Category Archives: Middle Market Business

Middle Market Business, Network Security, Privacy, Risk Management

Network World: Do You Need Network Security and Privacy Insurance?

Two recent articles have come up with differing viewpoints regarding the merits of buying network security and privacy (NSAP) insurance.  On the one hand, an article in Network World has taken the position that it is almost foolish not to have NSAP insurance given the potential damages, increasing threats and the inability to safeguard against all such threats.  The author reasons:  “Just because you have fire extinguishers and sprinklers in your business doesn’t mean you don’t also buy fire insurance – the potential risk is too high. It’s time many companies considered security insurance too.”

An article in the Monitor titled College Officials Wary of ‘Cyber Insurance’ for Private Data suggests that purchasing NSAP insurance should actually be avoided given it does nothing to solve the ultimate problem, namely safeguarding  data.    Specifically, representatives from the University of Texas-Pan American and South Texas College said they were confident in their information security systems and saw little value in NSAP policies — despite the fact “higher education institutions across the nation have purchased [NSAP insurance] to offset large expenses following a data breach.”  According to Bob Lim, UTPA vice president of information technology, “Rather than spending money at the back end, use your resources to prevent (risk).  There’s better use in working to fight intrusion than being scared of it.”

The thrust of UTPA’s argument runs something like this: 

We need to adequately protect sensitive data in order to safeguard our reputation.  If we sustain a breach, there is something greater at stake than just the cost of the breach – it’s the hit to our reputation, which is very difficult to monetize.  Accordingly, we are better served by spending our resources and money on prevention rather than on the backend for a solution that may not even properly cover us. 

Ironically, this is the very same argument that large financial institutions made years ago when they opted not to buy NSAP insurance.  They believed that their reputations were sacrosanct so they needed to avoid a breach at all costs – buying the insurance was evidence a breach was even possible.  If you asked around today, most of these institutions currently have NSAP insurance – with towers that well exceed $100 million.   Why the change in position?

There are three factors that caused large financial institutions to change their collective tunes.  First, because so many organizations have been hit with very public breaches, the reputational hit became less and less of a reputational concern.  After all, if everyone is being hit, the “before” is not as important as the “after”, i.e., how you treat your customers post-breach.  And, that is the second reason why the insurance option became more attractive.  NSAP insurance quickly funds and allocates resources after a breach.  Sort of like an experienced swat team entering the picture.   Financial institutions started to realize the benefits in having risk professionals assist in the post-breach aftermath.  Finally, the IT departments began to realize insurance was not an indictment on their capabilities but actually a way to fund the costs of a breach without touching their own IT budgets.  In other words, rather than being opponents of the coverage, CTOs and CIOs became champions of it when they saw the direct benefits in obtaining the coverage.  

All of this begs the question.  Are financial insitutions smarter or are the folks from UTPA?  When does NSAP insurance begin to make sense?   As with most questions related to the purchase of insurance, it depends on your risk appetite, exposures, controls, and ability to financially withstand an incident.   Taking such factors into consideration, it is clear that the answer will vary widely.  It is suggested that management at least start the process of determining whether NSAP insurance makes – especially since the options are getting better by the day.   Who knows.  Maybe UTPA will ultimately change its position as more and more breaches of colleges and universities are reported.

Electronic Health Records, Middle Market Business, Network Security, Privacy, Risk Management

Hospital Data Continues to be at Serious Risk with Third-Party Vendors

According to the 2010 HIMSS Analytics Report: Security of Patient Data, even though providers continue to update their security infrastructure, patient data remains at serious risk.  And, despite new statutory requirements for healthcare privacy and security, these critical gaps remain.  The study’s conclusion is not that surprising given new healthcare breaches are being reported on a daily basis.

One improvement that can be immediately implemented with little cost outlay is the initiation of a vendor risk management program.  Recent changes to how HHS views business associates and new data security laws in states such as Massachusetts  actually now make it imperative that hospitals affirmatively manage the risks inherent in having third-party companies handle sensitive data.  There are certainly enough incidents to justify the attention.  For example, a company hired by South Shore Hospital to dispose of patient records simply outsourced the work to a second company.  It was this second company – a company that did not directly contract with the hospital – that lost 800,000 patients’ files.

