CLIENT ALERT – NEW CORPORATE TRANSPARENCY ACT REQUIREMENTS

Important, recent federal legislation primarily impacting smaller businesses, summarized below, requires entities meeting the “reporting criteria” to submit a Beneficial Ownership Information (BOI) Report to the U.S. Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) by January 1, 2025.

This new Corporate Transparency Act (CTA) requires many privately-held corporations, LLCS and other business entities to disclose information about their owners so as to increase transparency, prevent money-laundering or other illegal activities.  After the initial filing, additional filings are usually not necessary unless to update or correct information.

CTA imposes these reporting obligations on domestic and foreign entities within the scope of “reporting company” under the statute.  Unless exempt, entities are required to file a Beneficial Ownership Information (BOI) report with the U.S. Department of Treasury Financial Crimes Enforcement Network (FinCEN). The reporting system can be accessed here: https://boiefiling.fincen.gov/.   

This law largely impacts smaller and unregulated entities. “Large operating companies” those with more than 20 full-time employees that maintain an operating presence in the U.S. and have filed a prior, federal tax return reporting 5MM or more in gross receipts or sales are exempt.   There are exemptions for other entities such as non-profits, banks and other financial institutions that are already highly-regulated.  

Reporting companies must provide legal names and trademarks, as well as current U.S. addresses, which could be either the address of the main business site or, for foreign-based companies, their U.S. operational location. Companies will also need to provide a taxpayer identification number and specify the jurisdiction where formed or registered.  Companies that don’t comply by the filing deadline could face fines of up $500/day or criminal sanctions. 

We encourage our small business clients, subject to this new law, to file a BOI before the year-end filing deadline and to contact us if there are any questions.

“FORCE MAJEURE” CLAUSES – THE PANDEMIC HIGHLIGHTS ITS CRITICAL IMPORTANCE

What is it and why’s it so important?

Force majeure literally means “superior force”.  This term is derived from French law and refers to an event or effect that cannot be reasonably anticipated or controlled.  When used correctly, a force majeure clause in a commercial contract can provide a party (or both parties) with a legal defense to not performing their contractual obligations (or suspending performance until a later time).  

The current pandemic has brought to the forefront of business leaders throughout the country and throughout the globe, with businesses forced to close and supply chains interrupted, the critical importance of limiting serious consequences of situations like the current governmental shut-downs across the globe. All of which are literally beyond their control.  Whenever there’s been wide-spread commercial loss or business interruption, such as Sept. 11th, the devastation caused by Hurricane Katrina and now with the entire world facing a global pandemic having the right tools at your disposal is critical to every business’ survival.

What’s in a force majeure clause (or not) is very important.  Many of these clauses will define the events the parties agree fall under the “umbrella” of a force majeure event allowing a party to completely terminate performance, cancel a contract or suspend performance to a later time.  Uncontrollable events such as wars, labor stoppages, extreme weather, including hurricanes, tornadoes, volcanic eruptions, often referred to “Acts of God”, condemnations or similar governmental declarations such as states of emergency making performance impossible are among events commonly included in force majeure provisions.  Most commercial contracts contain these important provisions (all contracts should) but sometimes these provisions are too general or so specific they can cause parties wishing to enforce them with unnecessary problems, or in some instances this important provision is completely overlooked and not included in the contract.

When these provisions have been carefully drafted, it can maximize the protections afforded parties, in effect, legally excusing a party’s performance due to unexpected events beyond that party’s control.  (I point out that these provisions do not apply when a party has been negligent or lacked good faith in performing its commercial obligations – meaning what a party has the capacity to perform it’s required to perform (within the bounds of “commercially reasonable” is often the test) and when performance has been made impossible (or is not commercially reasonable causing a party exorbitant additional costs for example) due to elements beyond its control – what’s in the contract, the specific contract language, becomes critically important. If the provision is too general or does not include certain “events”, it could pose a big stumbling blocks for the parties down the road facing an issue such as the current pandemic.  Whether a party would be successful in utilizing such a clause depends on several things, starting with the specific language in the contract, and then the applicable law – what governing law applies to the contract, what are the specifics of the contract deliverables, etc.?  Business insurance due to business interruption may be also be an available resource, but depends on what’s covered or excluded from the policies – review policy provisions with care.

There are also several other potential remedies a party may be able to utilize in current contracts that have limited or no force majeure provision, when performance is impossible due to circumstances beyond their control.  In some instances, a party may have other relief available under the U.C.C. (Uniform Commercial Code), international codes of conduct, or other laws, to the extent those laws may apply to the particular transaction.  Our firm has had a high rate of success over the past few months terminating contracts or suspending contract performance through our negotiations resulting in clients receiving back deposits paid on commercial real estate development deals, re-negotiating lease terms and successfully revising or terminating other commercial contracts. 

Parties to commercial contracts will always be best served by customizing these critically-important force majeure clauses (as well as the other critical contract provisions) to reflect the risks, circumstances and specifics of the business transaction and specific industries involved.  We’re encouraging all businesses to review, and update, with the assistance of experienced business counsel, all currently-used standard commercial contracts, as well as more complex, customized commercial contracts to ensure the best possible protections and outcomes can be achieved in all on-going ventures and new contracts.  

