Labor Social Media Update: Lawsuit Seeking Ownership of Former Employee’s Twitter Account and the NLRB Summary

There is no disputing the fact that social media has changed the speed of communications and mode in which we communicate. It should also come as no surprise that labor relations have been impacted by the near ubiquitous use of social media tools – including how social media has blurred the line between business and personal time. See Stengart v. Loving Care Agency, Inc., 201 N.J. 300, 990A.2d 650 (2010), reasoning that as computer and online technologies evolve, “the line separating business from personal activities can easily blur.”

In fact, to assist companies on the topic, in August 2011, the National Labor Relations Board (NLRB) released a report containing case discussions involving social media usage. Recognizing that it is still a “hot topic,” the NLRB’s Acting General Counsel (AGC) has released another report further addressing emerging social media labor law issues. In his January 24, 2012, report, the AGC cited multiple recent cases in which the NLRB found that employers violated the National Labor Relations Act (NLRA) when taking adverse action against employees for engaging in criticism of their employers on social media, and/or for maintaining overly broad workplace polices touching on social media issues. In this regard, one trap for unwary employers is that the NLRA protects “concerted activity” by employees, even when the workforce is not unionized.

One takeaway from the AGC’s case discussions is that an increasingly aggressive, pro-employee NLRB will likely deem certain employee comments protected despite the fact that they are published on Facebook or in the Twitterverse to potentially very large audiences. Simply put, the NLRB is ruling that such comments/discussions do not lose their protection merely because they have a much broader audience than one that could fit into a break room. For employers, the potential for damage to business reputations has increased along with the risk of legal liability under the NLRA for taking remedial action, necessitating careful review of employer social media policies and planned disciplinary actions for conduct in that realm.

A recent California decision should cause some employers and employees to reevaluate the relative value of social media content. Some of the questions raised by Phonedog v. Kravitz include:
• Who owns a Twitter account that is used by an employee partially during the work day to benefit her employer?
• Is a Twitter list a potential customer list owned by the employer?
• Should the naming convention of a Twitter account contain the employer’s name?

On January 30, 2012, United States Chief Magistrate Judge Maria-Elena James refused to dismiss an action brought against Noah Kravitz by his former employer PhoneDog after he failed to relinquish his Twitter account upon leaving the company. During the course of Kravitz’s eight-month employment at PhoneDog, the @PhoneDog_Noah Twitter account generated approximately 17,000 followers. When it filed a complaint in July 2011, PhoneDog alleged $340,000 in damages – $42,500 ($2.50 x 17,000) for each month that Mr. Kravitz used the account. PhoneDog asserted claims under California law for (1) misappropriation of trade secrets, (2) intentional interference with prospective economic advantage, (3) negligent interference with prospective economic advantage and (4) conversion.

In Phonedog v. Kravitz, No. C 11-03474, slip op. at 10 (N.D.Ca November 8, 2011), Chief Magistrate Judge James found that “to the extent that Mr. Kravitz has challenged whether the password and Account followers are trade secrets and whether Mr. Kravitz’s conduct constitutes misappropriation requires consideration of evidence beyond the scope of the pleading. Thus, such challenges should be raised at summary judgment on a fully developed evidentiary record.” Interestingly, this ruling was made despite the fact that Kravitz’s followers can be found easily by anyone on Twitter, and his password was not something Kravitz would likely disclose to a third party. Apparently, the court was unwilling to take judicial notice of such facts.

On January 30, 2012, the court revisited its earlier ruling and determined that the interference claims were sufficient to survive a motion to dismiss. Noteworthy in that decision was the Court’s acceptance of PhoneDog’s allegations that due to Kravitz’s failure to relinquish his Twitter account, “there is decreased traffic to [the] website through the Account, which in turn decreases the number of website pageviews and discourages advertisers from paying for ad inventory on PhoneDog’s website.” Phonedog v. Kravitz, No. C 11-03474, slip op. at 2 (N.D.Ca January 30, 2012), quoting First Amended Complaint (FAC) at 36. And, “as a direct and proximate result of Defendant’s wrongful acts, PhoneDog has suffered damage to its business by way of lost advertising revenue. …” Based on these factual allegations, the Court was able to draw a reasonable inference that PhoneDog’s economic relationship with at least one advertiser was disrupted by Kravitz’s alleged conduct.

