a creditor. Under the new Act, the LLC’s obligation to make a distribution can be offset by amounts the recipient owes the LLC.
  9. Requires unanimous Member approval for amendments to the Certificate of Organization or Operating Agreement, and extends supermajority voting requirements to approval of any act outside the LLC’s ordinary course of activities. The Act also allows Members to vote without a meeting, and Members may appoint a proxy or agent.
  10. Imposes a duty to reimburse a Member or a manager for any payment made by the Member or manager in the course of doing business on behalf of the LLC, if the Member or manager complied with the Act’s provisions on voting and the duty of loyalty. Similarly, the Act allows an LLC to indemnify and hold harmless someone for acting as a Member or manager, as long as liability is not based on breaching duties regarding distributions, voting, or the duty of care or loyalty to the LLC. It extends these provisions to officers. The Act requires an LLC to indemnify a person who was successful in defending a proceeding with respect to a claim or demand based on the person’s capacity as a Member, manager, or officer.

______________________________________________________________________________

Connecticut is now the 14th state to enact the most recent version of the Uniform Act, which is expected to give businesses better clarity in running their day-to-day operations and to give courts more consistency in interpreting the Act’s provisions.  As far as reaching the desired result of a friendlier business environment for Connecticut, the jury’s still out.  Following the statutory rules, so companies can enjoy the protections LLCs provide, of course, remains critically important.

________________________________________________________________________

For over 2 decades, our firm has focused on advising both more sophisticated, nationally-based businesses and smaller, local start-up companies, assisting clients with a wide range of legal matters such as guidance on forming LLCs and corporations, resolving contract and other business disputes, business combinations, mergers, acquisitions, and compliance issues such as responding to regulatory inquiries and data breaches, along with many of the other issues arising in today’s increasingly complex business world.

________________________________________________________________________________

We recommend that new businesses consider LLCs for the flexibility and increased clarity available under the new law, and that existing LLC governing documents be reviewed by well-qualified business counsel.  We welcome your inquiries on how we can help with this or other general business law topics.

CONNECTICUT STATE CONTRACTORS – NEW DATA BREACH LAW

Our blog this month highlights some important changes to Connecticut’s data breach notification statute, with important new security requirements for anyone doing business with the state (Public Act No. 15-142, “An Act Improving Data Security and Agency Effectiveness,” the “Act”). State contractors must comply with this new law by October 1, 2017. The Act includes some important new requirements and a few modifications to existing laws regulating personal information.  These comprehensive new security requirements include mandatory security training, certifications and agency oversight. (See What’s Required of State Contractors below.)

Briefly, the Act will:

  • impose extensive new security requirements on contractors that provide goods or services to the State of Connecticut;
  • require health insurers and certain other entities subject to the jurisdiction of the Department of Insurance to implement a comprehensive information security program;
  • modify the existing Connecticut breach notification law;
  • address state agency data security and data exchange practices; and
  • add new security requirements for smartphones sold to Connecticut purchasers.

This new law applies to all state contractors, health insurers and entities subject to Department of Insurance oversight that may have access to personal, health or other confidential information.

What’s Required of State Contractors?

In every agreement where a state contracting agency may need to share personal information (PII), protected health information (PHI) or other confidential information (CI) with a contractor, the contractor must:

  1. take precautions to prevent a data breach;
  2. implement and maintain a comprehensive data security program to protect confidential information provided by a state agency;
  3. limit access to confidential information only as necessary to complete the contracted services;
  4. maintain confidential information only on secured servers or devices; and
  5. alert both the state contracting agency and the CT Attorney General of an actual or suspected data breach.

Contractors are required to have a data security program including:

  1. security policies for all employees to protect any personal, health or confidential information accessed, used, stored or transported;
  2. reasonable restrictions on accessing confidential information;
  3. evaluation and updating of policies and security measures at least once annually; and
  4. security awareness training, provided by the state contracting agency, for all employees with access to confidential information.

Important New Requirements for Security Breach Notifications

Many other federal and state laws already require many of the security protections this new law imposes; however, not all of these laws are consistent, and this law is intended to provide additional protections to state residents as well as clearer breach notification requirements.

Data breach notification under this new law requires:

  • Notices must be provided to consumers no later than 90 days after discovering a breach, unless a shorter notice period is required under federal law;
  • Notices must include an offer of identity theft prevention and, if applicable, identity theft mitigation services to affected residents, at no cost to those residents, for at least one year; and
  • The consumer notification must also include information about how to enroll in the service and how to place a credit freeze on their credit file.