Lost or stolen laptops used by the contractors of business associates litter the data breach landscape.  Incidents such as the one that impacted New Mexico’s Medicaid Salud! Plan is fairly common.  The Plan members were hit with a breach not arising out of the direct negligence of DentaQuest, a company that processes claims and provides dental benefits for the Plan; but instead, from the negligence of an employee of West Monroe Partners – a company hired by DentaQuest.  A West Monroe employee had an unencrypted laptop with protected information in the trunk of a car when the vehicle was stolen.  Although it may not always be convenient, most employees should know by now not to leave a laptop in a car – especially if it is unencrypted.  It’s not easy, however, for a hospital to enforce a policy on a company it does not even know exists.

There are two basic risk management suggestions to be gleaned from these incidents.   Not only should the obvious indemnifications be negotiated in all business associate agreements, hospitals need to require business associates vet  subcontractors to ensure they also have proper security controls in place.   In fact, this is actually dictated by the recent statutory changes referenced above.  And, if a hospital purchases insurance to cover the costs of a breach, it should confirm that the insuring agreement broadly covers third-party incidents.  Given that network security and privacy insurance remains a nascent market – albeit one that is now rapidly growing – not all insurance contracts are the same when it comes to how far the third-party coverage net reaches.   NSAP insurance should also be included in every insurance clause requirement – with a provision requiring that subcontractors also procure the necessary minimum coverages.

Hospitals should never forget that their data security is only as strong as their weakest link – which given cost-cutting measures undertaken by business associates may sometimes be an unknown company with weak security controls.

IT Consultants, Middle Market Business, Risk Management, Small Business

Tech Vendors Need Strong Hybrid Mix of Legal and Risk Management Counsel to Avoid Fraud Lawsuits

A growing list of technolgy vendor settlements should be a wake up call to tech vendors both large and small.   For example, last month, HP resolved a legacy EDP lawsuit to the tune of $460 million.  The facts of the case are not very complicated.  A decade ago, British firm BSkyB retained EDS to provide a CRM system for BSkyB’s help centers.  Two years later the contract was terminated and BSkyB completed the job using its own IT staff.  It also filed an action against EDS for misrepresention regarding its capabilities.  Although the initial contract included a liability clause that capped damages, the clause was ultimately rendered invalid due to fraud.

This past May, SAP and Waste Management announced the settlement of a lawsuit involving a failed ERM implementation.   Waste Management sued SAP for fraud in March 2008 over an allegedly failed waste and recycling revenue management system.   Waste Management allegedly sustained direct damages of over $100 million.   SAP responded in its original Answer that Waste Management didn’t “timely and accurately define its business requirements” nor provide “sufficient, knowledgeable, decision-empowered users and managers” to work on the project.  Much of Waste Management’s allegations turned on representations made by salespersons who were allegedly only concerned about licensing software that would create larger year-end bonuses.   According to its revised complaint, if a newer version had been used, “the multi-million dollar sales price for the software could not be immediately recognized as revenue under the accounting rules for revenue recognition,” and those salespeople involved in the deal would not receive bonuses.  According to its quarterly earnings filing regarding the reported settlement, Waste Management received “a one-time cash payment” in accordance with the settlement. The terms of the settlement were not disclosed.     

The price of a tech suit goes down steeply after fraud charges are dismissed.  For example, a lawsuit brought by a county government went from $10 million in alleged damages to an eventual settlement of $575,000 given there were only breach of contract claims remaining  after the fraud claims were earlier dismissed from the action.   Another action brought by yet another county government may not go as well for the tech vendor (Deloitte Consulting) given the fraud claims remain front and center throughout the complaint filed on May 28, 2010.

Claims are not only brought against tech vendors for millions of dollars.  Last year, Epicor was sued after a client spent $244,656.42 on an ERP implementation.  Again, the complaint sounded in contract breach but had negligent representation as well as fraud claims.  Here’s a list of similar suits

Moreover, tech vendors can include those who sell products such as iPhones rather than license software.   Earlier this month, Apple was hit with numerous suits seeking damages arising from the fact the latest iPhone has significant reception issues depending on how the phone is held.  Specifically, one suit accuses Apple of “general negligence, breach of warranty, deceptive trade practices, intentional misrepresentation, negligent misrepresentation, and fraud by concealment.”