Given that the motions to dismiss were only the initial missiles fired by Kravitz, it may very well be that this case will ultimately be decided via summary judgment – especially since the Court had on several occasions referenced the potential viability of such motions in its rulings. Indeed, on February 2, 2012, Mr. Kravitz added to his legal team a co-counsel who might even help in that regard. Until such motion is filed, the PhoneDog takeaway is that companies should likely revisit their employment agreements to take into consideration ownership rights in social media content – whether such rights may spring from a Twitter account or a Facebook fan page.
While they are reviewing their social media policies, it would not hurt employers to be mindful of the increased data security risk inherent in allowing employees to access social media at the workplace.

A July 2011 study by the Ponemon Institute found that a company’s increase in usage of social media is directly related to an increase in its risk for viruses and malware. The Ponemon study found that more than half of the businesses surveyed reported an increase in cyber-attacks as a result of employees’ usage of social media networks. Interestingly, only 35 percent of the respondents deployed a social media “acceptable use” policy – with a similar percentage actually enforcing the policy if they had one.

Although social media usage remains a moving target, it is clearly a target employers should no longer be afraid to tackle. Along with the marketing benefits inherent in using social media, management should realize the stakes may be too high to sit on the sidelines when it comes to dealing with the labor issues arising from increased employee social media usage.

Kevin Donovan is a partner in the firm’s New Jersey office and head of the New Jersey Labor & Employment Law practice. His practice embraces all aspects of labor law and employment litigation and counseling, including certain employee health benefits issues facing employers. Kevin has almost 30 years of labor and employment law experience, representing employers of all sizes.

Reversal of Fortune: Exposure to Insurers from U.S. Securities Class Actions Against Chinese Companies

By Edward J Kirk and Anthony Sassi

Chinese companies listed in the U.S. are being targeted by plaintiffs in class action lawsuits alleging fraudulent misrepresentations, inadequate disclosures and improper transactions. Mr. Anthony Sassi and Mr. Edward Kirk, both from Clyde & Co, give the background and update on this development.

Given the volatility in the financial markets since 2008 and decreasing yields on many investments, not to mention concerns about capital preservation, it should come as no real surprise that some investors are attracted by increased opportunities to “invest” in Chinese businesses that supposedly offer aggressive returns. Bullish investors get the opportunity to invest in the China growth story, Chinese businesses raise vast amounts of money on the publicly traded exchanges in the U.S. and professional advisers (brokers, auditors and, one daresay, lawyers) get paid substantial fees to help structure the deals that result in Chinese businesses being publicly listed.

In some instances, however, these investment opportunities are too good to be true. Investors have seen billions in dollars wiped off the market capitalization of some dubious listed Chinese businesses. In some cases, fraud is suspected. One of the ultimate weapons for these investors is a class action lawsuit in the U.S. against the Directors and Officers (D&O) of the company and its professional advisers. This development calls into question the adequacy of D&O insurance (where applicable), increases advisers’ exposure to risk and raises coverage issues under professional indemnity insurance policies.

Background
A reverse merger is a transaction whereby an existing “shell company” (a public company with few or no operations) acquires a private operating company and the private company effectively takes over the public company. It is a quick and cheap method of obtaining a public listing without having to carry out an initial public offering (IPO), and does not require compliance with U.S. Securities Act registration requirements. Typically, the management of the private company takes over the management of the public company and the shareholders of the private company become the majority of the shareholders in the public company.

In recent years, there has been a surge in Chinese companies accessing the U.S. capital markets by means of a reverse merger. The U.S. Public Company Accounting Oversight Board (PCAOB) has identified 159 companies from the China region that entered into a reverse merger in the U.S. from 1 January 2007 to 31 March 2010. Market capitalization of these companies was some $12.8 billion U.S. as compared to $27.2 billion of those Chinese companies that completed IPOs in the U.S. during that period. In the last 12-24 months, there has been a significant increase in regulatory investigations and securities litigation against such companies and their advisers.

What’s Gone Wrong?
Chinese companies have been involved in reverse mergers in the U.S. for over a decade. So why is it only now that problems with these companies are emerging and they are being named in so many U.S. regulatory investigations and class actions?
Short sellers have had a major impact. Short selling is the practice of borrowing securities from a third party with the intention of paying them back at a later date. The short seller makes a profit if the securities fall in value between the date borrowed and repaid. In the last couple of years, a number of short sellers have targeted Chinese companies as an easy way to make money. The highest profile short seller targeting Chinese companies is Carson Block, who runs Muddy Waters LLC, a company whose name is based on an old Chinese proverb, “muddy waters make it easy to catch fish.” In other words, opacity creates opportunities to make money. Muddy Waters and a number of other short selling companies claim to carry out independent research into Chinese companies listed in the U.S. and produce reports making various allegations about the legitimacy of the business in question and its financial position. This trend started in June 2010 when Muddy Waters issued a report on Orient Paper alleging it had overstated revenue and misappropriated funds. Further reports have since been produced by Muddy Waters, and others, and more are expected.

