Category Archives: Small Business

Accounting Firm, Financial Reporting, Law Firm, Privacy, Risk Management, Small Business

File Your Beneficial Ownership Information Report

Found in the nearly 1,500-page National Defense Authorization Act of 2021, is the 21-page Corporate Transparency Act (“CTA”), 31 U.S.C. § 5336.  The CTA currently requires most entities incorporated or doing business under State law to disclose personal stakeholder information to the Treasury Department’s criminal enforcement arm, Financial Crimes Enforcement Network (“FinCEN”), including Tax ID numbers, date of birth, government identification number and copies of government identification documents of all beneficial owners and company state formation applicants (collectively a Beneficial Ownership Information Report or “BOI Report”).

According to Congress, this law is intended to prevent financial crimes such as money laundering and tax evasion committed using shell corporations.  The relevant Constitutional question recently put before an Alabama federal court was whether Congress’ broad powers to regulate commerce, oversee foreign affairs and national security, and impose taxes and related regulations were enough to power such a massive information grab. 

In a 53-page opinion, Judge Liles C. Burke of the Northern District of Alabama answered this question in the negative and struck down the CTA as unconstitutional.  See Mem. Op. at 3 (“Because the CTA exceeds the Constitution’s limits on the legislative branch and lacks a sufficient nexus to any enumerated power to be a necessary or proper means of achieving Congress’ policy goals, the Plaintiffs are entitled to judgment as a matter of law.”).   As recognized by Judge Burke, there was no comparable State or federal law to the CTA.  Mem. Op. at 35.

As a result of Judge Burke’s March 1, 2024 ruling – which began its appellate journey on March 11, 2024, all the plaintiffs in that case are for the time being exempt from filing a BOI Report – including the over 65,000 businesses and entrepreneurs located in all 50 states who are members of Plaintiff National Small Business Association (“NSBA”).  As for everyone else who may be a Reporting Company, the CTA very much still applies.

By way of background, FinCEN issued a final rule implementing the CTA on September 29, 2022 and made that rule effective as of January 1, 2024.  87 Fed. Reg. 59498.  Because only the plaintiffs in the Alabama action are safe from the CTA’s reporting reach all other businesses operating in the United States who are considered Reporting Companies will have to comply with the Rule. 

More specifically, the CTA requires disclosures from “reporting company[ies],” defined as “corporation[s], limited liability company[ies], or other similar entit[ies]” that are either “(i) created by the filing of a document with a secretary of state or a similar office under the law of a State or Indian Tribe, or (ii) formed under the law of a foreign country and registered to do business in the United States.” 31 U.S.C. § 5336(a)(11)(A). The CTA exempts twenty-four kinds of entities from its reporting requirements, including banks, insurance companies, and entities with more than twenty employees, five million dollars in gross revenue, and a physical office in the United States. 31 U.S.C. § 5336(a)(11)(B).  In other words, this statute not only targets shell companies involved in criminal conduct or fraud, it expressly hits most small business owners in the country as well.

“FinCEN estimates that there will be approximately 32.6 million reporting companies in Year 1, and 5 million additional reporting companies each year in Years 2–10.”   87 Fed. Reg. at 59549. The CTA requires these millions of entities to disclose the identity and information of any “beneficial owner.” 31 U.S.C. § 5336(b)(1)(A). A beneficial owner is defined as “an individual who . . . (i) exercises substantial control over the entity; or (ii) owns or controls not less than 25 percent of the ownership interests of the entity,” with some exceptions for children, creditors, and a few others. 31 U.S.C. § 5336(a)(3).

For new entities formed or operating in the United States after January 1, 2024, the CTA requires them to disclose the identity and information of both Beneficial Owners and “Applicants,” defined as “any individual who files an application to form a corporation, LLC, or other similar entity under the laws of a State or Indian Tribe; or registers [a foreign entity] to do business in the United States.” 31 U.S.C. § 5336(a)(2).  Such filings must be made within 90 days of the relevant state filings and those companies formed or operating in the United States prior to January 1, 2024 have until year end.

