Category Archives: Litigation Management

No Need to Pierce Corporate Veil Under NJ Consumer Fraud Act

A New Jersey Appellate Division panel ruled on June 23, 2010 that principals of a company can be found personally liable under New Jersey’s Consumer Fraud Act (CFA) even without actual knowledge about alleged unlawful practices sufficient to pierce the corporate veil.   As well, the court ruled that there was no need to prove intent before triggering the treble damages regulations under the statute. 

The case involved a poorly constructed landscape project.  The lower court allowed the claims against the landscaping company to go to a jury because, in violation of CFA regulations, there was no written contract and the workers accepted final payment without obtaining permission from the plaintiffs after the construction plans were changed.   The claims against the principals of the defendant company were dismissed because the lower court found they did not directly participate in the project sufficient to pierce the corporate veil.

A jury found in favor of the plaintiffs and trebled damages to $490,000.  The plaintiffs appealed seeking to get the principals to pay the award.  The Appellate Division reversed the lower court’s decision and remanded to determine if the principals had any personal participation in any of the two regulatory violations.  In other words, there was no need to determine if there was culpable conduct sufficient to pierce the corporate veil but there was the need to at least show they participated in the conduct that gave rise to the regulatory violations.

This is a significant decision.  It evaporates by way of the New Jersey CFA the protections normally afforded directors and officers of a company.  The corporate immunity protecting principals of a company is usually only tossed aside for fraudulent conduct that is sufficient to pierce the corporate veil.   By allowing treble damages against principals without any such showing, this decision becomes yet another loud wake-up call for New Jersey private companies as to the benefits of Directors and Officers insurance.

CLT: Law Firms Resort to Suing Their Clients to Collect Fees

According to an article in the Connecticut Law Tribune, during the past several years there has been an uptick in the instances of law firms suing to recover their fees.  O’Connell, Flaherty & Attmore based in Hartford, Connecticcut, has been suing clients since 2008, and the firm “has 29 pending cases seeking about $523,000 in unpaid fees.”   The Hartford office of Bingham McCutchen, “is seeking $764,000 in fees from former client Richard D. Cohen of Capital Properties.”   And, Pepe & Hazard, now part of McElroy, Deutsch, Mulvaney & Carpenter, filed three collections lawsuits in the past two years –  which is one more than it filed in the past ten years.    

As recognized in the article, some of the largest law firms nationwide have been filing collection actions during the past few months, including Debevoise & Plimpton, McDermott Will & Emery, and Williams & Connolly. And, earlier this year, a jury awarded Drinker Biddle & Reath $1.8 million in a fee dispute case.

This agressive collection strategy has been criticized by some.  According to Bill Jawitz, a law firm consultant in Milford, Connecticut, more law firms are asking Jawitz about the strategy of filing lawsuits against clients.  He is quoted in the article as saying he “strongly” advises against it given such suits can lead to bad publicity for a firm and often invites malpractice counterclaims.  As well, he says, “It sucks up time and money to fight these battles.  It’s a sign of bad financial management.” 

Although it is true that law firms have traditionally been hesitant to file a claim against clients for fear of being hit with a counterclaim sounding in malpractice, the article’s author points out that a check of Connecticut court records “revealed no pending malpractice claims filed by clients sued over past-due bills.”   More than likely at least a few such counterclaims exist and the author merely missed them.  On the other hand, plaintiff’s burden in proving a malpractice claim is not slight.   A plaintiff often needs to prove “a case within a case” in order to recover. 

And, getting plaintiff’s counsel to take on a malpractice counterclaim may not be as easy as it once was given the costs involved in battling  a law firm hungry for its fees and seeking to protect its reputation.   In other words, maybe the counterclaims are really not as frequent as they once were.  In any event, professional liability insurers should be pursuaded not to penalize those law firms who fight to recover fees.

It is clear that malpractice insurers currently take notice of fee disputes.  Indeed, a common question found in most any professional liability application is:  “How many suits for collection of fees have been filed by the Applicant Firm during the past 2 years?”  The obvious assumption being that such suits bring with them malpractice claims.  And, whether frivolous or not, such suits must be defended. 

There are strategies that exist which completely obviate the need to file suit against a client.  These strategies apply risk management techniques usually undertaken by manufacturers and not professional service firms.   Moreover, not only would they help on the collection backend, they would help on the front-end when a decision is made to take on the client in the first instance.   As a final added benefit, these strategies will also serve to lower professional liability insurance rates.