We welcome your inquires on how we can assist.

An Entrepreneur’s Journey, through Silicon Valley

Silicon Valley has been in the news a lot lately.  And will continue to be.  The critically important privacy and data security issues going on with Facebook and elsewhere aren’t going away any time soon.  Regardless of which side of the “regulate them more heavily or not” you’re on, every U.S. business and consumer can and should be taking to steps, every day, to protect themselves from the ever-present online threats, which brings me to today’s subject, the journey entrepreneurs embark on.  The award-winning HBO Series, “Silicon Valley”, beautifully demonstrates it all, the good, the bad, the ugly.

When asked about what I do, I tend to go through the list – primarily outside general counsel, also chief compliance officer, to a variety of privately-owned companies from tech companies to software developers, healthcare providers, architectural firms, real estate developers, retailers, restaurants, breweries, CPA firms, and others; trusted, “go to” legal advisor to start-up ventures and more mature, national enterprises for the last two decades.  Doing deals here on the east coast and throughout Silicon Valley.

On any given day, it’s often so wide ranging, it isn’t given to short synopsis.  But, my experience working alongside business leaders has been humorously, surprisingly realistically portrayed in the critically acclaimed HBO series Silicon Valley – a show about a few techie guys starting out in a garage with an idea that could revolutionize how we communicate online, (sound familiar?).

There’s really no short hand way to explain what I do on any given day, but odds are it’s perfectly encapsulated in any given episode of Silicon Valley. If there was a short way to explain pretty much what I do in my law practice, the Silicon Valley series, depicts it all, perfectly setting the stage for what riding the wave called “entrepreneurship” is really all about.  One day closing a time-sensitive buyout of a client’s software company and the next responding to a federal trademark infringement claim for a new business owner, who didn’t get counsel before going to market arousing the unwanted attention of a big, internationally-recognized brand.

If you haven’t seen it, the series revolves around the fictional Silicon Valley company “Pied Piper” a company with a world changing idea, but little else.   

“Silicon Valley”

They wouldn’t have made it past season one, episode one – it just started its fifth season if the fumbling company’s founders hadn’t decided to go it alone, not hire legal counsel (or any other advisors for that matter) and so entertainingly depicting everything that can and probably will happen at some point over the life of a business, certainly almost everything that can go wrong, because of that all important first decision .

Like many businesses, real or fictional, Pied Piper developed a product with great potential and, well of course, money’s in short supply. While most of the CEOs and other business people I work with in my real day job are incredibly professional and good at what they do, not everyone we encounter knows what they’re doing or wants to play by the rules (short hand for not really legal or ethical).  Sometimes new businesses who don’t have counsel or aren’t savvy enough to avoid unscrupulous potential partners look for some “short hand” way to get there. Often this is their first mistake.

Silicon Valley Series, the early tribe

Silicon Valley takes us on a meandering, often remarkably accurate path of what can does go wrong – crooked dealings with venture capitalists, non-disclosure agreements that blow up big time, in-fighting among the board of directors, a litany of lawsuits (completely avoidable, of course), succession issues, conflicts of interest, non-compete clauses, employment contracts and more…   All sorts of things.  All sorts of expensive, unnecessary things.   But, therein, lies the draw of the series.

In short, pretty much all the things any company would be dealing with from its formation from attracting investors, protecting intellectual property, guarding proprietary information, gaining market share, negotiating complex contracts to resolving business disputes and much more…

Exactly the kinds of things I do every day, helping clients get there, closing deals, capturing opportunities, evaluating risks, negotiating settlements and achieving good results while helping them avoid the inevitable pitfalls in today’s increasingly complex business environments. Legal issues are, of course, endemic in any business undertaking.  And Silicon Valley along with any number of real life examples I’m recalling from decades of working alongside CEOs prompted me to share my insights – on hiring someone with the right talent and experience before making a commitment, before signing on the dotted line, before being  “knee deep in a big mess” is one of the smartest decisions any business will make.  The moral of the story, and a good general rule of thumb, calling on legal counsel only after the fact for that big, probably unnecessary, “clean up” job is going to cost a lot more and I’m not just talking about money.  One of the most important things a good advisor does is protecting the client and limit the risks, by knowing how to work around the inevitable issues, while getting clients to where they need to go.

Silicon Valley Series, women who know how to get things done

And we haven’t even gotten to some of the top concerns faced by businesses today such as growing cyber security risks, trademark infringement claims, and ever-present bots out there trolling the internet causing expensive, disruptive, completely unnecessary problems.

While its viciously funny in the series, not so funny in real life.

I’ve dealt with many of these issues over the past two decades and have seen, too closely, the tremendous, unnecessary, financial and personal strain these kinds of issues take on the unprepared. The human and financial costs can be staggering enough to do a business in.

Silicon Valley is incredibly funny, sometimes hysterically so, sometimes ingenious, profane, and ultimately enormously entertaining. It takes the viewer on some interesting, yet highly realistic, twists and turns.  Because Pied Piper is fictional, its journey is entertaining and, of course, much more dramatic than real life.  That said, the series’ attention to detail is astounding. And in highly-instructive what can and does go wrong. Unlike their fictional company, the writers and producers of Silicon Valley, show the kind of research, attention to detail, and planning that would be the envy of any company. They employ hundreds of volunteers writing and reviewing scripts to get it as close to reality as possible – among them academics, entrepreneurs, lawyers, employees at Google, Amazon, Netflix and other well-recognized name companies. A show about a rudderless company is run by the most detailed oriented show runners in the business.