Reporting entities must give FinCEN a Beneficial Owner or Applicant’s full legal name, date of birth, current address, and identification number from a driver’s license, ID card, or passport. 31 U.S.C. § 5336(a)(1), (b)(2)(A).   Under the final rule, reporting entities are also required to submit an image of the identifying document. 31 C.F.R. § 1010.380(b)(1)(ii)(E). If any of that information changes, the reporting company must update FinCEN, 31 U.S.C. § 5336(b)(1)(D), and FinCEN retains Applicant and Beneficial Owner information on an ongoing basis for at least five years after the reporting company terminates. 31 U.S.C. § 5336(c)(1).  Determining whether someone is a Beneficial Owner can be somewhat difficult given it requires a determination of who “has substantial influence over important decisions made by the reporting company” among other potentially vague criteria.  31 C.F.R. § 1010.38 (d)(1)(i)(C).

A willful provision of false or fraudulent beneficial ownership information or failure to report “complete or updated beneficial ownership information to FinCEN” by “any person” is punishable by a $500 per day civil penalty and up to $10,000 in fines and 2 years in federal prison, 31 U.S.C. § 5336(h)(1), (3)(A); a knowing and unauthorized disclosure or use of beneficial ownership information by “any person” is punishable by a $500 per day civil penalty, along with a $250,000 fine and 5 years in federal prison, 31 U.S.C. § 5336(h)(2), (3)(B); and a knowing and unauthorized use or disclosure while violating another federal law “or as part of a pattern of any illegal activity involving more than $100,000 in a 12-month period” by “any person” is punishable with a $500,000 fine and 10 years in federal prison, 31 U.S.C. § 5336(h)(3)(B)(ii)(II).

As recognized by Judge Burke, “[t]he ultimate result of this statutory scheme is that tens of millions of Americans must either disclose their personal information to FinCEN through State-registered entities, or risk years of prison time and thousands of dollars in civil and criminal fines.”  Mem. Op. at 8.  Given the importance of this information, FinCEN already compels banks and other financial institutions to obtain nearly identical information from State entity customers and provide it to FinCEN.  

More specifically, FinCEN’s 2016 Customer Due Diligence rule requires “covered financial institutions” to “identify and verify beneficial owners of legal entity customers.” 31 C.F.R. § 1010.230(a).   As with the CTA, this rule defines a “legal entity customer” as “a corporation, limited liability company, or other entity that is created by the filing of a public document with a Secretary of State or similar office, a general partnership, and any similar entity formed under the laws of a foreign jurisdiction that opens an account,” unless the entity fits into one of sixteen exemptions – eight less than the CTA exemptions. 31 C.F.R. § 1010.230(e)(1)-(2).

The CDD rule also defines beneficial owners in the same manner: “Each individual . . . who owns, directly or indirectly, 25 percent or more” of the entity; has “significant responsibility to control, manage, or direct a legal entity,” including “a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Managing Member, General Partner, President, Vice President, or Treasurer)” and “[a]ny  other  individual  who  regularly  performs  similar  functions.”  31 C.F.R. § 1010.230(d)(1)-(2).

In other words, FinCEN’s CDD rule and the CTA provide FinCEN with nearly identical information.  The CTA itself acknowledges the similarity. See 31 U.S.C. § 5336(b)(1)(F) (requiring the Secretary of the Treasury to promulgate regulations that “collect [beneficial owner and applicant] information . . . in a form and manner that ensures the information is highly useful in . . . confirming beneficial ownership information provided to financial institutions.” (emphasis added).  See also Pub. L. 116-283 § 6402 (6)(B) (134 STAT. at 4604 – 4605) (“It is the sense of Congress that . . . [collection of] beneficial ownership information . . . [will] confirm beneficial ownership information [already] provided to financial institutions.”).