For over twenty-five years, courts have allowed fraud claims to mingle with the negligence and breach of contract claims typically brought against technology vendors.  It is so much easier to prove (as was done in the EDP suit) that someone lied when contracting as opposed to showing how a contracted for systems implementation was not technically performing as promised.  Moreover, if fraud is proven, it will not only vitiate the limitation of liability and exclusion of consequential damages found in nearly all tech agreements, punitive damages may also become available.  In other words, a fraud claim is the magic bullet used by most plaintiffs to go around iron-clad contracts and the bar against awarding punitive damages in a contract dispute.

To best combat fraud claims, there are certain things that a tech vendor should do before, during and after a contract is negotiated.  For counsel on that front and for access to related risk management and contracting tools, please reach out.

Electronic Health Records, Middle Market Business, Network Security, Privacy, Risk Management

HHS Issues Proposed New HIPAA Regulations and Breach Portal

Using a lavish press conference as the backdrop, HHS officials announced yesterday proposed changes to the HIPAA regulations as well as an updated web page listing those breaches impacting more than 500 individuals.  The purpose of the new Rules issued yesterday is to align the HIPAA rules with the HITECH Act passed last year.   Specifically, the press announcement states: 

The proposed modifications to the HIPAA Rules issued today include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans.  In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

Under the proposed Rules (which are 234 pages in length), (1) individuals would have more convenient access to their protected health information (PHI) if available in electronic format; (2) covered entities would only need to protect the health information of decedents for 50 years after their death, as opposed to protecting the information in perpetuity as is required by current HIPAA requirements; and (3) the definition of who constitutes a business associate is expanded.

If these proposed rules are adopted, the expanded view of what constitutes a business associate will include the following:

We propose to add language in paragraph (3)(iii) of the definition of “business associate” to provide that subcontractors of a covered entity – i.e., those persons that perform functions for or provide services to a business associate, other than in the capacity as a member of the business associate’s workforce, are also business associates to the extent that they require access to protected health information. We also propose to include a definition of “subcontractor” in §160.103 to make clear that a subcontractor is a person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate. Even though we use the term “subcontractor,” which implies there is a contract in place between the parties, we note that the definition would apply to an agent or other person who acts on behalf of the business associate, even if the business associate has failed to enter into a business associate contract with the person.

During the coming weeks there will be much analysis given to these proposed Rules but when it is all sorted out, it is anticipated that the above-listed three changes will be deemed to be among the more significant.  Giving individuals the ability to access their PHI in a particular electronic format will drive up costs, limiting record keeping to 50 years will reduce costs given current encryption technologies, and expanding the definition of business associates to a vague circular definition will throw a monkey wrench to just about any entity looking to comply with HIPAA.  These proposed Rules are certainly a nice gift to privacy lawyers looking to boost their summer hourly billing.

Copyright Infringement, Intellectual Property, Middle Market Business, Risk Management, Small Business

Exposure to Software Copyright Claims

Claims arising out of internally-used software continue to be a significant retained IT risk factor.  When President Obama picked the Business Software Alliance’s General Counsel Neil MacBride for a senior Justice Department post, it was a clear message that we will see increased software compliance audits – and possible new penalties.  The increasing use of open source software is also leading to unanticipated software copyright exposures. In other words, the reasons continue to mount why users of desktop software should carefully monitor their use of software and maintain careful records of each license.

Financial Reporting, Intellectual Property, Middle Market Business

Business Method Patents Live on Another Day: Bilski Decided by SCOTUS

Today’s Bilski v. Kappos decision rejected having a Federal Circuit test for determining patentable subject matter as a “knock out” test for business methods.  If affirmed, this Machine-or-Transformation Test (if applied as the sole test) would have likely rejected all business method patent applications.  As it stands, the United States is the only country that allows for business method patents.  After today’s United States Supreme Court decision, that remains the case.

In today’s decision, the Court ruled that “business methods” can be patentable if they meet the requirements set forth in longstanding precedent notwithstanding the fact they do not “recite a particular machine or apparatus, nor transform any article into a different state or thing.”  Although the Court ruled that the Machine-or-Transformation Test remains as a helpful tool when resolving patentable subject matter questions, it should not be considered a “knock-out” test.

This is a huge win for financial institutions and software companies with strong patent portfolios — as well as those law firms who help build and protect those portfolios.