Like many successful tech companies and other businesses, Silicon Valley’s founder, may be a genius in one area, maybe two, but knows dangerously little about the complexities of starting and running a business. Or, how to protect his ideas and investments. Or, knowing where the cracks in the sidewalk lie.

Nicely said, successful entrepreneurs know it takes vision and the framework to get there

Whether company founders are brilliant, of the “genius variety” or otherwise,  (and p.s. it’s not a requisite), it’s just human nature to have a myopic, hyper-focus on one (or maybe two) areas of expertise. Which isn’t conducive to being able to see limitations in other areas. Entrepreneurs by nature, are typically reluctant to delegate or give up control of their creations. After all, it’s their baby.

All too often, new businesses go about it all by trial and error, while trying to save money, listening to friends, who are remarkably short on expertise, living from day to day. In Silicon Valley as in the real world, a very costly mistake.

Pied Piper, like many smaller start-ups can move quickly, that’s great.  But without adequate funding or even with funding sometimes on the way, businesses hesitate to consult properly qualified advisors – while relying on anecdotes of how things are done. They’ll stumble through, well, everything, and end up spending far more time, money and energy than if they had good, proactive advisors on board from the outset.

To say Pied Piper stumbles out of the gate would be an understatement, they find out quickly, just before a major meeting about funding, that their product name has already been taken.  Oops. How’d that happen?  Really, No one bothered to do a trademark search! The subsequent negotiations to buy the name are as humorous as they are sobering. These kinds of issues have been significantly on the rise over the past few years, and what I’ve seen, not remotely as humorously, in my own practice – pitching an idea or going to market without securing the right protections is a huge, costly mistake.

One thing about our friends at Silicon Valley, every time they make an error, sooner or later they pay for it.  Big time. Every mistake or rushed judgment they make comes back to haunt them.  Every single one. While it’s all a bit over the top keep us entertained, it’s realistic . . . to a point.

A business can only survive so many hard knocks before it fails, and permanently so.  Pied Piper gets knocked down and gets up over and over again, well it’s a series, and after all, it’s coming back next week, because the show is vastly funny and entertaining. Not so in the real world.  Too many entrepreneurs, often with great ideas, end up in really unfortunate and unnecessary situations only recognizing when it’s too late the value of good advice.  The cost in terms of stress, time, money, self-recrimination, business disruption or failure isn’t worth it.  It has charm in the series, it most certainly has no charm in the real world.

Anyone who’s seen the series, and by all accounts virtually everyone in the real Silicon Valley, tech companies and other start-ups around the country, instantly get it.   I’ve discovered in my many years of practice; how hard it is sometimes to adequately portray how early issues will have long-lasting effects compounding through the life of a business as other issues arise through the course of a day.

So what’s the bottom line?  There’s a world full of opportunity out there.  If entrepreneurship is your style, go for it!

Enjoy the ride. It can be incredibly rewarding. There’s truly nothing like it. But come prepared. Having the right team of trusted advisors around you, that you can call in quickly, who know you and understand the business, that’s a smart strategy for success.

Spoiler Alert: I think you’ll find Silicon Valley vastly more entertaining if you never experience any of it.

© Tegan Blackburn 2019.  All Rights Reserved.

CONNECTICUT STATE CONTRACTORS – NEW DATA BREACH LAW

Our blog this month highlights some important changes to Connecticut’s data breach notification statute with important new security requirements for anyone doing business with the state. (Public Act No.15-142, “An Act Improving Data Security and Agency Effectiveness –  “the Act”.)” State contractors must comply with this new law by October 1, 2017. The Act includes some important new requirements and a few modifications to existing laws regulating personal information.  These comprehensive new security requirements include mandatory security training, certifications and agency oversight. (See What’s Required of Contractors below.)

Briefly, the Act will:

  • impose extensive new security requirements on contractors that provide goods or services to the State of Connecticut;
  • require health insurers and certain other entities subject to the jurisdiction of the Department of Insurance to implement a comprehensive information security program;
  • modify the existing Connecticut breach notification law;
  • address state agency data security and data exchange practices; and
  • add new security requirements for smartphones sold to Connecticut purchasers.

This new law applies to all state contractors, health insurers and entities subject to Department of Insurance oversight, which may have access to personal, health or other confidential information.

What’s Required of State Contractors?

In every agreement where a state contracting agency may need to share personal information (PII), protected health information (PHI) or other confidential information (CI) with a contractor, the contractor must:

  1. take precautions to prevent a data breach;
  2. implement and maintain a comprehensive data security program to protect confidential information provided by a state agency;
  3. limit access to confidential information only as necessary to complete the contracted services;
  4. maintain confidential information on only secured servers or devises; and
  5. Alert both the state contracting agency and CT Attorney General of an actual or suspected data breach.