Comprehensive Information Security Program:

By October 1, 2017, any person or entity subject to the Act must have a comprehensive information security program in place to safeguard the PII, PHI or CI of insureds or enrollees. Also, each company must certify annually to the Insurance Department that it maintains a program in compliance with the Act. The Attorney General and Insurance Commissioner will have oversight authority under the new law and may also request a copy of a company’s program to determine compliance.

The program requirements apply to every:

  1. health insurer, HMO, and other entity licensed to write health insurance in CT;
  2. pharmacy benefits manager;
  3. third-party administrator that administers health benefits; and
  4. utilization review company.

Just like many of its federal counterparts, such as health and finance laws like HIPAA and GLBA, each Security Program must be reviewed at least once annually, be in writing and include appropriate administrative, technical, and physical safeguards to protect data.

Of note is the additional provision prohibiting the sale of new smartphone models in CT unless the phone has hardware or software that enables an authorized user to disable the smartphone’s essential features.

Lastly, and very importantly, the Attorney General has the authority to investigate potential violations by State contractors and to bring civil actions for violations.  So compliance and enforcement must be taken seriously.  The Act also empowers the Department of Insurance to enforce the information security program requirements for health insurers and other entities subject to the information security requirements. The State Department of Education can ban a contractor from receiving access to education records for up to five years if a breach involves the contractor’s access to education records.

_______________________________________________________________________________

In addition to our firm’s general counsel services advising diverse industry clients on a wide range of day-to-day legal and business matters, we have extensive expertise advising clients on best practices for avoiding cyber threats; and if the worst should occur, we have extensive, hands-on experience guiding clients through the critical steps that must be taken to respond to security incidents and data breaches.  We welcome your inquiries on this important subject and on how our firm can help you avoid these risks.

You’ve been hit with Ransomware – Now what?

You’ve been hit with Ransomware – Now what? And is it a reportable breach?

Well, that depends.  Given the dramatic rise in ransomware attacks recently, many regulators have issued formal guidance that it’s presumed a reportable breach.  That is, unless you can prove otherwise – prove being the operative word here. If you haven’t taken a look at our blog post, below, on the “Alarming Increase of Ransomware” and what you can do to avoid it, please take a moment to review our important recommendations.

To determine if a ransomware attack is a reportable breach under privacy and security laws such as the HIPAA/HITECH Privacy and Security Rules and other consumer protection laws, we have to start with how a breach is defined.  Under HIPAA, a breach is defined as the unauthorized or impermissible “acquisition, use or disclosure” of protected health information (“PHI”) which compromises the privacy or security of the protected information.  Many other privacy and security laws governing protected information have similar definitions that boil down to whether or not personal, health or other confidential information (“PII”, “PHI”, ePHI or “CI”) was compromised or compromise would be likely.

There are now at least 200 different “families” (variants) of ransomware, some more sophisticated than others. The most commonly used ransomware “wraps” encryption over data, locking users out of infected devices or networks (through a locking mechanism the attacker controls).  An attack doesn’t necessarily mean that confidential data has been accessed, used or viewed, but an analysis is required by many federal and state privacy and security laws, and you don’t want to get it wrong.  And there’s newer ransomware out there that’s doing more than just encrypting: it’s pulling information such as the number of records encrypted, or other information, so the attackers can charge a higher ransom.

THIS IS NOT A SCREEN YOU WANT TO SEE!

[Image: ransomware lock screen reading “your computer has been encrypted”]

If you visit the websites of many federal and state regulators, including HHS, OCR and the FBI, you’ll see just how serious and prevalent this problem is. Attackers especially like targeting hospitals, government agencies and others with critical or sensitive information, and many are using newer versions of ransomware – hybrid ransomware, which infects a system but stays quiet behind the scenes, loading other malware that allows data to be viewed or accessed by other third parties.  Cyber thieves are known to advertise on the Dark Web, auctioning off information and access to the highest bidder (in the same way pools of stolen credit card information are illegally auctioned off to the highest bidder).  By providing access to confidential data to other unauthorized users, the definition of breach is met.  In guidance released late last year, HHS announced that “the presence of any ransomware (or any malware for that matter) on a covered entity’s or business associate’s computer is a Security Incident under the HIPAA rules, and therefore, requires prompt investigation, remediation and possible notification.  Once the ransomware is detected, the affected entity must promptly initiate the required security analysis and reporting procedures. See 45 C.F.R. 164.308(a)(6).”  Whether or not the presence of ransomware would be a reportable breach under HIPAA or other security laws is a fact-specific question.  Know what’s required!