Litigation Management, Middle Market Business, Risk Management, Small Business

No Need to Pierce Corporate Veil Under NJ Consumer Fraud Act

A New Jersey Appellate Division panel ruled on June 23, 2010 that principals of a company can be found personally liable under New Jersey’s Consumer Fraud Act (CFA) even without actual knowledge about alleged unlawful practices sufficient to pierce the corporate veil.   As well, the court ruled that there was no need to prove intent before triggering the treble damages regulations under the statute. 

The case involved a poorly constructed landscape project.  The lower court allowed the claims against the landscaping company to go to a jury because, in violation of CFA regulations, there was no written contract and the workers accepted final payment without obtaining permission from the plaintiffs after the construction plans were changed.   The claims against the principals of the defendant company were dismissed because the lower court found they did not directly participate in the project sufficient to pierce the corporate veil.

A jury found in favor of the plaintiffs and trebled damages to $490,000.  The plaintiffs appealed seeking to get the principals to pay the award.  The Appellate Division reversed the lower court’s decision and remanded to determine if the principals had any personal participation in any of the two regulatory violations.  In other words, there was no need to determine if there was culpable conduct sufficient to pierce the corporate veil but there was the need to at least show they participated in the conduct that gave rise to the regulatory violations.

This is a significant decision.  It evaporates by way of the New Jersey CFA the protections normally afforded directors and officers of a company.  The corporate immunity protecting principals of a company is usually only tossed aside for fraudulent conduct that is sufficient to pierce the corporate veil.   By allowing treble damages against principals without any such showing, this decision becomes yet another loud wake-up call for New Jersey private companies as to the benefits of Directors and Officers insurance.

Middle Market Business, Network Security, Privacy, Risk Management, Small Business

Symantec Survey: SMBs Invest in Addressing Data Security Threats

In the recently published Symantec survey of 2,500 executives with responsibility for IT security – half from companies of less than 100 employees – cyber-attacks were ranked as their top business risk.  And, of those polled by Symantec, 74 percent said they were “somewhat or extremely concerned” about losing sensitive electronic data.  In fact, 42 percent lost confidential or proprietary information sometime in the past and 73 percent of the respondents were victims of cyber-attacks just this past year.  

Addressing this challenge, SMBs are now spending an average of $51,000 a year, or about two-thirds of IT staff time, working on “information protection, including computer security, backup, recovery, and archiving, as well as disaster preparedness.”  This seems like a sound investment given that the average cost of a breach to these SMBs was $188,242.

All of this fear seems to be somewhat well placed given that 95 percent of security and compliance professionals recently polled by nCircle believe that data breaches have been and will continue to increase in 2010. Knowing what to do in the event of a data breach is not necessarily intuitive.

Law Firm, Middle Market Business, Network Security, Privacy, Risk Management

iPad Exploit Exposes Email Addresses of 114,000 Users

According to a Gawker exclusive, a simple online request made on the AT&T network allowed access to user account information.  The information exposed in the breach “included subscribers’ email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T’s network, known as the ICC-ID.”   One security consultant offered that “recent holes discovered in the GSM cell phone standard mean that it might be possible to spoof a device on the network or even intercept traffic using the ICC ID.”  It is unclear whether that is the case but there is no denying that some heavy hitting iPad users now have exposed email addresses and ICC IDs.

The article points out that one impacted iPad user is William Eldredge, who “commands the largest operational B-1 [strategic bomber] group in the U.S. Air Force.”  Here is a listing of some others:

Apple's Worst Security Breach: 114,000 iPad Owners Exposed

In the media and entertainment industries, “affected accounts belonged to top executives at the New York Times Company, Dow Jones, Condé Nast, Viacom, Time Warner, News Corporation, HBO and Hearst.”

Apple's Worst Security Breach: 114,000 iPad Owners Exposed

The lesson here is that AT&T did not anticipate a hack that was apparently pretty obvious while Apple did no wrong — other than align its fortunes to AT&T.

Accounting Firm, Financial Reporting, Law Firm, Middle Market Business, Risk Management

Lehman, D&O Liability and Mark-to-Market Reporting

The Devil’s Casino, Vicky Ward’s first book, is the latest account of the fall of Lehman Brothers.  Released in April, this Lehman tome applies  a gossipy approach to storytelling.  Although we learn much about the shopping habits of some Lehman wives, repo transactions are nowhere to be found.   The book, however, becomes noteworthy when Ward details a September 9, 2008 meeting between JPMorgan’s Jamie Dimon and the Fed’s head Ben Bernake (on page 200) that purportedly directly led to JPMorgan’s request that Lehman provide $5 billion more in collateral. Less than a week later, Lehman filed its bankruptcy petition (the largest in US history) ostensibly given its lack of liquidity brought on by the collateral call of its clearing bank, JPMorgan. 