NJ Supreme Court Sides with Employee on Email Privacy Case

On March 30, 2010, the New Jersey Supreme Court issued its opinion in Stengart v. LovingCare Agency, Inc., 2010 WL 1189458 (N.J. March 30, 2010).  This hotly anticipated ruling was a clear win for employee privacy rights.  It was also clearly the right decision given the facts.  

In its decision, the Court affirmed the Appellate Court’s ruling that an employer was precluded from accessing  attorney-client privileged email.  The email was deemed protected by way of the attorney-client privilege even though the employee accessed the email during work hours using an employer’s laptop.  The key factor in creating a reasonable expectation of  privacy was the plaintiff’s use of her personal Yahoo! webmail service to send and receive the email.   In other words, although the laptop computer used was employer property, the information remained “employee property” given it was password protected via the Yahoo! website.   Moreover, she never stored the password on the company laptop.   The Appellate Divison and Supreme Court were likely also swayed by the fact the attorney-client privileged email in question were used by the employer’s counsel in a pending litigation involving plaintiff.

The Court went into detail regarding how the employer’s Electronic Communications Policy (which was part of its employee handbook) did not provide notice regarding any lack of privacy in a webmail service.  Specifically, the Court ruled:

It is not clear from that language whether the use of personal, password-protected, web-based e-mail accounts via company equipment is covered. The Policy uses general language to refer to its “media systems and services” but does not define those terms. Elsewhere, the Policy prohibits certain uses of “the e-mail system,” which appears to be a reference to company e-mail accounts. The Policy does not address personal accounts at all. In other words, employees do not have express notice that messages sent or received on a personal, web-based e-mail account are subject to monitoring if company equipment is used to access the account.

 The Policy also does not warn employees that the contents of such e-mails are stored on a hard drive and can be forensically retrieved and read by Loving Care.

 The Policy goes on to declare that e-mails “are not to be considered private or personal to any individual employee.” In the very next point, the Policy acknowledges that “[o]ccasional personal use [of e-mail] is permitted.” As written, the Policy creates ambiguity about whether personal e-mail use is company or private property.

Id. at 13 – 14.

A more carefully crafted employee manual would have not likely led to a different result.  It appears as if the Court  provides a roadmap for employers but one in which attorney client communications would always remain sacrosanct.   For example, although many employee manuals already outright preclude employees from accessing webmail via company computers, such a blanket prohibition would likely not be enough going forward given this ruling.  See Id. at 28 – 29 (“[E]mployers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy.  Because of the important public policy concerns underlying the attorney – client privilege, even a more clearly written company manual  – that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee’s attorney client communications, if accessed on a personal, password protected e-mail account using the company’s computer system – would not be enforceable.”).

It appears as if the correct approach for employers looking to access certain employee email exchanged via a webmail service is to  provide even more specific guidance regarding what may or may not be done by the employee.   For example, it may help to provide an explicit warning that all email exchanged via a webmail service is subject to the general email policy of the firm.  Banning pornography and “hate speech” email would clearly not be a problem under this ruling.  When it comes to attorney-client material, a warning regarding the insecure nature of such  communication may be warranted as well as a reminder that non-business communications are deemed inappropriate and can possibly lead to termination.  Nothing in the ruling would preclude using non-business activity against an employee.  As well, transmitting proprietary company material with insecure, un-archived, and non-sanctioned forms of communication such as webmail services would likely still be considered against corporate policy under this ruling.  Finally, when drafting a policy, it should be made clear that the company cannot and will not guarantee the confidentiality of any communications made using a webmail service. 

Given many employees blur personal and company time, it is often the case that employees are checking their personal email on company time.  Indeed, the advent of webmail services from Yahoo!, Google, Microsoft and others makes it an almost a trivial task to check personal email on company PCs, laptops, and smart phones.  Given the Stengart decision, New Jersey employers should evaluate their current procedures regarding use of webmail services with an understanding that attorney-client email may be strictly off limits to corporate eyes.

New Ponemon Survey Shows 77% of UK Firms Sustained a Data Breach

As reported in Information Week, “[s]eventy-seven percent of C-level executives in a 115-person survey conducted in the U.K. say their organization has experienced a data breach at some point and all of them report attacks targeting corporate data in the past 12 months.”   This Ponemon Institute survey was sponsored by IBM. 

Interestingly, 75% of the survey’s respondents viewed the CIO as being responsible for data protection while 82% of respondents would not fire the CIO if he or she failed to stop a data breach.  This is a not so subtle recognition that companies are unable to completely avoid a cyber attack so firing for an inevitable outcome would be unfair.  This mature perspective provides yet another reason to evaluate network security and privacy insurance.