Whenever a short seller report is published, the value of the stock of the company in question tends to plummet. Sino Forest is perhaps the best example: its stock dropped by 70 percent in 2 days following Muddy Waters’ report. Short sellers tend to take a short position in the company’s shares shortly before releasing their report and invariably make a lot of money as a result of the subsequent drop in the stock.

Litigation
A surge in U.S. securities class actions against Chinese companies has followed in the wake of the short seller allegations. In 2011, investors filed 39 securities class action lawsuits against Chinese companies, accounting for almost 20 percent of all securities class action filings. These class actions tend to follow the same pattern, relying heavily on the short sellers’ report to allege fraudulent misrepresentations and inadequate disclosures regarding discrepancies in financials reported by the company to U.S. and Chinese authorities, improper transactions between related parties and the company’s operations and business prospects.

Implications for Insurers
Up until a few years ago, writing D&O insurance of Chinese companies seemed somewhat of a benign risk. With no class actions in China or Hong Kong, exposure was limited. The U.S., where many of these companies have sought capital in recent years, is a totally different environment.

Exposure
Very few U.S. securities class actions go to trial; around 35-40 percent are dismissed and the majority of the rest are settled. It was initially thought (and hoped by D&O insurers) that, due to the lack of substance in the complaints against Chinese companies (which often merely repeat allegations made in a short sellers’ report), most of these claims would be dismissed at an early stage. However, based on the limited number of rulings to date on motions to dismiss involving these types of complaints, this may be unlikely in the majority of cases.

In a case brought against Orient Paper Inc. (Henning v. Orient Paper, 2011), the U.S. District Court for the Central District of California refused to dismiss the plaintiffs’ securities fraud claims. Significantly, the court’s July 2011 decision found that the plaintiffs could rely upon a short seller’s report to support their allegations of securities fraud, and that allegations of related party transactions supported a finding of scienter under the Exchange Act.

In a case against China Education Alliance, where the plaintiff also relied heavily on a short seller’s report, the court reached a similar conclusion in an October 2011 decision. Relying on the Orient Paper decision, a different federal judge in the Central District of California found that the facts that the individual authors of the report were not named and that those individuals were self-interested were not grounds for dismissal of plaintiffs’ claims. Further, the court found that, viewed “holistically” rather than individually, plaintiffs’ allegations (based on an online short seller report) adequately alleged scienter.

The Orient Paper and China Education decisions demonstrate that investors’ class action lawsuits can survive early strike-out applications by the defendant company or its former advisers. As many of the securities class actions against Chinese companies are based on similar allegations, investors may be able to obtain early settlements from defendants seeking to avoid the publicity risk, cost of discovery and a full length trial (which, if the defendants lose, could set an unhelpful precedent for them).

Two other cases, however, demonstrate that in certain circumstances, complaints can be dismissed at an early stage. In a securities class action brought against China North East Petroleum in the U.S. District Court for the Southern District of New York, the court found in an October 2011 decision that the alleged misrepresentations could not have caused a loss because the stock price rose after disclosure of the alleged fraud and plaintiffs had the opportunity to sell their shares at a profit. This ruling would be distinguishable from cases against many other Chinese companies where share prices dropped upon disclosure and did not rebound.

Most recently, a third judge in the Central District of California granted a motion to dismiss a securities class action against China Century Dragon Media. As the plaintiffs’ claims under the Securities Act sounded in fraud, the plaintiffs were required to meet the heightened pleading standards applicable to securities fraud. The court found that allegations that the revenue and profit numbers reported to the SEC in the prospectus for the company’s U.S. IPO were significantly greater than those it reported to the SAIC in China were insufficient. The differences between the numbers provided to the SEC and SAIC merely raised the possibility that the SEC figures were false, but did not “suffice to make that claim plausible.” Notably, this decision was without prejudice and plaintiffs will have another opportunity to plead fraud with sufficient particularity in an amended complaint.

Avoidance
In some of the cases, the allegations made against the Chinese company go back many years. This triggers concerns about non-disclosure and misrepresentations, and insurers faced with large claims may want to query whether the insureds knew of the underlying facts relating to the wrongdoing prior to placement. This may be difficult to establish, and some policies contain severability of knowledge or innocent non-disclosure wording.