According to FinCEN’s compliance with the Paperwork Reduction Act of 1995: “The estimated average burden associated with this collection of information from Reporting Companies is 90 to 650 minutes per respondent for reporting companies with simple or complex beneficial ownership structures, respectively. The estimated average burden associated with Reporting Companies updating information previously provided is 40 to 170 minutes per respondent for reporting companies with simple or complex beneficial ownership structures, respectively.”

Given the appellate route will likely take well over a year to resolve and the NSBA plaintiffs no longer have any injury to adjudicate – which might have expedited an appeal if they had, it is incumbent on business owners to take the CTA at its face value and comply with the implemented regulations of FinCEN.

Digital Assets, Network Security, Privacy, Risk Management, Small Business

Exchanges May Crack Down on Ransomware OFAC Risk

On April 22, 2021, Chainalysis published its findings on the OFAC sanctions violation risk tied to ransomware payments.  According to Chainalysis, 15% of ransomware payments paid in 2020 were at risk of OFAC sanctions.  Even though lower than the measured risk from 2016 – 2018, last year’s numbers remain an uptick from 2019.  

Chainalysis discovered ransomware victims paid out in 2020 more than $50 million worth of cryptocurrency to addresses that carried sanctions – with mainstream exchanges receiving “more than $32 million from ransomware strains associated with sanctions risks.”  Given the public market embrace of crypto exchanges, it is very likely those exchanges seeking greater regulatory scrutiny will eventually implement curbs to address the OFAC October 2020 advisory – eventually making it more difficult for smaller businesses to satisfy ransomware demands.

Behavioral Advertising, Middle Market Business, Network Security, Privacy, Risk Management, Small Business, Technology Law

Our Current Cyber Pandemic Will Also Subside

On April 17, 2020, it was reported that researchers at Finland’s Arctic Security found “the number of networks experiencing malicious activity was more than double in March in the United States and many European countries compared with January, soon after the virus was first reported in China. ”

Lari Huttunen at Arctic Security astutely pointed out why previously safe networks were now exposed: “In many cases, corporate firewalls and security policies had protected machines that had been infected by viruses or targeted malware . . . . Outside of the office, that protection can fall off sharply, allowing the infected machines to communicate again with the original hackers. “

Tom Kellerman – a cybersecurity thought leader, distills it this way: “There is a digitally historic event occurring in the background of this pandemic, and that is there is a cybercrime pandemic that is occurring.”

While there are certain internal ways of addressing cybersecurity threats arising from a viral pandemic, the exposures now faced by corporations become doubly damaging when the outside resources absolutely necessary to combat active threats are considered off-budget or not a critical enough priority. Smart companies generally survive stressful times by prioritizing with some foresight. Network security during a Cyber Pandemic should be a top priority no matter what size business.

During our Cyber Pandemic, companies recognizing and properly addressing the potential damage caused by threat actors will not only survive minor short-term hits to their bottom line caused by paying outside resources, they will likely be the ones coming on top after both Pandemics subside. There is definitely a light at the end of the tunnel for those willing to take the ride – just continue using trusted vehicles to get you there.

Behavioral Advertising, Middle Market Business, Network Security, Privacy, Risk Management, Small Business, Social Media

Addressing COVID-19 Cybersecurity Threats

When implementing COVID-19 business continuity plans, companies should take into consideration security threats from cybercriminals looking to exploit fear, uncertainty and doubt – better known as FUD.  Fear can drive a thirst for the latest information and may lead employees to seek online information in a careless fashion – leaving best practices by the wayside.

According to Reinsurance News, there has already been “a surge of coronavirus-related cyber attacks”.  Many phishing attacks “have either claimed to have an attached list of people with the virus or have even asked the victim to make a bitcoin payment for it.” Not all employees are accustomed to the risks from a corporate-wide work from home (WFH) policy given the previous lack of intersection between work and personal computers. 

