How to prepare for California’s sweeping privacy law

In 2018, California enacted the first comprehensive state-level privacy law, the California Consumer Privacy Act of 2018 (CCPA), which takes effect Jan. 1, 2020. Because of the CCPA's broad scope and reach beyond California, and its large fines and penalties for noncompliance, the law is setting a high bar for data protection practices nationwide. Since the CCPA was signed, several states have proposed or enacted similar legislation, turning privacy and cybersecurity into a patchwork of state-led experimentation.

“More states are developing privacy laws, which will make it difficult for companies to track and comply with every state’s privacy act, not to mention the privacy regimes in non-U.S. jurisdictions, such as Europe’s General Data Protection Regulation (GDPR),” says Justine Kasznica, shareholder at Babst Calland.

In the absence of a uniform approach to privacy and cybersecurity, businesses need to be aware of the state, federal and foreign laws being introduced and enacted — even if their operations are not yet affected.

Smart Business spoke with Kasznica about how California’s privacy law, and others, will impact companies.

How does California’s privacy act work?

The CCPA protects consumers who are residents of California, giving them rights to disclosure, access, deletion and control (opt-out and portability rights), and prohibiting businesses from discriminating against consumers who exercise those rights. It also imposes opt-in requirements for selling the personal information of minors under 16, with parental consent required for children under 13.

The CCPA is modeled on the GDPR, articulating similar consumer rights (even if terms differ) and imposing business obligations and enforcement mechanisms. While compliance with GDPR may facilitate CCPA compliance, the two privacy regimes deviate in their definitions of personal information/data, scope of the rights protected, affected organizations, and penalties and enforcement.

The CCPA applies to for-profit entities (and certain nonprofits) that do business in California and collect or direct the collection of personal information of consumers, if the entity meets at least one of the following thresholds:

  • Has total annual gross revenue in excess of $25 million.
  • Annually buys, receives, sells or shares the personal information of 50,000 or more California consumers, households or devices.
  • Derives 50 percent or more of its annual revenue from selling the personal information of California residents.

With the rapidly changing privacy regulatory landscape, how should businesses react?

Companies need to evaluate how they operate and collect, store and process personal information. Many U.S. businesses will need to change their data privacy practices to comply with the CCPA, GDPR and other privacy laws. Even those companies that are not subject to a particular privacy law may be affected if they partner or do business with companies that need to comply with a law, and the obligations pass on by contract.

A pragmatic approach to privacy law compliance would be to:

  • Perform a data privacy assessment that captures what kind of personal information an organization collects, for what purpose it is collected and how the information is being used. Achieving consensus on the definition and categories of personal information/data is critical.
  • Understand which privacy laws and regulations apply or will apply. If you believe your organization is subject to the CCPA, reach out to experts in legal, risk and IT who can help ensure compliance.
  • Work with legal counsel to modernize or update your terms and conditions, privacy policies, cookie and other data collection policies.
  • Redesign and deploy new internal and user-facing processes, safeguards and tools to enable individuals to exercise their rights, as required. This may include new communication tools, notices, banners and opt-in or opt-out features, as well as data access, correction and deletion procedures. Be sure to plan ahead; budget time and resources for the changes.

Bottom line: Whether your organization falls within the scope of the CCPA or not, a wait-and-see approach is not a good strategy. Privacy laws are only going to become more important as the landscape evolves, and the GDPR and CCPA are just the beginning.

Insights Legal Affairs is brought to you by Babst Calland

The benefits to business owners of selling through an ESOP

A growing trend among business owners is selling their companies to an employee stock ownership plan (ESOP). Such an approach allows owners to cash out their equity interest in the business and, at the same time, stay actively involved with the company.

While a strategic buyer or a private equity fund may offer more money for a business, the opportunity for the owner to control the business and/or stay involved may be significantly curtailed, or not possible, after a sale to a third-party purchaser. Further, the culture of the business will likely be impacted by selling to an outside purchaser — there is no guarantee that current, long-standing employees will be offered positions with the acquiring purchaser after the transaction is completed.

ESOPs offer owners the option of a prolonged exit and the opportunity to maintain control of the company as it’s being transferred to employees. Additionally, there are certain unique estate and tax benefits available to owners that may make the ESOP approach a more desirable exit strategy.

Smart Business spoke with Patrick J. Egan, a partner at Brouse McDowell LPA, about the benefits to owners of selling their business to employees through an ESOP structure.

What do owners need to do to prepare to sell their company to employees?

First, owners should talk to their family, financial consultants and business advisers to determine what they want to accomplish through any possible sale of their company. They should ask questions regarding their exit strategy and business succession goals, whether and for how long they want to stay involved with the business, and how important it is to them to maintain the same culture and work environment with respect to the employees of the company.

It is also prudent to get legal advisers involved early in the process as they can help the owner consider their options and fully set forth the pros/cons of selling to an ESOP. If an ESOP is an attractive option, legal counsel can then marshal the professionals who will be needed to pursue the same.

For example, the business owner will likely need to engage an ESOP consultant who will conduct a feasibility study. The feasibility study will look at future projected cash flow and other factors to make sure the debt incurred by the ESOP (in buying the equity interest of the owner) can be paid off.

If an ESOP is feasible, then an ESOP trustee (typically a bank) will need to be retained on behalf of the ESOP. The ESOP trustee will then arrange for a business appraisal. It's important to understand that, by law, an ESOP may pay no more than fair market value for the company, which only a qualified independent appraiser can determine.

Why are ESOPs gaining popularity?

ESOPs are increasingly prevalent in part because many owners like the idea of staying involved with their company, keeping control of the business while it's transferred to employees. Further, ESOP-owned businesses are often found to be more productive and efficient because employees directly benefit from the company's success, which frequently means greater profitability.

How does an ESOP help owners realize the lifestyle they’re hoping to live post transaction?

Owners, after selling to an ESOP, often maintain their current salary and benefits. The ESOP trustee, along with the company’s board of directors, will have some say regarding pay and benefits, but as long as the executive’s compensation is reasonable, it should be fine.

There’s also flexibility that can be negotiated into the ESOP structure and how the owner is paid. Typically, a portion of the sales price is financed through a seller note. There is significant flexibility regarding the payment terms and duration of any such seller notes. The Department of Labor, which oversees these arrangements, is mainly concerned that the ESOP pays no more than fair market value for the interest purchased from the owner. Problems will arise if the appraisal overvalues the business.

Owners who want to stay involved in the business that they have grown and operated for many years while protecting its culture and employees should take the time to explore an ESOP.

Insights Legal Affairs is brought to you by Brouse McDowell LPA

Ensuring your business is protected when working in the cloud

Many businesses are moving their software applications to the cloud to take advantage of the increased accessibility and potential cost reductions. But Software as a Service (SaaS) agreements differ from license agreements for software housed on-site or otherwise managed by companies.

“Prior to signing SaaS agreements, businesses need to recognize and understand the issues unique to cloud-based software and address them in the context of their specific needs,” says Alexis Dillett Isztwan, a member at Semanoff Ormsby Greenberg & Torchia LLC.

Smart Business spoke with Isztwan about what to look for in SaaS/Cloud-based software agreements to ensure your business is protected.

What issues are unique in a SaaS/Cloud agreement?

Given that businesses access and use software applications remotely under a SaaS model, SaaS agreements introduce several unique components that require specific attention, including data security and protection, performance service levels and credits, support services response times, and business continuity and disaster recovery. How a business addresses each of these issues in its SaaS agreement will depend on a number of factors, including how mission critical the software application is to the business, the function the software performs, and what, if any, types of data will be stored by the SaaS provider.

Of course, businesses will need to consider issues similar to those in a traditional license, such as who is permitted to use the cloud software, what are the permitted uses, whether the license is global or restricted to use in the United States or other jurisdictions, whether the rights are perpetual or revocable, and what happens at termination.

What about company data in a SaaS model?

Protection of company data, such as customer information, is another significant issue to consider since company data will likely reside at a remote location rather than onsite. Multiple privacy laws potentially apply to the treatment of a company's data and may set certain minimum security or other requirements, particularly if the data includes non-public personal information. Businesses should have a full understanding of what data will be shared with, stored by or accessible to the SaaS provider, and where the provider stores the data. The answers to these questions must be consistent with the business's compliance obligations under privacy laws.

What performance metrics matter?

While the number and types of performance measures will vary based on the type of software application, a SaaS agreement should include specific performance service level metrics such as a minimum application availability commitment as well as potentially a maximum transaction processing time. The availability commitment provides that the software application will be available for use by the business at least a minimum percentage of each month. The maximum transaction time measures the time required for the application to receive, process and respond to requests made of the application. Businesses should review these service level metrics to ensure that they meet their needs. The SaaS provider should deliver to the company monthly reports of the actual performance of the software against these metrics. A business may be able to negotiate credits against future invoices for repeated or chronic failures of the provider to meet the contractual service levels.
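The availability and transaction-time checks described above, worked through as an added example (this is not code from the page, the interviewee or any SaaS provider): given a provider's monthly report, recompute availability from the reported outage windows, merging overlapping windows so that two incident tickets for one outage are not double-counted, compare a latency percentile against the maximum transaction time, and flag the months that would trigger a credit for chronic failure. The 99.9 percent commitment, the 2-second maximum, the 95th percentile, the two-consecutive-miss credit trigger and every outage and latency figure are constructed assumptions, not terms from the article.

```python
"""Added example (not from the page or any SaaS provider): re-checking a
provider's monthly SLA report against the availability and transaction-time
commitments discussed above. All numbers are constructed for illustration."""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Commitment:
    """Hypothetical contractual service levels (assumed, not from the article)."""
    min_availability_pct: float = 99.9  # app must be usable this share of each month
    max_txn_seconds: float = 2.0        # maximum transaction processing time
    txn_percentile: float = 95.0        # percentile that must stay under the maximum
    misses_for_credit: int = 2          # consecutive missed months that earn a credit
    credit_pct: float = 10.0            # credit against the next invoice


def month_bounds(year: int, month: int):
    start = datetime(year, month, 1)
    end = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    return start, end


def availability_pct(year: int, month: int, outages) -> float:
    """outages: iterable of (start, end) datetimes. Windows are clipped to the
    month and overlapping windows are merged so downtime is not double-counted."""
    m_start, m_end = month_bounds(year, month)
    windows = sorted((max(s, m_start), min(e, m_end)) for s, e in outages)
    downtime, cur = timedelta(), None
    for s, e in windows:
        if e <= s:                      # window lies entirely outside the month
            continue
        if cur is None or s > cur[1]:   # disjoint from the current merged window
            if cur:
                downtime += cur[1] - cur[0]
            cur = [s, e]
        else:                           # overlaps: extend the current window
            cur[1] = max(cur[1], e)
    if cur:
        downtime += cur[1] - cur[0]
    return 100.0 * (1.0 - downtime / (m_end - m_start))


def percentile(samples, pct: float) -> float:
    """Nearest-rank percentile (no numpy dependency)."""
    ordered = sorted(samples)
    rank = max(1, math.ceil(pct / 100.0 * len(ordered)))
    return ordered[rank - 1]


def evaluate_month(year, month, outages, txn_seconds, c: Commitment) -> dict:
    avail = availability_pct(year, month, outages)
    slow = percentile(txn_seconds, c.txn_percentile)
    return {
        "availability_pct": round(avail, 3),
        "availability_met": avail >= c.min_availability_pct,
        "txn_percentile_seconds": slow,
        "txn_met": slow <= c.max_txn_seconds,
    }


def credit_months(results, c: Commitment) -> list:
    """Labels of months that complete a run of c.misses_for_credit consecutive
    misses of either metric; the run resets once a credit is earned."""
    earned, streak = [], 0
    for label, r in results:
        streak = 0 if (r["availability_met"] and r["txn_met"]) else streak + 1
        if streak >= c.misses_for_credit:
            earned.append(label)
            streak = 0
    return earned


def example():
    """Constructed report data for Feb-Apr 2019 (not real measurements)."""
    c = Commitment()
    feb = evaluate_month(2019, 2, [(datetime(2019, 2, 12, 3, 0), datetime(2019, 2, 12, 3, 45))],
                         [0.4, 0.6, 0.8, 1.1, 1.3, 1.5, 1.7, 1.9, 2.4, 3.1], c)
    # Two overlapping incident tickets for one 50-minute outage: merged, not summed.
    mar = evaluate_month(2019, 3, [(datetime(2019, 3, 5, 2, 0), datetime(2019, 3, 5, 2, 30)),
                                   (datetime(2019, 3, 5, 2, 20), datetime(2019, 3, 5, 2, 50))],
                         [0.4, 0.6, 0.8, 1.1, 1.3, 1.5, 1.7, 1.9, 2.4, 3.1], c)
    apr = evaluate_month(2019, 4, [(datetime(2019, 4, 20, 22, 0), datetime(2019, 4, 20, 22, 10))],
                         [0.3, 0.5, 0.7, 0.9, 1.0, 1.2, 1.4, 1.6, 1.8, 1.9], c)
    results = [("2019-02", feb), ("2019-03", mar), ("2019-04", apr)]
    return results, credit_months(results, c)


if __name__ == "__main__":
    months, credits = example()
    for label, r in months:
        print(label, r)
    print("credit earned in:", credits)
```

At 99.9 percent a 31-day month allows only about 45 minutes of downtime, so whether overlapping incident tickets are merged or summed can decide a miss; the constructed March data shows a single 50-minute outage reported as two tickets, and the February and March misses together produce one credit under the assumed two-month trigger.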

Similarly, businesses should ensure that the SaaS agreement sets out specific support services requirements, such as response time minimums and error resolution obligations based on the severity of the problem.

SaaS agreements should include details of the provider’s business continuity plan and disaster recovery services. Businesses should fully understand whether and when the software will be available for use in a disaster, including what data will remain accessible. The SaaS agreement should specify the time period anticipated between a disaster event and restoration of subscribers’ use of the software, even if via a temporary environment. More robust disaster recovery services often come with a more robust price tag.

Insights Legal Affairs is brought to you by Semanoff Ormsby Greenberg & Torchia, LLC

The pitfalls of hiring intermediaries to find additional investment

When companies start running out of capital and executives are pulled in a million different directions, they often look to an outside party — a person who is well-connected but is not a licensed broker/dealer — to support the fundraising. The two parties may come to an arrangement where he or she will make introductions, help secure additional investment and only be paid a commission if the financing round successfully closes.

The problem is, this scenario is illegal under the rules of the Securities and Exchange Commission (SEC). And the excuse that everyone else is doing it will not work if you are caught, says Sara M. Antol, shareholder at Babst Calland.

“When it comes to broker-dealer territory, many times businesses do not realize how strict the current regulatory environment is, or how extreme the consequences can be when you violate the law,” she says.

Smart Business spoke with Antol and Christian A. Farmakis, shareholder and chairman of the board at Babst Calland, about fundraising compensation.

How common are these arrangements?

Raising money is difficult; it takes time and can be frustrating. Because fundraising is relationship-driven, it is easy to want to bring in a well-connected person in some capacity. And if a company is on a tight budget, it may seem logical to pay someone only if they have success. However, only registered broker-dealers are allowed to engage in this type of activity, and it is illegal for persons who have not registered to act as brokers.

What is permissible?

A company can work with a finder as a consultant, hired under certain narrowly defined conditions. The company must pay a flat or monthly fee for services that might include helping the organization develop investment materials and making introductions, without negotiating or aiding in the investment's completion. The compensation cannot be tied to fundraising success.

The other option is to work with a registered broker-dealer. Plenty of firms do this, but it will come at a cost.

How should companies handle these situations with their own employees?

Businesses cannot make someone's employment or compensation contingent upon raising capital. For example, giving a CFO equity or a bonus for successful fundraising is not allowed. A salesperson paid on commission for finding investors is also not permitted.

Raising capital can be part of an employee’s duties, but it cannot be their sole job function, and they cannot get compensated directly for bringing in investors.

What can be the consequences of incorrectly using a finder or employee to raise capital?

Any company, whether private or public, that improperly uses a nonregistered finder or employee may have to offer rescission to investors and refund the entire amount invested, even when those funds have already been spent.

If the company and its executives are sanctioned, they may not be allowed to do a private placement in the future, such as a Regulation D offering. The individuals named in a sanction may be labeled as "bad actors" (often called "bad boys") and come under regulatory scrutiny for a number of years. There is also the potential of criminal penalties against the individual and the company. The reputational damage to a startup and founder can be severe, even if the violation was unintentional.

When fundraising, what else is important?

Many startups do not put together adequate disclosure documents that lay out all of the upside and downside of an investment. That is why, at least under the current regulatory landscape, it can be a good idea to only raise money from accredited investors. These investors have earned income exceeding $200,000 ($300,000 with a spouse) in each of the prior two years, with a reasonable expectation of the same for the current year, or a net worth of more than $1 million, excluding the value of the primary residence.

Remember, fundraising rules are not black and white. The regulations and rules of the road have developed through court cases and on a case-by-case basis with the SEC, so check with your attorney before putting an intermediary between you and potential investors.

Insights Legal Affairs is brought to you by Babst Calland

The impact of a bad contract and how to get out of one

Far too often, companies overlook the allocation of risk and liability within the terms of a contract and instead focus on the economic terms. However, ignoring contract language could end up affecting the profitability and success of an agreement.

“A contract says you’ll pay me 20 cents per widget. On the surface, it looks like I’ll have a 10 percent margin. But in reality, there are hidden costs and considerable liability I’m taking on that will reduce my margin and expose me to serious financial risk,” says Patricia A. Gajda, partner, Corporate & Securities, at Brouse McDowell.

Smart Business spoke with Gajda about the importance of reviewing contracts and what, if anything, can be done to get out of a bad one.

What effect can bad terms in a contract have on businesses?

A bad contract is a cost to a business. Getting out of it often requires litigation. Any time a business ends up in litigation or in a lawsuit, it’s going to cost the business a lot of money. Not only is litigation itself an expense, it also diverts a company’s resources and infrastructure away from day-to-day responsibilities, which again adds to its cost.

Companies can get complacent with contracts, signing without reading until a contract becomes a problem. Fortunately, much of the trouble that comes with contracts can be mitigated through preparation prior to execution of the agreement.

How can companies ensure they don’t get surprised by a contract’s terms?

Businesses should look for the clauses that dictate how a contract will be terminated in the event that it's not working out as expected, that is, the protections that exist for each party. For instance, when it's a contract with a new customer, the deal might require an investment in equipment, labor and tools. Those investments come with the expectation that the contract will be seen through for a set period of time. But if the other party, because of the terms, can get out of the contract at any time with 30 days' notice, that investment may never be recouped.

Sometimes a company that's locked into a contract becomes dissatisfied with the work that's being done. It often doesn't rise to the level of a material breach of the terms, but the company might feel as if it could get a better partner. Instead, the company is stuck with work that isn't up to par and, without a termination clause, has no way to get out of the agreement. Unless the contract requires that the other party perform a certain way, for example that the product must conform to the expected design, specifications or sample provided, recourse is limited.

What is the importance of a termination clause?

If a contract is not working out, generally it's not working out for either side, so a company could go to the other party and try to find a way to cancel the contract and come up with a plan to unwind the deal. If that's not possible, then in the absence of contract terms, the only option is a lawsuit, which will likely drag out longer than any contract term. This is why the termination provision is absolutely critical. It should spell out how a contract is terminated, when it can be terminated and the responsibilities of each party in the event that it is terminated.

How can companies take a better approach to contracts?

It's good to have a lawyer who knows the business and its contracting tolerances review contracts with new parties. A lawyer doesn't need to review every contract, but it's a good idea to obtain from a lawyer a list of the clauses that should be scrutinized and a sense of the tolerances for certain deal terms. The upfront cost of clarification and protection saves money on disputes later.

Outside of legal help, take time to read the contract terms. If it contains language that isn’t clear, get clarification until it’s understood. Get rid of ambiguity and make sure everything that should be covered is covered. Once a contract is signed, that’s what governs the agreement until the term is over.

Insights Legal Affairs is brought to you by Brouse McDowell LPA

Non-competes gain popularity, but not always enforceability

Today’s American workforce is more mobile, sometimes switching jobs every few years. As a result, there are more non-competition, non-solicitation and non-disclosure agreements or covenants (commonly referred to as non-competes) being established and enforced than ever.

Once reserved almost exclusively for high-level executives with access to trade secrets, non-competes are commonplace today. Nearly 20 percent of American workers are currently bound by some type of non-compete agreement.

“Not only do these agreements cause uncertainty for an employee who has intentionally or unintentionally been separated from employment, but they also create challenges for those employees’ prospective new employers who typically don’t want to become involved in litigation with the old employer,” says David Cuppage, a principal at McCarthy, Lebit, Crystal & Liffman Co., LPA.

Smart Business spoke with Cuppage about the enforceability of employee non-compete agreements.

What distinguishes an enforceable from an unenforceable non-compete?

Although Ohio courts generally look upon such covenants with skepticism and have cautiously considered and scrutinized them, they can be enforced. A non-compete that imposes unreasonable restrictions upon an employee, however, will be enforced only to the extent necessary to protect an employer’s legitimate business interest. The covenant is reasonable if the restraint is ‘no greater than is required for the protection of the employer, does not impose undue hardship on the employee and is not injurious to the public.’

In non-compete cases, the future effects of the covenant must be considered. Ohio courts generally must determine whether real or long-term damage will result to the employer’s goodwill or to the employer’s future income because of the operation of the competing business. Paramount to enforcement of a non-compete is to prevent ‘unfair competition, not ordinary competition.’

What happens when enforcement of a non-compete prevents ordinary competition?

There are cases in which a former employer, who has no legitimate basis to seek enforcement of a post-employment restrictive covenant, sends cease and desist letters to an employee or to the employee’s current employer.

There are also instances in which a former employer, who has failed to pay an employee the consideration called for in the agreement containing the covenant, sends a cease and desist letter to the employee or the employee’s current employer. In those cases, the questions become, is the employee without rights or remedies? And must the employee simply wait out the time period set forth in the covenant or engage in competition at the risk of being sued? Not necessarily.

There are several situations in which Ohio courts have ruled against non-compete agreements. One example is when an employer has ceased its business activity in a particular field and no longer has a legitimate interest in competing in that field. Another example is when an employer has failed to pay consideration called for in an employment agreement. Other situations may also cause the court to rule in the employee’s favor.

What happens if the court rules that the non-compete is unfair and unenforceable?

In these types of cases, an employee may decide to go on the offense and seek declaratory and injunctive relief from a court to prevent the former employer from enforcing or attempting to enforce a non-compete.

While irreparable harm must be demonstrated by the employee, courts have found that injury to an employee’s reputation, active opposition to an employee’s attempts at finding gainful employment, lost employment opportunities and the need for a severed employee to regain industry stature within a short period of time may constitute irreparable injury.

This could then justify the issuance of a temporary restraining order and/or preliminary injunctive relief that prevents the enforcement or attempted enforcement of an invalid post-employment restrictive covenant.

Insights Legal Affairs is brought to you by McCarthy, Lebit, Crystal & Liffman

‘Borrowing’ from the government? Or ‘theft’ of government funds?

Trust fund taxes are taxes collected and paid by a third party — for example, money withheld from employees by employers to pay state and federal employment taxes or sales taxes collected by retailers.

"Employers and retailers, in these instances, are acting as trustees," says Terry W. Vincent, a partner at Brouse McDowell. "When a company fails to remit those taxes, not only is the company at risk for penalties, the person or persons at the company responsible for making the payments are subject to personal liability because the trustee concept creates liability beyond a partnership or other business arrangement."

Identifying businesses that have neglected to pay taxes has become much easier, largely because of technology, so state and federal governments can quickly identify who hasn’t paid.

“Now, because it’s so easy to determine who hasn’t paid, state and federal representatives will show up to ask a business questions. If the business is evasive, an investigation will be launched to see if the failure is criminal,” says Shelby L. Ranier, an attorney at Brouse McDowell.

Smart Business spoke with Vincent and Ranier about trust fund taxes and how failure to pay affects delinquent companies.

Why might a business fail to remit taxes it has already collected?

A business will usually fail to remit trust fund taxes because it has spent the money on another debt. It withholds the necessary tax amounts but 'borrows' from those withholdings to pay, say, outstanding vendor invoices or other operational expenses, and it snowballs from there.

Failure to remit taxes can happen because a business lacks internal controls, but sometimes it's a result of simple, and often innocent, disorganization.

What are the consequences for failure to remit taxes?

Depending on the amounts and the reasons for nonpayment, there could be criminal penalties and even jail time for the offender, meaning any person directly responsible for making the tax payment. There is a test to determine who that person would be. Typically, if a company representative is authorized to pay, for example someone approved to sign checks on behalf of the business, that person could be held personally liable when the taxes are not remitted.

State penalties for nonpayment differ from federal penalties. Failure to pay federal taxes could result in up to five years in prison. However, federal criminal penalties are typically imposed when something else is done in addition to not paying the taxes — falsifying a statement, for example.

States are quicker to pull the trigger, and their penalties are as high as six months in jail and restitution. Some states are more inclined to pursue these crimes than others.

However, the tax-paying company can enter into a payment plan to pay off unpaid taxes. Some states have voluntary disclosure programs that can garner the offending company either reduced penalties and interest or give a shorter look-back period. But if the state sends the company a notice regarding failure to pay, then the company can no longer participate in voluntary disclosure programs.

Who should business owners turn to if they are challenged by the government for failing to properly remit taxes it has collected?

It’s best to consult with an attorney who has experience dealing with tax authorities. While an accountant or financial adviser can start with a review of the books and records to find where the missteps occurred and how much tax should have been reported, there is no such thing as accountant-client privilege in the criminal context. That’s why it’s best to engage a lawyer first and ask the lawyer to hire the accountant. Called a Kovel arrangement, this extends the attorney-client privilege to cover the relationship with the accountant, who, in this relationship, works for the attorney.

States, on the whole, are getting more aggressive in their pursuit of these taxes — Ohio among them. Pursuit of these failures to remit due taxes is expected to increase as much as 10-fold, a trend that’s already starting to show.

Businesses that are struggling may see trust fund taxes as a quick fix to catch up in other areas. But it tends to snowball quickly, get out of hand and lead to often-devastating consequences.

Insights Legal Affairs is brought to you by Brouse McDowell

Courts are shifting the cybersecurity onus toward companies

In early data breach and cybersecurity litigation, courts took the perspective that cybercriminals were bad-acting third parties and businesses should not be held responsible in negligence for economic losses. That’s changing, however.

“Courts, in general, are looking for ways to turn to companies that are the custodians of the data, versus the individuals who traditionally have borne the uncertain burden of potential future identity theft if their data is stolen,” says Molly Meacham, shareholder at Babst Calland.

Smart Business spoke with Meacham about data breach litigation trends.

What are examples of courts shifting their approaches to data breach litigation?

In Dittman v. UPMC, the Pennsylvania Supreme Court broke new ground, finding that companies have an affirmative duty of care to protect confidential personal data that they have collected. The court viewed the actions of cybercriminals as a foreseeable risk that’s not a shield from liability. The court also did not let UPMC point to the economic loss doctrine, which previously held that if the loss is only financial, it cannot be recovered under a negligence theory.

The Dittman decision drew nationwide attention, because litigants in other states will ask their courts to adopt or reject it.

In addition, courts are looking at data breach damages. Several federal judges have rejected data breach class action settlements, demanding a larger or simpler recovery for the individuals, including higher caps per plaintiff, larger pools of funds and/or easier hurdles toward getting those funds.

Courts have also pushed back against the threshold issue of whether plaintiffs have to show actual damages to participate in a class action, or whether the risk of future damage is sufficient. For example, Jeep owners are pursuing class claims of diminution of value, following a well-publicized white-hat hacking incident. The manufacturer fixed the vulnerability and no vehicles were maliciously hacked, but the suit has been permitted to proceed on the theory that the cybersecurity risk resulted in damages.

How should companies react?

First, evaluate what personal information the company collects — is it from employees, or does it include consumer information? Then, how does the business use and store the data? Who has access? What security measures are in place? Some businesses collect data through their products, e.g., sensors or the Internet of Things. This is somewhat unsettled law, but if a device can access personal information, how is that data collected, transmitted, stored and protected?

Courts tend to look at how the company fits into the industry standard for the size and type of a business, as well as the type of information. Large companies, with the resources to do more, are expected to meet a higher, more sophisticated standard.

The best way to defend against a lawsuit is to show that the company took reasonable steps to stay abreast of technological developments, and that it is in line with its peer companies with regard to cybersecurity and data privacy.

What are other risks to be aware of?

Targeted social engineering — a skillfully spoofed email, call or letter to someone in corporate or finance — is increasing. Beyond providing education about social engineering techniques, executives should examine their insurance policies to see what is covered and what exclusions may apply. The language may exclude coverage when an employee unintentionally (but voluntarily) assisted a criminal in breaching the company’s defenses.

Businesses also need to think about their contracts’ indemnity provisions, and who bears the risk in a cybersecurity incident or data breach. A company needs to accurately project a vendor’s ability to contribute after a breach or line up insurance to bridge the gap. In a cybersecurity incident where both companies are jointly liable, a court may turn to the larger, financially stable company to make up the shortfall if the smaller company is insolvent.

Bottom line, knowledge is critical. Do executives understand the exposure? Is the business keeping up with industry standards and documenting its risk management to show compliance with its duty of reasonable care? Are executives reading their contracts and insurance policies? The choices businesses make today have long-term impacts, so the sooner a company addresses these issues, the better.

Insights Legal Affairs is brought to you by Babst Calland

How scammers use phishing attacks to steal, exploit company data

Many people spend most of their day in front of a computer or looking at their smartphones, accessing personal or business email. Scammers exploit this through phishing attacks — emails the recipient believes comes from a valid/trusted source that asks them to open a link or an attachment, or go to a website and enter personal information.

“In every case, the scammers prey on people’s good nature, their fears, or anything that will cause them to essentially grab the apple that scammers are dangling in front of them,” says Robert R. Kracht, a principal at McCarthy, Lebit, Crystal & Liffman Co., LPA.

Smart Business spoke with Kracht about phishing attacks — how they’re perpetrated, what legal recourse companies have to recoup damages and how to mitigate their success.

What is a phishing attack?

Phishing attacks tend to fall within three categories, ranging from low-sophistication scams to very sophisticated ones.

In one approach, a spoof email — one that looks legit but is fraudulent — is sent with the intent of getting the recipient to go to a website and enter personal data that the scammer can then use to gain access to other personal or business accounts.

In a second approach, a scammer sends someone a check and asks them to deposit it into their personal or business account. The recipient is told to take a transaction fee for themselves and then wire the balance of the funds to the scammer.

The check, however valid-looking, is worthless. The scammer is hoping that the recipient will deposit the check and remit the balance via wire to the scammer without waiting for the check to clear their bank.

In another approach, scammers enter into a person’s home or company network by getting the recipient to open an email attachment. Once in, scammers can search and obtain personal and financial data that they can then sell or use to withdraw funds or buy goods or services.

How can organizations recover losses incurred from a successful attack?

Attacks are commonly perpetrated by persons outside of the United States, where their identities and location are difficult or impossible to trace. Even if the transaction can be traced back to the source, if the theft was accomplished by wiring funds to banks outside the U.S., the scammers can avoid any clawback attempts by initiating further wire transfers to multiple banks in other countries.

Speed in detection and quick notification of the FBI may be the best means of tracing back to the source.

When a wire transfer between two companies is initiated because of a phishing attack, are there legal damages that either company can pursue against one another?

Yes. If a phishing attack causes damages in connection with a transaction between two or more companies, the party or parties that sustain losses as a result of that event can seek recourse from any source available.

That can include other parties to the transaction, their own business insurance policies, any outside network consultants that installed or maintain the company network, and, of course, the scammer(s). In Ohio, the party that is in the better position to prevent the loss will bear the loss.

In the matters that I have been involved in, I am not aware that any of the affected companies placed blame on any officer or employee of the company. In the end, the employees are just victims of very elaborate schemes that are designed to deceive.

How can an organization insulate itself against successful phishing attacks?

Educate all employees so that they know how to recognize a phishing attempt. Limit the number of people who can authorize transactions via company credit cards, or who can authorize the issuance of payments by wire. Also, require confirmation other than internal emails that the person who requested a wire transfer made the request.

Consider the retention of cybersecurity companies that will install software to monitor networks for cybersecurity threats. Companies also should review their existing commercial insurance to see if they have cybersecurity coverage, which could help them recover some or all of the damages incurred if they’re the victim of a breach.

Insights Legal Affairs is brought to you by McCarthy, Lebit, Crystal & Liffman

What to look for in a cybersecurity insurance policy

Generally, cybersecurity insurance mitigates the consequences and liabilities incurred due to a data breach or hacking that makes the policyholder’s computer system unavailable in some way, and sometimes it covers other ways computers are used to inflict damages on a person or entity, such as phishing scams. However, there is no industry-standard policy.

“The market is so varied with many entrants and so little formalization that it’s near-impossible to point to one thing and say, ‘That’s what cybersecurity insurance covers,’” says Lucas M. Blower, a partner in the Insurance Recovery Practice Group at Brouse McDowell, LPA.

Smart Business spoke with Blower about how to ensure cybersecurity insurance coverage protects an organization from critical cyber risks.

What should organizations understand about cybersecurity insurance coverage?

Buying a cybersecurity insurance policy not only helps on the back end in terms of paying for recovery from a data breach, but also on the front end because it helps the policy-holding organization become self-conscious about the procedures it needs to implement in order to avoid the problems from the outset. As organizations increasingly buy cybersecurity insurance, it’s having an overall positive effect because, as part of buying cyber insurance, organizations tend to tighten up their data handling protocols.

Certainly, the best way for organizations to protect themselves is to not have a data breach in the first place. However, sometimes insurance companies will, if an organization is being blasé about its data security, try to use that failure as the basis to deny a claim.

How or where do the obligations of an organization to protect itself against cyberattacks overlap with cybersecurity insurance coverage?

Insurance companies have not had a lot of opportunities to interpret some of the conditions and exclusions in their cybersecurity policies. So, for example, some policies will take away some of the coverage policy owners believe they’re purchasing through exclusions for failure to maintain cybersecurity procedures that were disclosed as part of the application process. Insurance companies have tried to use that failure to deny coverage where human error resulted in a data breach. That’s typically a big shock to the policyholder because the reason insurance is purchased is because sometimes protocols fail, usually because of human error.

Organizations need to scrutinize cybersecurity insurance policies for those lurking exclusions that the insurance companies will try to use to nullify the coverage. That can be difficult because there is no uniformity in the available products, so it’s a challenge for organizations to compare and contrast their options and ensure they’re covered for what they believe a cybersecurity policy should cover. In any event, though, effective coverage counsel can assist in pushing back against insurers who try to avoid their obligations based on opaque exclusions in their policies.

How can organizations determine the best cybersecurity insurance policy for their needs?

A cornerstone component organizations should look for in any cybersecurity policy is coverage for the cost to defend lawsuits that result from a data breach. The policy should also cover the cost of monitoring the credit of those affected after a data breach, as well as the costs of responding to the data breach, such as retrieving the data and plugging holes. If those elements are not a part of a policy, don’t buy it.

Organizations should consult a professional when buying cybersecurity insurance. Have them diagnose and explain how each policy available in the market differs. It’s not like buying commercial general liability policies, which are pretty uniform in their coverages. Organizations should get an independent eye to review those policies, whether it’s an in-house risk professional, a trusted broker, or outside insurance coverage legal counsel.

With cybersecurity policies, make no assumptions. Courts, when hearing a challenge to a policy provision, will expect that the company has read the policy — ignorance and assumptions will not be an acceptable defense.

Insights Legal Affairs is brought to you by Brouse McDowell, LPA