New MA Data Protection Law Impacts Companies Around the Country

As of March 1, 2010, any company, organization, association or entity that has any sensitive personal information of a Massachusetts resident must now comply with a new law – Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17.00).  This new law impacts an entity even if it is not located in or even does business in Massachusetts – all that is necessary to trigger a compliance obligation is that the firm maintains personal information on Massachusetts residents, including information on any customers and employees.  

Taking a page from the FTC’s Red Flags regulations, the new law requires that companies implement a written security plan to protect protected personal information.  An employee needs to oversee this security program, it must be regularly monitored, and the efficiency of the program needs to be reviewed at least annually or at any time when there’s a major change in a company’s business practices. 

Going further than the FTC and not wanting to disappoint given its name, Massachusetts has actually set forth specific data security standards in its new law.  For example, all records containing personal data that are transmitted wirelessly or sent via public networks need to be encrypted.  As well, sensitive personal data stored on laptops and other portable devices also must be encrypted. Companies will need to restrict access to records and files that contain personal information to only those employees who need such information to do their jobs.

Third party vendors who contract with businesses after March 1, 2010 are subject to the new law and also need to comply.  Those companies who contracted prior to March 1, 2010 are given two additional years to comply.  It remains to be seen whether other states will follow suit with Massachusetts but given the reach of the statute, it may not even matter.   Between the FTC and MA, good common sense may dictate that your firm implement a written ID theft prevention program sooner rather than later.

Xinhua: China Cyber Attacks Against Google Pure Fabrication

In its sharpest defense to date, the Chinese Government – by way of its state-controlled media outlet, Zinhua News Agency – argues that it does not make sense to blame the recent corporate hacking incidents on the Chinese Government.   According to the February 24, 2010 People’s Daily article,  “China’s attitude toward cyber attacks has been unequivocal and has adopted laws against such crimes, as China is one of the countries that bear the brunt of cyber attacks. It is way far-fetched to say that cyber attacks — even if they were to originate from China or were to be carried out by Chinese citizens — would have the support of the Chinese government.”  The authors point out the IP addresses are not necessarily accurate for determining the initial location of a hacking incident given those traced computers can be hijacked from elsewhere.  The article closes by saying:  “Cyber crimes could cause immense losses for individuals, enterprises and nation-states. Effective supervision and closer international cooperation are ways to boost cyber security.  Finger pointing is not.”    Although it remains to be seen whether the Chinese Government was behind this latest round of corporate exploits, keeping an open perpective is never a bad idea.

FTC Points Out P2P Risk

In a February 22, 2010 press release, the Federal Trade Commission states that it notified “almost 100 organizations that personal information, including sensitive data about customers and/or employees, has been shared from the organizations’ computer networks and is available on peer-to-peer (P2P) file-sharing networks to any users of those networks, who could use it to commit identity theft or fraud.” 

The agency also released new educational materials that recommend ways to manage P2P risk.  Interestingly, the FTC does not suggest that all P2P file sharing software be banned from a business.  The recommendation is to evaluate what sensitive data is being used compared with the benefits of using such software.  This recommendation fails to appreciate the fact that all P2P software used for a business purpose can likely be replaced with secure search software that does not require opening up your folders to strangers.  Moreover, there is no general business purpose for using LimeWire or similar software given such tools are focused primarily on locating free music and video files.   In fact, that is why some universities have banned the use of P2P file sharing software for years now.  The reasonable assumption is that if music and video does not fit within a scholastic environment, it does not in a business environment.

Several years ago, Information Week did an excellent expose of the P2P risk faced by many businesses.  This was a wake up call that was obviously not heeded given the FTC release.  In a similar vein, security specialists were warning years ago that there were hundreds of thousands of websites infected with SQL injection exploits.  To this day, SQL injection exploits remain one of the most popular tools for hackers to gain database access.   Unfortunately, given the “fix” for such an exploit requires some basic coding, it is beyond the expertise or concern of most businesses and individuals.

OCR Website Posts List of Breaches As Required Under HITECH Act

On February 22, 2010, as required by section 13402(e)(4) of the HITECH Act, the Office of Civil Rights (OCR) website posted a list of the covered entities that have reported breaches of unsecured protected health information affecting more than 500 individuals.  By posting this information on the OCR website, OCR has met its HITECH Act obligation, which required Health and Human Services (HHS) make this information public by posting it on an HHS website.    The 36 impacted organizations are located around the country and run the gamut from the very small to one of the largest health plans in the country.

Although the majority of the breaches posted involved lost media and laptops, there were instances involving paper records, including several instances of mailings that included protected information.    As well, there were a number of instances of hacking with a few involving compromises of business associates. 