Contractors are required to have a data security program including:

  1. security policies for all employees to protect any personal, health or confidential information accessed, used, stored or transported;
  2. reasonable restrictions on accessing confidential information;
  3. at least once annually, policies and security measures must be evaluated and updated; and
  4. All employees with access to confidential information must be given security awareness training provided by the state contracting agency.

Important New Requirements for Security Breach Notifications

Many other federal and state laws already require many of the security protections required by this new law, however, not all laws are consistent and this law is intended to provide additional protections to state residents, as well as provide clearer breach notification requirements.

Data breach notification under this new law requires:

  • Notices must be provided to the consumers no later than 90 days after discovering a breach, unless shorter time notice is required under federal law; and
  • Notices must include an offer that includes identity theft prevention and, if applicable, identity theft mitigation services to affected residents, at no cost to those residents, for at least one year.
  • The consumer notification must also include information about how to enroll in the service and how to place a credit freeze on their credit file.

Comprehensive Information Security Program:

By October 1, 2017, any person or entity subject to the Act must have a comprehensive information security program in place to safeguard the PII, PHI or CI of insured or enrollees. Also, each company must certify annually to the Insurance Department demonstrating it maintains a program in compliance with the Act. The Attorney General and Insurance Commissioner will have oversight authority under the new law and may also request a copy of a company’s program to determine compliance.

The program requirements apply to every:

  1. health insurer, HMO, and other entity licensed to write health insurance in CT;
  2. pharmacy benefits manager;
  3. third-party administrator that administrates health benefits; and
  4. utilization review company.  Just like many of its federal counter-parts, such as health and finance laws like HIPAA and GLBY, each Security Program must be reviewed at least once annually, be in writing and include appropriate administrative, technical, and physical safeguards to protect data.

Of note is the additional provision prohibiting sales of new smartphone models in CT unless it has hardware or software that enables authorized user to disable smartphone’s essential feature.

Lastly, and very importantly, the Attorney General has the authority to investigate potential violations by State contractors and bring civil actions for violations.  So compliance and enforcement must be taken seriously.  The Act also empowers Department of Insurance to enforce the information security program requirements for health insurers and other entities subject to the information security requirements. State Department of Education can ban a contractor from receiving access to education records for up to five years if a breach involves the contractor’s access to education records.

_______________________________________________________________________________

In additional to our firm’s general counsel services advising diverse industry clients on a wide range of day-to-day legal and business matters, we have extensive expertise advising clients on best practices for avoiding cyber threats; and if the worse should occur, have extensive, hands-on experience guiding clients through the critical steps that must be taken to respond to security incidents and data breaches.  We welcome your inquires on this important subject and how our firm can help you avoid these risks.

You’ve been hit with Ransomware – Now what?

You’ve been hit with Ransomware  –  Now what? And is it a reportable breach?

Well, that depends.  Given the dramatic rise in ransomware attacks recently, many regulators have issued formal guidance that it’s presumed a reportable breach.  That is, unless you can prove otherwise – prove being the operative word here. If you haven’t taken a look at our blog post, below, on the “Alarming Increase of Ransomware” and what you can do to avoid it, please take a moment to review our important recommendations.

To determine if a ransomware attack is a reportable breach under privacy and security laws such as HIPAA/HITECH Privacy and Security Rules and other consumer protection laws, we have to start with how a breach is defined.  Under HIPAA laws, a breach is defined: as the unauthorized or impermissible “acquisition, use or disclosure” of protected health information (“PHI”), which compromises the privacy or security of the protected information.  Many other privacy and security laws governing protected information have similar definitions that boil down to whether or not personal, health or other confidential information (“PII”, “PHI”, ePHI or “CI”) was compromised or compromise would be likely.

There are now at least 200 different “families” (variants) of ransomware, some more sophisticated than others. The most commonly used ransomware “wraps” encryption over data locking users out of infected devises or networks (through a locking devise the attacker controls).  An attack doesn’t necessarily mean that confidential data has been accessed, used or viewed, but an analysis is required by many federal and state privacy and security laws and you don’t want to get it wrong.  And there’s newer ransomware out there that’s doing more than just encrypting, it’s pulling information such as the amount of records encrypted or other information so they can charge a higher ransom.

THIS IS NOT A SCREEN YOU WANT TO SEE!

your computer has been encrypted pic

 If you visit the websites of many federal and state regulators, including HHS, OCR and the FBI, you’ll see just how serious and prevalent this problem is. Attackers especially like targeting hospitals, government agencies and others with critical or sensitive information, and many are using newer versions of ransomware, hybrid ransomware, which infects a system, but stays quiet behind the scenes loading other malware that allows data to be viewed or accessed by other third parties.  Cyber thieves are known to advertise on the Dark Web auctioning off information and access to the highest bidder (in the same way pools of stolen credit card information are illegally auctioned off to the highest bidder).  By providing access to confidential data to other unauthorized users,  the definition of breach is met.  In guidance released late last year, HHS announced that “the presence of any ransomware (or any malware for that matter) on a covered entity’s or business associate’s computer is a Security Incident under the HIPAA rules, and therefore, requires prompt investigation, remediation and possible notification.  Once the ransomware is detected, the affected entity must promptly initiate the required security analysis and reporting procedures. See 45 C.F.R. 164.308(a) (6). Whether or not the presence of ransom ware would be a reportable breach under HIPAA or other security laws is a fact specific question.  Know what’s required!

