Category Archives: Middle Market Business

Middle Market Business, Network Security, Risk Management

FBI Warns “Here you have” Worm Hits Agencies and Businesses

Here is an FBI warning that was sent out yesterday to all FBI agents and FBI Infragard members.  It is worth repeating verbatim.

From: HQ INFORMATION TECHNOLOGY BRANCH
Sent: Sat Sep 11 22:08:33 2010
Subject: Computer Security Alert

A new Computer “worm” attacked several federal agencies and Fortune 500 companies yesterday.  The malicious email messages contain the subject line “Here you have” or “Just For You” and contain a link to a seemingly legitimate PDF file. If users click on this link, they will be redirected to a malicious website that will prompt them to download and install a screensaver (.scr) file. If they agree to install this file, they will become infected with an email worm that will continue to propagate through their email contacts.

Even though we are protected, sometimes the adversaries change the email to look a little different so they can get past defenses.  The Bureau is asking all users to carefully watch your emails here at work and on your home machine.  To reduce the risk of compromising your FBI workstation, be alert for unsolicited e-mail messages and keep in mind the following traits common to malicious e-mail messages:

  • Subject matter related to recipient’s work, possibly containing actual U.S. Government information
  • A sense of urgency to convince the recipient to open an attachment or click a link within the message
  • Convincing content such as upcoming meeting agendas, reports, information on current events or policy issues
  • Seemingly-legitimate sender (government and commercial addresses, including @fbi.gov) using legitimate signature and contact information
  • Receiving an email with just a link
  • An attachment (typically a .pdf or .zip file) or link

Thank you for your assistance and vigilance in protecting the FBI’s networks.

Enterprise Security Operations Center (ESOC)

JEH-HQ

Law Firm, Middle Market Business

Location, Firm Size Key to Legal Billing Rates

Released on September 1, 2010, CT TyMetrix’s Real Rate Report, which is based on empirical data “gathered from $4.1 billion in invoicing generated by over 3,500 law firm and 90,000 individual billers over three years (2007-2009),” provides unique insight on the billing practices of law firms around the country.   This report demonstrates  that it may not necessarily be the skills set or experience of an attorney that drives his or her billable rate.  Given that the 92-page report costs $4,500, a cost-effective way to learn what’s in the report is to review the September issue of The American Lawyer

As detailed in the article, “legal bills increased at rates that exceeded inflation, in-house lawyers who spent more at a particular law firm were not getting any discounts, and partner status added nearly $100 on average to a lawyer’s rate regardless of experience.”  What was even more interesting was the report’s finding that 85% of lawyers charge clients different rates for the same work and the “location of the biller and the size of the biller’s firm – not the biller’s experience – are the variables that most influence how much a client will pay.” 

Although geographic location obviously impacts law firm and employee living expenses, clients may perceive no real justification for paying more qualified lawyers in mid-sized suburban firms less pay simply because of their firm size and location.   It also does not appear to make sense to charge $100 more an hour simply because of a change in ownership rights.   What if the associate was made partner largely on the basis of being a great rainmaker?   How does that justify being a higher-priced M&A lawyer?

When it comes to the business of law, if law firms are going to continue to tie their collective hitches to the billable hour, they need to do a better job of meshing their actual expenses with their hourly fees and communicating their results to clients.   If there is an expense associated with tapping into a large New York City law firm, i.e., higher rents, increased costs of hiring, etc., firms need to communicate those additional costs.   Although doing that might make it more difficult to later reduce fees by 30% when in-house counsel balks on a given bill, it will end up leading to more consistency and a better relationship with those who actually pay the bills. 

By blanketly adding additional dollars to a billable rate without spelling out exactly why the rates are at that level, law firms are missing a great marketing opportunity.    The more successful manufacturers routinely lay bare their component expenses in order to close large orders.   In other words, widgets should be no different from legal briefs when it comes to transparency of expense.    