It remains to be seen whether this public display will shame companies into not losing laptops or being the victim of a theft.  What is clear, however, is that having your name listed on a public site will open you up to more potential litigation expense.

Is the Bar Against Non-Lawyer Equity Owners Outdated?

Under Model Rule of Professional Conduct 5.4, “[a] lawyer or law firm shall not share legal fees with a nonlawyer” except under very limited circumstances.  Accordingly, it has long been the rule that only lawyers could manage or have an ownership interest in a law firm.   That is why, for example, no law firm (at least none in this country) has ever gone public.  Ostensibly, this rule prevents direct conflicts of interest in that shareholder interests are never allowed to trump client loyalty.  This rule mimics the rule that bars the corporate practice of medicine.  On the other hand, accounting firms generally only need a majority of their owners to be licensed CPAs.

If non-lawyers held an equity interest in a law firm, the Appearance of Impropriety Rulewould also apply whenever a law firm’s interests appeared to benefit equity owners’ interests over that of a client.  For example, a very conservative defense strategy might prolong a lawsuit and give the appearance that the strategy was enriching shareholders to the detriment of a client.  Aggressive collection strategies might also appear to create a direct conflict between shareholders and delinquent clients.  Although N.J. R. 1.7:210 is focused on barring dual representations, e.g., representing both sides in litigation, it can easily be envisioned that this rule might also apply to bar representations when outside shareholder interests were in direct conflict with a client. 

Are these ethical prohibitions fair or sound? 

Other than via the traditional “bill, manage, or produce” buckets, lawyers have few options when it comes to generating significant wealth.  For example, the potential upside for a successful litigation billed on an hourly basis is only the promise of future business.  Unlike their clients or even their investment banker peers, lawyers are not issued stock options, cannot invest in deals, and never reap the rewards of a seven figure annual bonus based on the upside of a corporate transaction.  This leads to an obvious disadvantage when it comes to law firms competing with hedge funds, investment banks, consulting firms, or high-growth companies.  It is clearly unfair that law firms experiencing double-digit growth are unable to reward those who contribute to such growth with some equity interest that can be sold to non-lawyers.  As for the soundness of such ethical prohibitions, they primarily make sense if one adopts a paternalistic approach – one that  assumes lawyers will not recognize the right ethical course of action unless given a blueprint.  Otherwise, the prohibition makes little sense.

In addition to questions regarding the soundness or fairness of this ethical framework, a bar against law firm shareholders puts US law firms at a disadvantage with global law firms who do have non-lawyer shareholders.  An article in the Wisconsin Law Review argues exactly that point:  “The very fact that outside equity is now available to lawyers in other jurisdictions, especially the United Kingdom, could create an influx of external competitive pressures on the American legal-services industry.”  It remains to be seen whether global competition from law firms who have non-lawyer equity owners will ever be sufficiently strong to warrant removal of the ethical bar.  More to the point, given the public’s general distrust of lawyers, it is doubtful these ethical barriers will be removed anytime soon.   The most we can hope for is improved creativity when it comes to billing and an increase in hybrid law firm practices.

Data Breach Expenses and BCBS of TN

According to a news report, BlueCross BlueShield of Tennessee admitted on January 25th that it has spent more than $7 million to address an October theft of 57 computer hard drives.   The company said that it may have to spend millions more to assess what was on the missing computer records and to provide identity protection for affected customers.   According to its website, the company has notified 220,000 BCBS customers in Tennessee and other states where persons covered by BCBS of TN plans may work.  Further, determining what was on the stolen hard drives as required by the HITECH Act and state notification requirements has required the hiring of more than 700 contract and BlueCross workers.

If we are to accept the Ponemon Institute’s most recent Cost of Breach report, this breach will ultimately cost BCBS of TN over $44 million.   Given that 67% of the $204 per record cost consists of lost customers and other indirect costs, it looks like BCBS of TN has another $7.8 million to go on its notification, credit monitoring, forensics and other direct expenses.

This breach is a stark reminder that even though the lawsuits are being won by breach defendants, costs incurred prior to the first lawsuit can be very significant.  Having a post-breach gameplan in place to address these costs has certainly become absolutely crucial during the past few years.   After all, nothing hurts a bottom line as quickly as a significant unfunded expense.

Update:  March 14, 2012
BCBS of TN agrees to pay HHS $1.5 million under the HITECH Act’s breach notification settlement.  When coupled with the $17 million in first-party expenses already paid, this incident remains a stark reminder as to the benefits of a network security and privacy insurance policy.