Which begs the question – how does an organization prove protected confidential data wasn’t improperly used or compromised?  (Or whether it was and must be reported!) It may not be fast or easy, but it’s in organization’s interests to quickly take steps to determine (and document) its findings.  In its recent Guidance, HHS has taken the position that unless the affected entity can demonstrate that there is “… low probability that PHI has been compromised”, based on the HIPAA Breach Notification Rule factors, a breach is presumed.   If other types of regulated personal data are potentially at risk and it can be established (and documented in a justifiable, reasonable way) that ransomware only wrapped or encrypted data and the data was never viewed, used, accessed or moved off servers or devises, it may not be a reportable breach, but you have to get it right. (The exact type and variant of malware and exfiltration attempts and other information is critical to verify.)

The affected entity should immediately put its Incident Response Plan into action.  (Let’s hope there is an Incident Response Plan, as this isn’t the ideal time to try to figure it out.  And I’d like to point out that everyone regulated under HIPAA and many other similar laws is required by law to have an incident response plan and have other security steps in place such as training all workforce members annually.  Big fines will be coming to those who don’t take this seriously and don’t have legally compliant plans in place.)   Besides the many smart business reasons to establish an incident response plan, many federal and state laws require it.

Ransomware attacks in the healthcare sector in particular and other organizations holding confidential data are becoming much more common and sophisticated.  The consequences of a ransomware attack on the delivery of healthcare and other critical systems is staggering – computer networks and devises are immediately locked down, preventing access to data and systems with potentially catastrophic results.  It’s critical to respond quickly when a suspected or known security incident occurs.  And if it’s a ransomware attack, the consequences will be immediate!

Training employees on what to look out for is critical – and required!

bad guy pic

Defending against security risks must be a top priority for every organization.  HIPAA and other similar laws require ALL workforce personnel with access to systems and data to be trained at least once annually.  This is the first thing regulators will look at and the best way to avoid attacks.  If training is deficient, or all workforce members aren’t being trained annually, then big fines and other sanctions will be imposed.  Proper training is the single, most important part of protecting your organization from ransomware and similar cyber threats – make sure every person with access to a computer system or devise is trained on what to look out for!  Most security incidents are avoidable and result from the “human factor”: someone opening something, clicking without thinking and now it’s too late – systems and data are compromised or worse. Preventing attacks is a far better way to go and far less costly proposition than reacting after an attack occurs.  I’d also like to point out that if you elect to pay the ransom, there’s no guarantee the data will be there or won’t be compromised.  The FBI and many other regulators recommend not paying ransom to hackers as a disincentive to the huge number of attacks occurring and provide the same caution we do that the data may not be there even after you pay up.   There’s no guarantee.  Following the advice we’ve outlined for avoiding the problem in the first place and having a back-up plan ready, just in case (See our July, 2016 Client Alert) is a far safer, better way to go.  ______________________________________________________________________________

In addition to acting as general counsel and compliance officer to diverse business organizations, we’re frequently called on to advise clients regulated under HIPAA/HITECH laws on the best ways to assess risks and ensure compliance; and if the worst should happen, how to respond.  We welcome your inquiries on our general business and corporate legal services; and would be glad to speak with you specifically about how we can help your organization with avoiding these costly, disruptive problems.

Tegan Blackburn LLC       www.teganblackburn.com             All Rights Reserved.

The Latest Security Threat – Ransomware

Ransomware Increasing in Alarming Numbers

The growing sophistication and volume of cyber security threats is a serious, ever-present risk.  Here’s the latest one – ransomware.  Today’s blog will help you understand what this latest threat is, how to avoid it and if the worst thing happens, how to respond to it.

Just how serious is it? If you visit the websites of any federal regulators or enforcement agencies such as the FBI, HHS, OCR or the Secret Service, you’ll see what a big threat this has become – some estimating a 3,500% increase of ransomware just this year.  Readily available, free open source code makes for easy exploits by cyber thieves. With the return on investment for cyber criminals very high, everyone from mom and dad to the local grocer, as well as big business is at risk.

bad guy pic

There are a lot of different types of ransomware out there, but all of them have the same purpose. And it’s pretty much what it sounds like – they kidnap your data, leaving you at the mercy of criminals, who’ve taken over and locked down your computer (using an encrypted locking device) until you pay up.  This is just the latest in highly profitable criminal enterprises out there lurking on the internet, hitting businesses and individuals alike with software capable of locking down a computer or entire computer network with just one wrong key stroke.

The typical way ransomware takes over is by:

  • Drive-by downloads – all it takes is a visit to malicious website, clicking a pop-up ad or opening an infected email attachment. This often called the “human factor” – people clicking before thinking, not taking a moment to consider if what they’re about to open is legit.  Click, and it’s too late, they’ve taken over and locked you out until you pay up.
  • Exploiting program vulnerabilities if you don’t run and update anti-virus and malware detection (settings to automatic updates is best); you’ve left the door wide open to cyber criminals gaining easy entry to your computer system.   The hackers and crackers, or whatever you want to call them, aren’t targeting you, they have malware spiders and bots running behind the scenes 24/7 looking for any open doorway.