Here are some other interesting findings from the report (as listed in the American Lawyer article):

Financial Reporting, Law Firm, Litigation Management, Middle Market Business, Risk Management

NJ Appellate Division Rules Shareholders Can Inspect Board Minutes

An August 17, 2010 New Jersey decision may be negative for businesses in New Jersey despite what on the surface is  a win for a large corporation.   In Cain v. Merck & Co., Inc., the New Jersey Appellate Division addressed whether the New Jersey Business Corporation Act entitles shareholders to inspect the minutes of the board of directors and the minutes of executive committees, and if so, the breadth of that right of inspection.  According to the court, resolution of these questions:  centers on the proper construction of N.J.S.A. 14A:5-28(4) of the Act. In pertinent part, that statute allows shareholders, upon proof of a “proper purpose,” to examine “the books and records of account, minutes, and record of shareholders of a corporation.” N.J.S.A. 14A:5-28(4).

In what appears to be a case of first impression in New Jersey, the Appellate Division concluded that the qualified right of inspection under the statute extends to the minutes of the board of directors and the executive committee – and not just to the minutes of the shareholder meeting.   The court, however, limited this right of inspection to only those portions of the board minutes that address their “proper purpose.”  In other words, shareholders are “not entitled to examine the minutes in order to explore unsubstantiated allegations of general mismanagement.”

It is not clear whether Merck will appeal given that it, in effect, won its alternative argument, namely that the review should be limited to discussions related to a study conducted by Merck rather than a broader review that on its face does not have such a  “proper purpose.”  According to a Merck spokesman, “we’re evaluating our next steps.” 

If left as binding authority, this decision may have huge ramifications for large and public businesses in New Jersey.   As it stands, the decision extends the reach of the statute – which appears on its face to be limited to shareholder meetings – to the much more deliberative board meetings of a corporation.  It gives litigants a new tool and may cause directors to be more restrained when providing advice given their decision-making process may now be opened up to a much greater extent.  Moreover, this obviously potentially increases the liability of directors and officers so there may be a potential increase in claims – with a resulting increase in D&O insurance premiums.   Although the lower court did recognize that the minutes should be redacted for privileged material, now that the door is open, future judges will have free reign to decide what is deemed “a proper purpose” or privileged material.   In other words, there is no guarantee a future judge won’t allow the fishing expedition rejected by the Appellate Division in this case.

Middle Market Business, Network Security, Privacy, Risk Management

Network World: Do You Need Network Security and Privacy Insurance?

Two recent articles have come up with differing viewpoints regarding the merits of buying network security and privacy (NSAP) insurance.  On the one hand, an article in Network World has taken the position that it is almost foolish not to have NSAP insurance given the potential damages, increasing threats and the inability to safeguard against all such threats.  The author reasons:  “Just because you have fire extinguishers and sprinklers in your business doesn’t mean you don’t also buy fire insurance – the potential risk is too high. It’s time many companies considered security insurance too.”

An article in the Monitor titled College Officials Wary of ‘Cyber Insurance’ for Private Data suggests that purchasing NSAP insurance should actually be avoided given it does nothing to solve the ultimate problem, namely safeguarding  data.    Specifically, representatives from the University of Texas-Pan American and South Texas College said they were confident in their information security systems and saw little value in NSAP policies — despite the fact “higher education institutions across the nation have purchased [NSAP insurance] to offset large expenses following a data breach.”  According to Bob Lim, UTPA vice president of information technology, “Rather than spending money at the back end, use your resources to prevent (risk).  There’s better use in working to fight intrusion than being scared of it.”

The thrust of UTPA’s argument runs something like this: 

We need to adequately protect sensitive data in order to safeguard our reputation.  If we sustain a breach, there is something greater at stake than just the cost of the breach – it’s the hit to our reputation, which is very difficult to monetize.  Accordingly, we are better served by spending our resources and money on prevention rather than on the backend for a solution that may not even properly cover us. 

Ironically, this is the very same argument that large financial institutions made years ago when they opted not to buy NSAP insurance.  They believed that their reputations were sacrosanct so they needed to avoid a breach at all costs – buying the insurance was evidence a breach was even possible.  If you asked around today, most of these institutions currently have NSAP insurance – with towers that well exceed $100 million.   Why the change in position?