One cyber security firm released information outlining these WFH risks. And,  another security provider offers a common-sense refresher:  “If you get an email that looks like it is from the WHO (World Health Organization) and you don’t normally get emails from the WHO, you should be cautious.” In addition to recommendations made by security consultants, there are privacy-forward recommendations that will necessarily mitigate against phishing exploits.  For example, WFH employees should be steered towards privacy browsers such as Brave and Firefox to avoid fingerprinting and search engines such as Duckduckgo for private searches.  A comprehensive listing of privacy-forward online tools is found at PrivacyTools.IO.    

Criminals have already exploited the current FUD by creating very convincing COVID-19-related links.   As reported by Brian Krebs, several Russian language cybercrime forums now sell a “digital Coronavirus infection kit” that uses the Hopkins interactive map of real-time infections as part of a Java-based malware deployment scheme. The kit only costs $200 if the buyer has a Java code signing certificate and $700 if the buyer uses the seller’s certificate. 

At a very basic level, WFH employees should be reminded not to click on sources of information other than clean URLs such as CDC.Gov or open unsolicited attachments even if they appear coming from a known associate.  Now that banks, hotels, and health providers are  sending emails alerting their clients of newly-implemented COVID-19 procedures, it is especially easy to succumb to spear phishing exploits – which is the hallmark of state-sponsored groups.  As recently reported, government-backed hacking groups from China, North Korea, and Russia have begun using COVID-19-based phishing lures to infect victims with malware and gain infrastructure access.  These recent attacks primarily targeted users in countries outside the US but there should be little doubt more groups will focus on the US in the coming weeks. Until ramped up testing demonstrates that the COVID-19 risk has passed, companies are well advised to focus some of their security diligence on these targeted attacks.

This does not mean employees need to be fed yet more FUD – this time regarding network security, without some good news. Employees can be reminded of the fact a decade ago we survived another pandemic. Specifically, between April 2009 and April 2010, there were 60.8 million cases, 274,304 hospitalizations, and 12,469 deaths in the United States caused by the Swine Flu. Globally, the Swine Flu infected between 700 million and 1.4 billion people, resulting in 150,000 to 575,000 deaths. Moreover, the young were a vector for Swine Flu yet are not for COVID-19. And, a large band of 25 – 35 year olds are better in two days – hardly a bad cold, for COVID-19 whereas there was no such band for the Swine Flu. On the downside, COVID-19 has a more efficient transmission mechanism than Swine Flu and we are better suited to develop influenza vaccines than we are for coronavirus vaccines.

UPDATE: April 23, 2020

The CDC reports in its latest published statistics there were 802,583 reported cases of COVID-19 and 44,575 associated deaths. Without a doubt, this pandemic is certainly much worse that the Swine Flu pandemic as previously reported by the CDC. Moreover, the current “panic pandemic” certainly shows no indications of subsiding.

Whether the governmental measures taken actually ratcheted up the body count or caused them to diminish is left for historians and clinicians to analyze. The hard fact remains the body count keeps going up and the U.S. economy is still on lock down as of April 23, 2020.

UPDATE: May 1, 2020

On April 30, 2020, it was reported Tonya Ugoretz, deputy Assistant Director of the FBI Cyber Division, stated the FBI’s Internet Crime Complaint Center (IC3) is currently receiving between 3,000 and 4,000 cybersecurity complaints daily – IC3 normally averages 1,000 daily complaints.

UPDATE: May 6, 2020

On May 5, 2020, a joint alert from the United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the United Kingdom’s National Cyber Security Centre warned of APTs targeting healthcare and essential services.

The alert warned of “ongoing activity by APT groups against organizations involved in both national and international COVID-19 responses.”  This May 5, 2020 alert follows an April 8, 2020 Alert that warned in broader terms of malicious cyber actors exploiting COVID-19.

APTs are conducted by nation-state actors given the level of resources and money needed to launch such an attack.  Moreover, they generally take between eight and nine months to plan and coordinate before launching.  It is particularly disheartening that these recent attacks include those launched by state-backed Chinese hackers known as APT 41.  As one cybersecurity firm points out in a recently-released white paper:  “APT41’s involvement is impossible to deny.” 