 To up the ante, criminals often use scare tactics displaying logos and images of known law enforcement agencies threatening punishment or imprisonment if payment isn’t made.  All of this works at lightning speed and without warning.  As soon as the pop-up ad, email attachment or link containing ransomware is opened, everything is immediately encrypted preventing access to the computer or network.  The attacker then demands payment (usually requiring purchase and delivery of unregulated bit coins) before giving you the decryption key that, presumably, allows access to the computer.

What can you do to avoid this?    computer locked pic                                      

  1. Always back up your data: Frequent (sometimes redundant) backups of data is the best policy – if the worst happens, your data can be promptly restored.
  2. Think before clicking: Don’t click pop-up ads, open attachments or unrequested links unless you know and trust the source.  A lot of these infected emails and links contain red-flags and everyone should be trained on what to look out for.
  3. Secure your PC: Make sure you run and update adequate anti-virus and malware detection software on all systems. Check all system settings so they automatically update and apply appropriate patches.
  4. Don’t Pay: If you think you’ve been the victim of ransomware attack, don’t panic and rush to pay. There’s no guaranty after making payment that your computer’s functionality and files will be restored. In some instances, more recent less “robust” versions of this malware delete all your data so even after you pay up, there’s no guarantee your data will be here. In some instances the Secret Service, FBI or other law enforcement officials should also be contacted.  These agencies typically recommend not paying up as a disincentive to the bad guys, who are often here and gone, beyond the reach of U.S. officials.  (Our next blog will discuss the intricacies posed by a number of federal and state privacy, security and breach notification laws such as HIPAA, which may require notifications and additional steps to be taken.)

If you’ve done what we recommend, frequently backing up files and programs, then using your own resources to quickly restore functionality is a far better way to go than negotiating with criminals and hoping for the best.  Of course, avoiding the problem all together is the goal and we’d be glad to assist.

_____________________________________________________________________

Our firm frequently advises clients and provides training on how to avoid these all too present security threats, and if the worst should happen, how to respond.  We welcome your inquiries on our business and corporate legal services; and would be glad to speak with you specifically about our extensive background and expertise helping clients develop and implement the best practices, policies and procedures to avoid these unnecessary, costly problems.

Tegan Blackburn LLC                      www.teganblackburn.com            All Rights Reserved.

New Connecticut Law Restricts Non-Compete Agreements with Physicians

New legislation significantly changes the law regarding covenants not to compete involving physicians.  This new law effective July 1, 2016 (Public Act 16-95) is intended to increase competition among healthcare providers.  While there has never been a really bright line rule for enforcing non-competes in Connecticut, and elsewhere, courts typically considering the “reasonableness” of the restrictions imposed.  With this new law, Connecticut now has a bright line rule limiting physician non-competes to no more than: (a) 1 year; and (b) 15 miles from the “primary site” where the physician practices.non compete pic

The reasonableness standard that has always applied to non-competes will continue to be important.  In any enforcement action, physician non-competes will continue to be enforceable only if: (a) necessary to protect a legitimate business interest; (b) reasonable in limiting time, geographic scope and practice restrictions; and (c) otherwise consistent with law and public policy.  An important drafting note for non-competes and when making hiring decisions is determining (and defining) “the primary site” to avoid conflicts in interpretation and when more than one location may apply.  The “primary site” where the physician practices” is defined as “the office, facility or location where a majority of the revenue derived from the physician’s services is generated.”  The statute also includes additional restrictions for non-competes entered into, amended or renewed, after the effective date, between hospitals, health systems, medical school or medical foundations allowing these covenants to restrict the physician’s right to practice only with another such entity or foundation.

Also, these non-competes will be void and enforceable against a physician if: (1) the employment agreement was not made in anticipation or part of a partnership or ownership agreement and the agreement expires and is not renewed, unless, prior to the expiration, the employer makes a bona fide offer to renew the contract on same or similar terms and conditions; or (2) the employer terminates the employment or contractual relationship without cause.  It’s important for employers to note that if a non-compete drafted under the new law exceeds the scope of its provisions (both the long existing “reasonableness standard” and the new bright line rule defining the time and geographic limitation from the primary site); or if the physician’s employment or contractual relationship is terminated without cause, or the agreement expires, the non-compete will be utterly void and unenforceable.

Lastly, in order to prevail, a party seeking enforcement must prove: (1) the non-compete complies with the new statute in all respects; (2) that they have not violated its provisions; and (3) that actual damages were suffered.

With the important new requirements under this bill, effective July 1, 2016, we can’t stress enough the importance of reviewing existing physician non-competes before contracts are renewed and having counsel prepare or review non-competes for all new hires to ensure they meet the requirements of this new law.  We welcome inquires on how we can assist.

 

 

 

Asset Transfers, How You Hold “Title” Really Matters

canstockphoto15887355

Asset transfers are made for a wide range of legitimate business, estate planning and other reasons.   How assets are titled can make all the difference between effortless, prompt transfers or having costly and often uncertain results.  In the estate planning context, it’s important to get it right before you need it.  Sometimes forms designating beneficiaries (and perhaps forgotten) or how deeds or accounts were set up will completely override what’s stated in a Will or other testamentary documents.  Lifetime transfers of business and personal assets can also be done with far greater ease when assets are properly titled, not leaving the door open for more costly delays or other unpleasant surprises.