Coverage
In investor and regulatory actions against Chinese companies, the remedy under applicable U.S. securities law may be rescissory damages, disgorgement fines and penalties. Not all of these will fall within the definition of “Loss” in insurance policies, although there is no standard D&O policy used and the terms and conditions vary between insurers. The exclusions which are relevant to these types of claims are obvious, being dishonest, criminal or fraudulent acts, unlawful gain or improper personal profit. All of these tend to require a final adjudication, so insurers may still have to fund defence costs in the interim period.

Defence Costs
The complexity of the cases, and the difficulties of dealing with transnational litigation, such as collecting evidence overseas or translating Chinese documents, make this type of litigation particularly expensive. If, as suggested by the Orient Paper and China Education Alliance cases, the U.S. courts are unwilling to dismiss these types of claims at an early stage, policy limits could be blown by defence costs alone.

Conclusion
Of course, not all Chinese companies traded on U.S. exchanges, whether by a reverse merger or a traditional IPO, are fraudulent companies, and as demonstrated by the China North East Petroleum and China Century decisions, defendants may have strong arguments for an early dismissal of securities class actions. Nevertheless, Chinese companies are being targeted by plaintiffs and regulators whether or not they are legitimate businesses, and insurers of U.S. listed Chinese companies, their directors and officers and advisors could face significant exposure in defending and resolving securities class actions. If a short seller produces a negative report on a U.S.-traded Chinese company and its share price collapses, a securities claim or SEC investigation is almost inevitable. With almost 500 Chinese companies listed in the U.S., and now, with Sino Forest, an indication that Chinese companies listed in Canada may be targeted as well, D&O insurers of Chinese companies listed in North America may be in for a rough ride in the coming years.


Editor’s Note: 

This article originally appeared in the January 2012 PLUS Journal.

Law Office & Trust Account Management

By Kurt W. Krauss and Paul E. Paray

Bradford Bleier, a unit chief in the Cyber Division of the FBI, offered up the obvious in November 2011 at the 19th Annual Review of the Field of National Security Law: “Law firms have tremendous concentrations of really critical private information” and breaking into a firm’s network “is a really optimal way to obtain economic and personal security information.”

Yet, despite this attraction, law-firm data breaches rarely hit the papers. Thankfully for law firms, it seems that low-hanging fruit with larger stores of data have taken the attention of criminals — leaving only sporadic reported incidents such as the cyber attacks against Gipson Hoffman & Pancione in Los Angeles after the law firm represented software maker CYBERsitter, LLC, in a $2.2 billion software piracy action filed against the People’s Republic of China and seven major computer manufacturers. It may be that law firms are less focused on data security than financial institutions and health-care organizations, which routinely report breaches, and, as a result, law-firm breaches may go undetected. Those breaches that are discovered, however, may not require disclosure if the exposed information is not the type that triggers notification obligations under the statutes.

New Jersey’s data breach notification law, N.J.S.A. 56:8-161-166, requires law firms to notify only when the breach involves Social Security numbers, driver’s license numbers or financial account information that includes a security code — the sort of information many law firms never need to obtain in the first place. Moreover, even if a breach required notification, a managing partner’s security concerns might not hit fever pitch given that suits arising out of a breach rarely survive motion practice. For example, see Reilly v. Ceridian Corp., 2011 U.S. App. Lexis 24561 (3d Cir., Dec. 12, 2011), finding that “allegations of an increased risk of identity theft resulting from a security breach” are insufficient standing alone to secure Article III standing (affirming dismissal of claims brought by former employees of a New Jersey law firm after the firm’s payroll processor was breached). Even if a lawsuit stemming from a data breach may ultimately be dismissed, most firms would still prefer to avoid the reputational damage that easily could flow from a publicly disclosed data-breach incident.

Many New Jersey firms would benefit from evaluating their network security and privacy processes and protocols. Procedures that apply to protecting personal information would equally apply to protecting other sensitive information — from strategy for an upcoming trial to plans for a client’s patent prosecution.

IT Due Diligence for Law Firms

Safeguarding client data already is deeply rooted as an ethical requirement. Under New Jersey’s Rules of Professional Conduct, RPC 1.6(a), a lawyer generally “shall not reveal information relating to representation of a client unless the client consents after consultation ….” This firmly entrenched confidentiality obligation couples with other ethical duties to create an internal as well as external digital risk framework:

  • RPC 1.1(a): “A lawyer shall not [h]andle or neglect a matter entrusted to the lawyer in such manner that the lawyer’s conduct constitutes gross negligence.”
  • RPC 1.9(c)(2): “A lawyer who has formerly represented a client in a matter … shall not thereafter … reveal information relating to the representation ….”
  • RPC 5.3: “… every lawyer, law firm or organization authorized by the Court Rules to practice law in this jurisdiction shall adopt and maintain reasonable efforts to ensure that the conduct of non-lawyers retained or employed by the lawyer, law firm or organization is compatible with the professional obligation of the lawyer.”