Distilled to its essence, the uncovered APT41 attacks mean that before COVID-19 was even on US shores, Chinese state-actors were planning attacks targeting the healthcare and pharmaceutical sectors.  One can only hope the cyberattacks were not coordinated alongside the spread of the virus – a virus that only became public months after a coordinated attack would have been first planned.

Middle Market Business, Network Security, Privacy, Risk Management, Small Business

Back to School for Ransomware

Even though the first significant uptick in ransomware attacks began over three years ago, a steady increase in frequency and severity has likely now made ransomware exploits the number one security threat faced by most businesses today.  McAfee places the ransomware growth rate for the last quarter at 118%.  Many smaller businesses were previously on notice but chose to ignore the warning signs. Thankfully, after the 2017 ransomware attacks unleashed by the Wannacry strain of Cryptolocker, some companies did address ransomware risk by implementing better employee training while others decided to upgrade legacy software and initiate offsite backups.

Those who did not adequately address this risk, however, are now facing much larger extortion demands.  Also, the risk landscape has changed dramatically over the past several years with  ransomware becoming an equal opportunity attack that will now target local governments as well as dental offices. Indeed, even first grade students are now being impacted by network security intrusions that not too long ago only previously targeted only large universities. 

Despite the recent public trend of paying these extortion demands, the FBI has long advocated not paying a ransom in response to a ransomware attack. Specifically, the FBI has said:  “Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

Another result of this increase in activity has been an increase in insurance purchased to cover an extortion demand as well as the related expenses incurred during a ransomware attack.  For example, the City of Baltimore may soon approve spending $835,000 for $20 million in coverage but only because it previously sustained a ransomware attack that set it back over $18 million

In fact, some have argued that by having insurance for this exposure the industry itself is actually at the root of increased ransomware activity.  Those in the security industry correctly point out that what drives these actors turns more on quick conversion rates rather than whether an insurer stands behind a victim.  To suggest the insurance industry is the cause of this problem gives threat actors way too much credit while completely ignoring the benefits derived from the cyber insurance underwriting process.

In the same way it is never too late to go back to school, it is never too late to begin importing a more robust security and privacy profile into an organization – which is the only real way to diminish the risk of a ransomware attack.  As suggested in 2016:  “Given the serious threat of ransomware, businesses large and small are reminded to at least do the basics – train staff regarding email and social media policies, implement minimum IT security protocols, regularly backup data, plan for disaster, and regularly test your plans.” 

Law Firm, Middle Market Business, Network Security, Privacy, Risk Management, Small Business

The Red Flag Program Clarification Act of 2010 Passes House and Senate

Looking to beat the end of the year enforcement deadline, the Senate (on November 30, 2010) and the House (on December 7, 2010) have now both voted to pass a law that would limit the scope of the FTC’s Red Flags regulations.  Although the ABA lawsuit seeking to exempt lawyers from the scope of these regulations is on appeal, it appears as if that suit will soon be dismissed as moot.

First introduced by Sen. John Thune, The Red Flag Program Clarification Act of 2010, S. 3987, would define a creditor as someone who uses credit reports, furnishes information to credit reporting agencies or “advances funds…based on an obligation of the person to repay the funds or repayable from specific property pledges by or on behalf of the person.”  Sen. Thune’s web site statement regarding the regulations states that action was necessary given the FTC was threatening small businesses with its regulations. 

As written, the existing law applies to “creditors,” a term the FTC interpreted broadly to include professionals who regularly deferred payment on services.  The FTC had delayed enforcement of these regulations numerous times due to pressure by the ABA and AMA given that the sweeping nature of the regulations would take into account professionals who would incur significant costs to address a perceived slight exposure.   As recognized on the House floor by Rep. John Adler (D-N.J.),“When I think of the word ‘creditor,’ dentists, accounting firms and law firms do not come to mind.”