There are three factors that caused large financial institutions to change their collective tunes.  First, because so many organizations have been hit with very public breaches, the reputational hit became less and less of a reputational concern.  After all, if everyone is being hit, the “before” is not as important as the “after”, i.e., how you treat your customers post-breach.  And, that is the second reason why the insurance option became more attractive.  NSAP insurance quickly funds and allocates resources after a breach.  Sort of like an experienced swat team entering the picture.   Financial institutions started to realize the benefits in having risk professionals assist in the post-breach aftermath.  Finally, the IT departments began to realize insurance was not an indictment on their capabilities but actually a way to fund the costs of a breach without touching their own IT budgets.  In other words, rather than being opponents of the coverage, CTOs and CIOs became champions of it when they saw the direct benefits in obtaining the coverage.  

All of this begs the question.  Are financial insitutions smarter or are the folks from UTPA?  When does NSAP insurance begin to make sense?   As with most questions related to the purchase of insurance, it depends on your risk appetite, exposures, controls, and ability to financially withstand an incident.   Taking such factors into consideration, it is clear that the answer will vary widely.  It is suggested that management at least start the process of determining whether NSAP insurance makes – especially since the options are getting better by the day.   Who knows.  Maybe UTPA will ultimately change its position as more and more breaches of colleges and universities are reported.

Electronic Health Records, Middle Market Business, Network Security, Privacy, Risk Management

Hospital Data Continues to be at Serious Risk with Third-Party Vendors

According to the 2010 HIMSS Analytics Report: Security of Patient Data, even though providers continue to update their security infrastructure, patient data remains at serious risk.  And, despite new statutory requirements for healthcare privacy and security, these critical gaps remain.  The study’s conclusion is not that surprising given new healthcare breaches are being reported on a daily basis.

One improvement that can be immediately implemented with little cost outlay is the initiation of a vendor risk management program.  Recent changes to how HHS views business associates and new data security laws in states such as Massachusetts  actually now make it imperative that hospitals affirmatively manage the risks inherent in having third-party companies handle sensitive data.  There are certainly enough incidents to justify the attention.  For example, a company hired by South Shore Hospital to dispose of patient records simply outsourced the work to a second company.  It was this second company – a company that did not directly contract with the hospital – that lost 800,000 patients’ files.

Lost or stolen laptops used by the contractors of business associates litter the data breach landscape.  Incidents such as the one that impacted New Mexico’s Medicaid Salud! Plan is fairly common.  The Plan members were hit with a breach not arising out of the direct negligence of DentaQuest, a company that processes claims and provides dental benefits for the Plan; but instead, from the negligence of an employee of West Monroe Partners – a company hired by DentaQuest.  A West Monroe employee had an unencrypted laptop with protected information in the trunk of a car when the vehicle was stolen.  Although it may not always be convenient, most employees should know by now not to leave a laptop in a car – especially if it is unencrypted.  It’s not easy, however, for a hospital to enforce a policy on a company it does not even know exists.

There are two basic risk management suggestions to be gleaned from these incidents.   Not only should the obvious indemnifications be negotiated in all business associate agreements, hospitals need to require business associates vet  subcontractors to ensure they also have proper security controls in place.   In fact, this is actually dictated by the recent statutory changes referenced above.  And, if a hospital purchases insurance to cover the costs of a breach, it should confirm that the insuring agreement broadly covers third-party incidents.  Given that network security and privacy insurance remains a nascent market – albeit one that is now rapidly growing – not all insurance contracts are the same when it comes to how far the third-party coverage net reaches.   NSAP insurance should also be included in every insurance clause requirement – with a provision requiring that subcontractors also procure the necessary minimum coverages.

Hospitals should never forget that their data security is only as strong as their weakest link – which given cost-cutting measures undertaken by business associates may sometimes be an unknown company with weak security controls.

IT Consultants, Middle Market Business, Risk Management, Small Business

Tech Vendors Need Strong Hybrid Mix of Legal and Risk Management Counsel to Avoid Fraud Lawsuits

A growing list of technolgy vendor settlements should be a wake up call to tech vendors both large and small.   For example, last month, HP resolved a legacy EDP lawsuit to the tune of $460 million.  The facts of the case are not very complicated.  A decade ago, British firm BSkyB retained EDS to provide a CRM system for BSkyB’s help centers.  Two years later the contract was terminated and BSkyB completed the job using its own IT staff.  It also filed an action against EDS for misrepresention regarding its capabilities.  Although the initial contract included a liability clause that capped damages, the clause was ultimately rendered invalid due to fraud.