In a Report by Lehman’s bankruptcy examiner, dated March 11, 2010, the issue of JPMorgan’s collateral demand was analyzed and determined to be barely actionable.  The Report states: 

the Examiner concludes that the evidence may support the existence of a colorable claim – but not a strong claim – that JPMorgan breached the implied covenant of good faith and fair dealing by making excessive collateral requests to Lehman in September 2008.  A trier of fact would have to consider evidence that the collateral requests were reasonable and that Lehman waived any claims by complying with the requests.  

(Report of Anton R. Valukas, Examiner at page 1073)

On the heels of this Report and the Ward book, on May 27, 2010, the Lehman estate sued JPMorgan.  The suit takes a different position regarding the relationship between JPMorgan and Lehman by alleging that JPMorgan’s breach of duty was actionable. 

Unlike JPMorgan, Lehman’s board and officers were essentially given a free pass by Lehman’s bankruptcy estate as well as all regulators.  The Lehman Examiner’s Report actually spends much ink analyzing Delaware fiduciary law yet concludes numerous potential fiduciary lapses were not colorable claims.   On the other hand, a bank that potentially obtains crucial information from a third party (a governmental third party with a near real-time raw account of Lehman’s financial status) and merely seeks to protect its own interests, is forced to defend itself in a costly legal battle.   To many, it makes little sense that Lehman’s directors and officers were exonerated by regulators and Lehman’s bankruptcy Examiner.  Although the existing shareholder suits and claims made by those who sustained direct harm may eventually hit their mark, it is just not the same as potential jail time or a large personal SEC fine.  Not even close.  It is easy to argue that some Lehman folks should have paid with more than the inconvenience of a deposition.

If FASB had acted a bit more aggressively two years ago, maybe none of this would have even happened.  It would have been interesting to have seen FASB actually go through with its Exposure Draft of two years ago regarding FASB Statement 5 (loss contingency accounting) and FASB Statement 133 (hedging strategy accounting).  The vast opposition to the drafts caused FASB to abandon its plans.   Much of the opposition was typified in the McDermott Will & Emery letter that opined if the suggested changes to FASB Statement 5 were made, the opposing side to a filing entity would be able to learn litigation strategy.  If the proposed changes had matured (FASB Statement 5 has not changed since 1975) some of the decisions made by Lehman may have been altered or some of the actions may have been more cleanly delineated as wrongful.  Either way, there would have been more clarity regarding the propriety of their actions. 

As it stands, the Lehman saga provides some guidance to directors and officers looking to see how insulated they are from their financial accounting decisions.  They are pretty insulated given current standards. 

FASB may now be ready to change that dynamic.  It will revive the FASB Statement 5 Exposure Draft in the second quarter of 2010 – now with only a 30-day comment period.  And, FASB issued on May 26, 2010 an Exposure Draft that provides guidance regarding the financial reporting of derivative instruments and hedging strategies.  The overall approach taken moves towards a “mark-to-market” approach for derivative instruments that will have a “seismic effect” on how banks value loan portfolios beginning in 2013 (for large banks) and 2017 (for regional and community banks).  It remains to be seen what FASB will ultimately do given the negative comments it is certain to receive prior to the September 30, 2010 comment deadline.   The takeaway is that FASB  is finally taking a serious look at how companies report on loss contingencies and asset valuations.

All reporting companies – not just financial institutions – should obviously monitor how this and other related financial reporting initiatives evolve.   To a large degree, these accounting standards dictate the extent to which firms such as Lehman can push the envelope.  Although a widening of the reporting net may bring with it a separate set of problems, the change will certainly cause executives to think twice before being coy about a lack of liquidity.  As seasoned investors themselves, reporting officers should probably apply a “Would I want to know this information?” test the next time they are on the fence about the materiality of an item.  True mark-to-market reporting (not Lehman’s “mark-to-make believe” strategy) may bring on headaches for companies with many assets  having big value swings.  Nevertheless, it certainly seems to be part of the reporting standard of the future so you might as well get used to it.