Which begs the question – how does an organization prove protected confidential data wasn’t improperly used or compromised?  (Or whether it was and must be reported!) It may not be fast or easy, but it’s in an organization’s interests to quickly take steps to determine (and document) its findings.  In its recent Guidance, HHS has taken the position that unless the affected entity can demonstrate that there is a “… low probability that PHI has been compromised”, based on the HIPAA Breach Notification Rule factors, a breach is presumed.  If other types of regulated personal data are potentially at risk and it can be established (and documented in a justifiable, reasonable way) that the ransomware only wrapped or encrypted data and the data was never viewed, used, accessed or moved off servers or devices, it may not be a reportable breach, but you have to get it right. (The exact type and variant of malware, any exfiltration attempts and other information are critical to verify.)

The affected entity should immediately put its Incident Response Plan into action.  (Let’s hope there is an Incident Response Plan, as this isn’t the ideal time to try to figure it out.  And I’d like to point out that everyone regulated under HIPAA and many other similar laws is required by law to have an incident response plan and to have other security steps in place, such as training all workforce members annually.  Big fines will be coming to those who don’t take this seriously and don’t have legally compliant plans in place.)  Besides the many smart business reasons to establish an incident response plan, many federal and state laws require it.

Ransomware attacks in the healthcare sector in particular, and on other organizations holding confidential data, are becoming much more common and sophisticated.  The consequences of a ransomware attack on the delivery of healthcare and other critical systems are staggering – computer networks and devices are immediately locked down, preventing access to data and systems, with potentially catastrophic results.  It’s critical to respond quickly when a suspected or known security incident occurs.  And if it’s a ransomware attack, the consequences will be immediate!

Training employees on what to look out for is critical – and required!
Defending against security risks must be a top priority for every organization.  HIPAA and other similar laws require ALL workforce personnel with access to systems and data to be trained at least once annually.  This is the first thing regulators will look at and the best way to avoid attacks.  If training is deficient, or all workforce members aren’t being trained annually, then big fines and other sanctions will be imposed.  Proper training is the single most important part of protecting your organization from ransomware and similar cyber threats – make sure every person with access to a computer system or device is trained on what to look out for!  Most security incidents are avoidable and result from the “human factor”: someone opening something, clicking without thinking, and now it’s too late – systems and data are compromised or worse. Preventing attacks is a far better way to go, and a far less costly proposition, than reacting after an attack occurs.  I’d also like to point out that if you elect to pay the ransom, there’s no guarantee the data will be there or won’t be compromised.  The FBI and many other regulators recommend not paying ransom to hackers, as a disincentive to the huge number of attacks occurring, and give the same caution we do that the data may not be there even after you pay up.  There’s no guarantee.  Following the advice we’ve outlined for avoiding the problem in the first place, and having a back-up plan ready just in case (see our July, 2016 Client Alert), is a far safer, better way to go.

______________________________________________________________________________

In addition to acting as general counsel and compliance officer to diverse business organizations, we’re frequently called on to advise clients regulated under HIPAA/HITECH laws on the best ways to assess risks and ensure compliance; and if the worst should happen, how to respond.  We welcome your inquiries on our general business and corporate legal services, and would be glad to speak with you specifically about how we can help your organization avoid these costly, disruptive problems.

Tegan Blackburn LLC  |  www.teganblackburn.com  |  All Rights Reserved.

National Cyber Security Awareness Month

National Cyber Security Awareness Month, recognized every October, is a collaborative effort between government and industry to ensure everyone has the resources to stay safe online.  Now marking its 6th anniversary, and with more and more sophisticated cyber crime attacks affecting individuals and organizations of all sizes, from large to small – Be Cyber Savvy.  Cyber crime affects us all, not just the highly publicized targets we keep hearing about.  Learn what you can do, and STOP and THINK before you CLICK.

Anyone can be a victim of cyber crime, which can result in stolen IP, theft of personal information, and disruption of computer systems and critical services; not to mention the high costs of responding to incidents and the ransom demands made by cyber criminals who’ve locked down your computer or network until you pay up.  Ransomware attacks alone (those that are known and reported) have greatly increased in number and sophistication this past year, with some 200 new types of ransomware now lurking online. The FBI reported 300,000 complaints to its cyber crimes unit this year, totaling over $800 million in losses.  Congress reported $300 billion in losses nationally due to cyber theft this past year.  Every U.S. business and individual with a device and online access needs to keep up with what’s going on in cyberspace and the latest threats, from ransomware to spear phishing – and learn what you can do to stay safe online.

Recognizing the problem is the most important part of fighting the problem.  So before you open it, STOP & THINK before you CLICK. If you’re in a leadership role in a public or private organization and would like more information on what you can do to avoid these ever-present threats, we’d be glad to help you adopt the right employee awareness training and risk management techniques to keep your organization ahead of these costly, unnecessary problems.  It’s imperative that organizations keep themselves abreast of developments in cyberspace and establish suitable defenses.  Have you taken the right steps to protect yourself?