Lost on many is the fact these regulations will remain in force and will still impact business owners throughout the country, including financial institutions, car dealers, contractors, utilities, phone providers, retailers (if financing is provided), mortgage brokers, etc.  Moreover, even if a business may no longer be “technically” within the rubric of the regulations, it may be a good best practice to still comply.  For example, an ID theft victim may look to the FTC Red Flags regulations to help determine a baseline reasonableness standard.  Although estimates of compliance costs range from $1,000 to $1,500 for small business owners, this amount may pale when compared to the expenses incurred in defending a data breach claim.

[Update:  December 18, 2010]
President Obama signed the Act into law.

Law Firm, Media, Small Business

NLJ: Smaller Law Firms Have Digital Advantage

In a recent National Law Journal article, Adrian Dayton argues that smaller law firms have been much better at jockeying for online positioning and expanding their digital footprint.  Driven by the ultimate goal of search engine optimization (SEO), these firms have been using blogs, FaceBook, Twitter and LinkedIn to get noticed in ways the largest firms are not.

As pointed out by the author, run a Google search for “class action defense”and you will notice that the top listing is a blog produced by the law firm of Jeffer Mangels Butler & Mitchell — a firm with three offices and 138 attorneys.  Given  its blog, the firm dominates in SEO despite being relatively small.  Google’s search algorithms, including its PageRank methodology, place a premium on the sort of fresh content found on blogs.  Search results slanting in favor of smaller law firms pretty much run across the board given “the fact that in the entire AmLaw 100 there are more than 84,000 lawyers and only 130 law blogs.”  Not much in the way of competition.  In other words, if you want to get up in the rankings and get noticed by new clients looking for your perspective on legal matters, having a blog has been the quickest path to achieving that goal.

Why does any of this matter?

Well, according to a Greentarget/ALM survey, 35% of in-house counsel had visited a law blog within the past 24 hours and forty-three percent of in-house counsel cited law blogs among their top “go-to” sources for news and information.  This sort of “drip marketing” may take law firms months or even years to obtain an engagement given the strong  existing relationships that first need to be shaken loose.  On the other hand, it is likely the most cost-effective way to get the ball rolling.

Given free publishing tools such as WordPress coupled with inexpensive professional themes and low-cost hosting options, the only real cost is the time it takes to write the blog post.  If you are a competent brief writer, it should take you no more than 30 minutes of your time every few days.   And, as correctly pointed out by Adrian Dayton, this small time commitment is well worth it.  Try it.  You may even enjoy the experience.  Just make sure what you write is not something that will impact a client relationship — after all, that is likely the reason larger firms have generally stayed away from the blogosphere.

Middle Market Business, Small Business

Patient Protection and Affordable Care Act Changes Begin Today

It’s been six months since passage of the administration’s healthcare reform act — the Patient Protection and Affordability Care Act (PPACA).   As reported in newspapers around the country, that means that for those health plans that begin today: 

  • Parents will be able to keep their young adult children on their group health plan up to age 26, regardless of whether the adult child lives with the parent, is a full-time student, disabled or married.
  • Insurance companies will be banned from dropping coverage when an enrollee gets sick.
  • All new plans must offer free preventive services, such as mammograms, colonoscopies and certain child preventive health-care services, meaning plans can’t charge deductibles, co-pays or co-insurance.
  • All employer plans and new plans in the individual market will be prohibited from denying coverage to children under age 19 with pre-existing conditions.
  • Parents will be able to select a pediatrician as the primary care provider for their children.
  • Female enrollees will be able to obtain obstetrical/gynecological specialist services without a referral from another primary care provider.
  • Group plans will be banned from imposing lifetime benefit limits and will start gradually eliminating annual benefit limits.
  • New plans must provide consumers access to an internal and external claims appeals process.

For plans operating on the calendar year, these new PPACA requirements will take effect on January 1, 2011.