This past May, SAP and Waste Management announced the settlement of a lawsuit involving a failed ERM implementation.   Waste Management sued SAP for fraud in March 2008 over an allegedly failed waste and recycling revenue management system.   Waste Management allegedly sustained direct damages of over $100 million.   SAP responded in its original Answer that Waste Management didn’t “timely and accurately define its business requirements” nor provide “sufficient, knowledgeable, decision-empowered users and managers” to work on the project.  Much of Waste Management’s allegations turned on representations made by salespersons who were allegedly only concerned about licensing software that would create larger year-end bonuses.   According to its revised complaint, if a newer version had been used, “the multi-million dollar sales price for the software could not be immediately recognized as revenue under the accounting rules for revenue recognition,” and those salespeople involved in the deal would not receive bonuses.  According to its quarterly earnings filing regarding the reported settlement, Waste Management received “a one-time cash payment” in accordance with the settlement. The terms of the settlement were not disclosed.     

The price of a tech suit goes down steeply after fraud charges are dismissed.  For example, a lawsuit brought by a county government went from $10 million in alleged damages to an eventual settlement of $575,000 given there were only breach of contract claims remaining  after the fraud claims were earlier dismissed from the action.   Another action brought by yet another county government may not go as well for the tech vendor (Deloitte Consulting) given the fraud claims remain front and center throughout the complaint filed on May 28, 2010.

Claims are not only brought against tech vendors for millions of dollars.  Last year, Epicor was sued after a client spent $244,656.42 on an ERP implementation.  Again, the complaint sounded in contract breach but had negligent representation as well as fraud claims.  Here’s a list of similar suits

Moreover, tech vendors can include those who sell products such as iPhones rather than license software.   Earlier this month, Apple was hit with numerous suits seeking damages arising from the fact the latest iPhone has significant reception issues depending on how the phone is held.  Specifically, one suit accuses Apple of “general negligence, breach of warranty, deceptive trade practices, intentional misrepresentation, negligent misrepresentation, and fraud by concealment.”

For over twenty-five years, courts have allowed fraud claims to mingle with the negligence and breach of contract claims typically brought against technology vendors.  It is so much easier to prove (as was done in the EDP suit) that someone lied when contracting as opposed to showing how a contracted for systems implementation was not technically performing as promised.  Moreover, if fraud is proven, it will not only vitiate the limitation of liability and exclusion of consequential damages found in nearly all tech agreements, punitive damages may also become available.  In other words, a fraud claim is the magic bullet used by most plaintiffs to go around iron-clad contracts and the bar against awarding punitive damages in a contract dispute.

To best combat fraud claims, there are certain things that a tech vendor should do before, during and after a contract is negotiated.  For counsel on that front and for access to related risk management and contracting tools, please reach out.

Electronic Health Records, Middle Market Business, Network Security, Privacy, Risk Management

HHS Issues Proposed New HIPAA Regulations and Breach Portal

Using a lavish press conference as the backdrop, HHS officials announced yesterday proposed changes to the HIPAA regulations as well as an updated web page listing those breaches impacting more than 500 individuals.  The purpose of the new Rules issued yesterday is to align the HIPAA rules with the HITECH Act passed last year.   Specifically, the press announcement states: 

The proposed modifications to the HIPAA Rules issued today include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans.  In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

Under the proposed Rules (which are 234 pages in length), (1) individuals would have more convenient access to their protected health information (PHI) if available in electronic format; (2) covered entities would only need to protect the health information of decedents for 50 years after their death, as opposed to protecting the information in perpetuity as is required by current HIPAA requirements; and (3) the definition of who constitutes a business associate is expanded.