When attorneys talk about “titling” assets, we’re talking about who the “legal owner” is.  Married couples will often own real estate as joint tenants with rights of survivorship (JTWROS).  So when a spouse passes away, the title vests 100% to the surviving spouse with ownership passing immediately to the surviving spouse.  This applies to any property provided the property is property titled in “survivorship”.

Alternatively, property is sometimes acquired or owned as “tenants in common” (TIC).  When, for example, multiple family members or unrelated individuals own property acquired through an inheritance or for investment purposes with each holding some specified share of the property.  Property owned as TIC is freely divisible whereas property owned in survivorship is not.  If a TIC owner dies, their share will be transferred in accordance with their Will (or Trust or if owned by a business, as designated in the governing documents) to the named beneficiary.  (If there is no Will or the Will is invalid even bigger problems can arise under state intestacy laws).  Lifetime transfers of TIC properties can pose challenges for the owners who now hold title with who knows who – since interests are freely divisible (unless there is a first right of refusal retained by the other owners in a valid document).  Trusts (or other agreements) can also be utilized by individuals or businesses to provide more seamless transfers.

Property is sometimes held in a sole individual name.  Property owned solely or “individually” at the time of death is considered a “probate asset” requiring a court order to transfer the property; subject to a few of the exceptions if property is deeded though Trusts and properly recorded, etc.  After the death of a spouse, a surviving spouse, who owns the property in her sole name, may wish to create a trust or other testamentary instrument so that property will not require probating and pass directly to heirs.

Each of these types of ownership interests will have dramatically different results so how to hold title should be carefully considered.  When titled properly, real estate, bank accounts and other assets can pass immediately to co-owners, survivors and beneficiaries, after death, without the delay or the involvement of probate court.  In the estate planning context, it’s extremely important to keep in mind that how accounts are titled will override the provisions in a Will.  While there are a number of options, how to take title during lifetime ownership will depend on a variety of factors and there are instances where jointly owned accounts may not be advisable. Many people choose a transfer on death (“TOD”) designee (which works like naming a beneficiary in a Will) so the account will pass automatically to the named TOD designee unlike a joint account, which during lifetime could be accessed and completely drained by any of its owners. Joint accounts should be identified as (JTWROS) and, as noted, there are some precautions to point out as any one of the owners can access, withdraw and make decisions on the account – so care should be taken here.

Keeping in mind that named beneficiaries or TOD election will override any provisions in a Will to the contrary, it’s extremely important to keep up-to-date records of beneficiary designations and document how accounts were set up.  Too often bank records aren’t correct, documents are lost or people forget to update beneficiary designations.  Don’t rely on bank representatives or family members to advise you.  I’ve seen situations where misinformation was provided to clients or mistakes were made by bank representatives causing unnecessary, lengthy delays, because documents prepared long ago were not done correctly or how they were done was not understood.  This can cause assets being transferred in a ways an owner never intended.   It’s critically important to make sure there are no inconsistencies with your wishes and that documents are correctly prepared.  Otherwise, costly, unpleasant, unintended consequences can and do result. The beneficiary designation (again, properly done and documented) will prevail over any contrary provision in a Will care must be taken!  The assistance of qualified legal counsel is important to make sure these avoidable, unintended (and sometimes irreversible) consequences don’t occur.

Preparing documents that meet your needs and reviewing your documents every year or two (or whenever a major life change occurs) is a great way to have peace of mind and feel secure about your future.  Everyone regardless of age should have a Will.  Anyone who owns a business should have a  Business Succession Plan, as well as Will. Having these documents in place before they’re needed is critically important.  If something unplanned occurs, it may be too late. Many times clients believe this will be an overwhelming process and are often surprised by how easy we make this process by listening carefully and explaining options.  There is often a great sense of relief for accomplishing business succession, estate plans or just having a review or update done to confirm all is well. Regardless of age or circumstances, it’s important that documents be properly titled so they can accomplish important goals. There’s nothing worse than finding out documents you prepared sometime ago may completely override what you intended.

Don’t wait – Please contact us today for assistance in reviewing your documents and goals.

At Last – Some Good News for Powers of Attorney

Did you know – until recently there was no Connecticut law requiring banks or financial institutions to accept a Power of Attorney?  Those of you who do know – have likely seen first-hand the problems this caused. A new Connecticut law, at last, has come to the rescue.  (See notes below on Adoption of Connecticut Uniform Power of Attorney Act).  This blog highlights the benefits of the new law and reasons Powers of Attorney are rejected, sometimes for valid reasons, sometimes not:probate image canstockphoto13987862 (2)

Here’s the top 2 reasons Powers of Attorney are rejected: 