IT Consultants, Middle Market Business, Risk Management, Small Business

Tech Vendors Need Strong Hybrid Mix of Legal and Risk Management Counsel to Avoid Fraud Lawsuits

A growing list of technolgy vendor settlements should be a wake up call to tech vendors both large and small.   For example, last month, HP resolved a legacy EDP lawsuit to the tune of $460 million.  The facts of the case are not very complicated.  A decade ago, British firm BSkyB retained EDS to provide a CRM system for BSkyB’s help centers.  Two years later the contract was terminated and BSkyB completed the job using its own IT staff.  It also filed an action against EDS for misrepresention regarding its capabilities.  Although the initial contract included a liability clause that capped damages, the clause was ultimately rendered invalid due to fraud.

This past May, SAP and Waste Management announced the settlement of a lawsuit involving a failed ERM implementation.   Waste Management sued SAP for fraud in March 2008 over an allegedly failed waste and recycling revenue management system.   Waste Management allegedly sustained direct damages of over $100 million.   SAP responded in its original Answer that Waste Management didn’t “timely and accurately define its business requirements” nor provide “sufficient, knowledgeable, decision-empowered users and managers” to work on the project.  Much of Waste Management’s allegations turned on representations made by salespersons who were allegedly only concerned about licensing software that would create larger year-end bonuses.   According to its revised complaint, if a newer version had been used, “the multi-million dollar sales price for the software could not be immediately recognized as revenue under the accounting rules for revenue recognition,” and those salespeople involved in the deal would not receive bonuses.  According to its quarterly earnings filing regarding the reported settlement, Waste Management received “a one-time cash payment” in accordance with the settlement. The terms of the settlement were not disclosed.     

The price of a tech suit goes down steeply after fraud charges are dismissed.  For example, a lawsuit brought by a county government went from $10 million in alleged damages to an eventual settlement of $575,000 given there were only breach of contract claims remaining  after the fraud claims were earlier dismissed from the action.   Another action brought by yet another county government may not go as well for the tech vendor (Deloitte Consulting) given the fraud claims remain front and center throughout the complaint filed on May 28, 2010.

Claims are not only brought against tech vendors for millions of dollars.  Last year, Epicor was sued after a client spent $244,656.42 on an ERP implementation.  Again, the complaint sounded in contract breach but had negligent representation as well as fraud claims.  Here’s a list of similar suits

Moreover, tech vendors can include those who sell products such as iPhones rather than license software.   Earlier this month, Apple was hit with numerous suits seeking damages arising from the fact the latest iPhone has significant reception issues depending on how the phone is held.  Specifically, one suit accuses Apple of “general negligence, breach of warranty, deceptive trade practices, intentional misrepresentation, negligent misrepresentation, and fraud by concealment.”

For over twenty-five years, courts have allowed fraud claims to mingle with the negligence and breach of contract claims typically brought against technology vendors.  It is so much easier to prove (as was done in the EDP suit) that someone lied when contracting as opposed to showing how a contracted for systems implementation was not technically performing as promised.  Moreover, if fraud is proven, it will not only vitiate the limitation of liability and exclusion of consequential damages found in nearly all tech agreements, punitive damages may also become available.  In other words, a fraud claim is the magic bullet used by most plaintiffs to go around iron-clad contracts and the bar against awarding punitive damages in a contract dispute.

To best combat fraud claims, there are certain things that a tech vendor should do before, during and after a contract is negotiated.  For counsel on that front and for access to related risk management and contracting tools, please reach out.

Copyright Infringement, Intellectual Property, Middle Market Business, Risk Management, Small Business

Exposure to Software Copyright Claims

Claims arising out of internally-used software continue to be a significant retained IT risk factor.  When President Obama picked the Business Software Alliance’s General Counsel Neil MacBride for a senior Justice Department post, it was a clear message that we will see increased software compliance audits – and possible new penalties.  The increasing use of open source software is also leading to unanticipated software copyright exposures. In other words, the reasons continue to mount why users of desktop software should carefully monitor their use of software and maintain careful records of each license.