If these proposed rules are adopted, the expanded view of what constitutes a business associate will include the following:

We propose to add language in paragraph (3)(iii) of the definition of “business associate” to provide that subcontractors of a covered entity – i.e., those persons that perform functions for or provide services to a business associate, other than in the capacity as a member of the business associate’s workforce, are also business associates to the extent that they require access to protected health information. We also propose to include a definition of “subcontractor” in §160.103 to make clear that a subcontractor is a person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate. Even though we use the term “subcontractor,” which implies there is a contract in place between the parties, we note that the definition would apply to an agent or other person who acts on behalf of the business associate, even if the business associate has failed to enter into a business associate contract with the person.

During the coming weeks there will be much analysis given to these proposed Rules but when it is all sorted out, it is anticipated that the above-listed three changes will be deemed to be among the more significant.  Giving individuals the ability to access their PHI in a particular electronic format will drive up costs, limiting record keeping to 50 years will reduce costs given current encryption technologies, and expanding the definition of business associates to a vague circular definition will throw a monkey wrench to just about any entity looking to comply with HIPAA.  These proposed Rules are certainly a nice gift to privacy lawyers looking to boost their summer hourly billing.

Copyright Infringement, Intellectual Property, Middle Market Business, Risk Management, Small Business

Exposure to Software Copyright Claims

Claims arising out of internally-used software continue to be a significant retained IT risk factor.  When President Obama picked the Business Software Alliance’s General Counsel Neil MacBride for a senior Justice Department post, it was a clear message that we will see increased software compliance audits – and possible new penalties.  The increasing use of open source software is also leading to unanticipated software copyright exposures. In other words, the reasons continue to mount why users of desktop software should carefully monitor their use of software and maintain careful records of each license.

Financial Reporting, Intellectual Property, Middle Market Business

Business Method Patents Live on Another Day: Bilski Decided by SCOTUS

Today’s Bilski v. Kappos decision rejected having a Federal Circuit test for determining patentable subject matter as a “knock out” test for business methods.  If affirmed, this Machine-or-Transformation Test (if applied as the sole test) would have likely rejected all business method patent applications.  As it stands, the United States is the only country that allows for business method patents.  After today’s United States Supreme Court decision, that remains the case.

In today’s decision, the Court ruled that “business methods” can be patentable if they meet the requirements set forth in longstanding precedent notwithstanding the fact they do not “recite a particular machine or apparatus, nor transform any article into a different state or thing.”  Although the Court ruled that the Machine-or-Transformation Test remains as a helpful tool when resolving patentable subject matter questions, it should not be considered a “knock-out” test.

This is a huge win for financial institutions and software companies with strong patent portfolios — as well as those law firms who help build and protect those portfolios.

Litigation Management, Middle Market Business, Risk Management, Small Business

No Need to Pierce Corporate Veil Under NJ Consumer Fraud Act

A New Jersey Appellate Division panel ruled on June 23, 2010 that principals of a company can be found personally liable under New Jersey’s Consumer Fraud Act (CFA) even without actual knowledge about alleged unlawful practices sufficient to pierce the corporate veil.   As well, the court ruled that there was no need to prove intent before triggering the treble damages regulations under the statute. 

The case involved a poorly constructed landscape project.  The lower court allowed the claims against the landscaping company to go to a jury because, in violation of CFA regulations, there was no written contract and the workers accepted final payment without obtaining permission from the plaintiffs after the construction plans were changed.   The claims against the principals of the defendant company were dismissed because the lower court found they did not directly participate in the project sufficient to pierce the corporate veil.

A jury found in favor of the plaintiffs and trebled damages to $490,000.  The plaintiffs appealed seeking to get the principals to pay the award.  The Appellate Division reversed the lower court’s decision and remanded to determine if the principals had any personal participation in any of the two regulatory violations.  In other words, there was no need to determine if there was culpable conduct sufficient to pierce the corporate veil but there was the need to at least show they participated in the conduct that gave rise to the regulatory violations.

This is a significant decision.  It evaporates by way of the New Jersey CFA the protections normally afforded directors and officers of a company.  The corporate immunity protecting principals of a company is usually only tossed aside for fraudulent conduct that is sufficient to pierce the corporate veil.   By allowing treble damages against principals without any such showing, this decision becomes yet another loud wake-up call for New Jersey private companies as to the benefits of Directors and Officers insurance.