  • Drafting problems. Banks, financial institutions and others can and often do refuse to accept a Power of Attorney (POA), because it doesn’t state the specific authority for what the agent wants to do.  For instance, the agent appointed under the POA wants (often needs) to access a safe deposit box, but the document doesn’t specifically mention a safe deposit box.  Documents can be more carefully drafted to avoid these types of problems; and
  • Internal bank policies. Powers of Attorney also get rejected without any really legitimate reason other than “our policy is such and such…” and your document doesn’t meet their policy. While banks came under greater scrutiny since the 2008 Wall Street debacles (through laws like Sarbanes Oxley (SOX) and Gramm Leach Bliley (GLBA) and some of the policies they adopted were intended to protect consumers, all too often  POAs are rejected for reasons that boggle the mind.  In one instance I know of a bank rejecting a POA, because it was executed more than 6 months ago. A number of other larger, well-known banks have adopted polices requiring POAs be no more than 12 months old or they reject them.  Needless to say, this caused a lot of unnecessary turmoil.  In many instances a perfectly good POA is rejected, because of these types of these internal policies.

Yes, banks can and do get away with this – until very recently there was no state law requiring them to accept an otherwise perfectly validly POA. Some banks have even have gone so far as to require their own forms be signed – huh, how practical is this?  It doesn’t take a rocket scientist to understand how this completely defeats the entire purpose of having these forms prepared and in the hands of those appointed before they’re actually needed.  For anyone attempting to act on behalf of a principal in a time of need; especially when the principal is incapacitated or unavailable and the agent has important duties to perform this can be a nightmare. The result is often engaging legal counsel to fight the battle, creating a new POA (if the principal is available and competent) or as a last resort needing to go to probate court for a conservator to be appointed – more unnecessary expense and delay.

This new law is incredibly welcome news.  The law creates a presumption of validity for a person who accepts a POA if they believed in good faith it was validly executed. The law also limits the circumstances under which a POA can be rejected – for example, when the bank knows the POA was terminated or that it violates a state or federal law, perfectly legitimate reasons.  Also included in the new bill is a provision allowing the probate court to require the person who rejects a POA to accept it and can also award attorney’s fees and costs to the prevailing party – very welcome news!   (See sHB6774 for the full text of the bill – effective date October 15, 2015 was revised to be effective July 1, 2016).

If you want to avoid these costly, lengthy (often unnecessary) issues that frequently arise with some POA forms, we recommend carefully reviewing your current documents to make sure they still meet your needs with the assistance of a qualified attorney.  There are also some important new provisions in the new law that POAs should be updated to include. If you need assistance with this review, please contact me for a consultation.

(For readers of this blog unfamiliar with POAs – Powers of Attorney are created and used for a lot of different reasons, but the primary purpose is designating someone (called the agent) to legally make decisions or take actions on behalf of the principal.  The powers granted can be very limited or specific or they may be very broad.  In the estate planning context, powers of attorney are often durable, meaning they survive the incapacity of the principal.  Once incompetent, a person cannot enter into a new POA (or any contract for that matter.)

 

 

The LOI (Letter of Intent) is Binding – Really?

The Delaware Supreme Court thought so – even though most attorneys and business people, who regularly draft these documents know they’re always meant to be a non-binding expression of the major deal points to see if it makes sense to move forward with a deal and definitive, binding agreement. LOIs almost always state that they’re non-binding and courts in most jurisdictions seem to agree.

canstockphoto28784962

So what happened in the Delaware case SIGA Tech Inc. v PharmAthene, Inc. No 314, 2012, 67 A 3d 330 where the LOI was found binding is worth a close look. The parties in this case first entered into a non-binding licensing agreement term sheet (LATS) for a potential licensing deal, but PharmA insisted they explore a merger first. The parties then executed a Merger Agreement, which provided if the merger didn’t close by a certain date the parties would “negotiate in good faith with the intention of executing a definitive licensing agreement in accordance with the terms of the LATS”. The merger failed to close by the deadline. In a fortuitous turn of events for SIGA (but not so fortuitous in light of the high court’s later ruling), National Institutes of Health (NIH) agreed to provide significant funding for a new drug bumping the original valuation from $6mm to $40mm. SIGA refused to go forward with terms it earlier said were acceptable and PharmA, in turn, objected stating the terms were “radically different” from the LATS. SIGA then issued an ultimatum that PharmA negotiate “without any preconditions”. The lawsuit followed.

Even thought the LOI stated it was “non-binding” (most do to avoid potential claims and typically only state the major deal terms), the court found the language in the earlier License Agreement Term Sheet (LATS) incorporated into the merger agreement requiring negotiations “in good faith” compelling. The Delaware Supreme Court upheld the lower trial court’s decision that SIGA acted in bad faith. The Supreme Court went even further finding PharmA could recover “benefit of the bargain damages” (the value of the licensing agreement that would have been entered into but for bad faith) holding the parties were obligated to negotiate toward a license agreement on terms substantially similar if the merger wasn’t consummated. Great result for PharmA, not so much for SIGA.

The moral of the story? Draft carefully and include the most beneficial governing law provisions. LOIs have always been drafted and understood to be a non-binding first step to determine if parties want to move forward with a deal and definitive, binding agreement. What’s in the LOI and peripheral documents (here express good faith language or some other language a court may find binding and compelling enough to award damages) – must be carefully considered. Whether courts outside of Delaware may follow suit and what governing law provisions to include in the LOI must also be carefully considered.