Understanding that “the problems of unauthorized access to electronic platforms and media (i.e., the problems posed by ‘hackers’) are matters of common knowledge,” the New Jersey Advisory Committee on Professional Ethics built on this existing ethical framework in its Opinion 701, 184 N.J.L.J. 171 (April 10, 2006). Specifically, in approving a firm’s document digitization efforts, the committee had the occasion to opine on an attorney’s obligation to safeguard client data from a data breach or loss. The committee first acknowledged that the “obligation to preserve client confidences … requires that the attorney take reasonable affirmative steps to guard against the risk of inadvertent disclosure.” It also reaffirmed that a lawyer is required to “exercise sound professional judgment on the steps necessary to secure client confidences against foreseeable attempts at unauthorized access.”

Recognizing that what constitutes proper safeguards under the rules “may be informed by the technology reasonably available at the time to secure data against unintentional disclosure,” the committee not-so-subtly imposes an IT due diligence obligation on law firms. As for vendors, the committee did not read the rules “as imposing a per se requirement that, where data is available on a secure web server, the server must be subject to the exclusive command and control of the firm through its own employees.” According to the committee, “reasonable care” against unauthorized disclosure is exercised when “(1) the lawyer has entrusted such documents to an outside provider under circumstances in which there is an enforceable obligation to preserve confidentiality and security, and (2) use is made of available technology to guard against reasonably foreseeable attempts to infiltrate the data.” Other states have reached similar conclusions when discussing the acceptable use of IT providers. See Fla. Bar Op. 06-01 (April 10, 2006); NY Bar Op. 842 (Sept. 10, 2010).

Evaluating the Risks

Although it is too early to tell whether 2012 will see an increase in law firm digital exposures, law firms may benefit from evaluating vendor controls, policies and procedures for acceptable use of social media and reviewing smartphone security.

Vendor Engagements

According to the Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, 29 percent of all breaches are caused by third-party negligence. Thus, with vendors such as copying services and the like being used by law firms, it is a good idea to keep in mind the New Jersey Advisory Committee on Professional Ethics’ requirement that vendor agreements have an “enforceable obligation to preserve confidentiality and security.” A law firm also could consider better evaluating the background of vendors that process or hold its sensitive data. It also pays to find out early if the vendor understands data security issues and has a process in place to safeguard the firm’s sensitive data. The adage “trust but verify” is a useful concept, especially if audit rights are built into the vendor engagement.

It also makes sense to ask vendors for an insurance clause in their contracts, requiring certain minimum insurance coverage, including network security and privacy insurance that covers liability expenses related to a breach incident as well as forensics and notification expenses. On that note, it may also make sense for a firm to evaluate such insurance for itself, given coverage would be triggered even if the data thief was the third-party provider. The underwriting process is also a good independent and cost-free check on a firm’s security and privacy processes.

Social Media Policy

How a law firm addresses social media use can assist in mitigating digital risk exposures. The first two sentences of the New Jersey Supreme Court opinion in Stengart v. Loving Care Agency, Inc., 201 N.J. 300 (2010), nicely underscore the difficulty all firms have in curbing online activities: “In the past twenty years, businesses and private citizens alike have embraced the use of computers, electronic communication devices, the Internet, and e-mail. As those and other forms of technology evolve, the line separating business from personal activities can easily blur.” Unfortunately, this blurring of online social and business activities creates newfound security problems for firms.

As noted in a July 2011 study by the Ponemon Institute, a company’s increase in social media use directly relates to increases in a company’s risk for viruses and malware. Indeed, the study found that more than one-half of the businesses surveyed reported an increase in cyber attacks as a result of employees’ use of social media networks. Further, only 35 percent of firms worldwide had a social media “acceptable use” policy in place, and of those, only 35 percent actually enforced it. Social media “acceptable use” policies are complicated by free speech rights and blurring of the lines between business and social activities. In this context, care must be taken in drafting social media policies to minimize difficulties that may result when enforcement is undertaken. Training concerning the risks associated with social media may also help law firms to reduce risk.

Some law firms may find that having a comprehensive policy that applies to internal as well as external use of social media can go a long way in helping to avoid data breaches. For example, hackers may start out by compromising a perceived trusted relationship, such as a social media connection or family member’s e-mail address, to lure a victim into clicking on an image or website laden with malware. Not surprisingly, criminals often set up false social media profiles to gather the information necessary to launch more targeted attacks.

For now, a good way to combat the threat of cyber attacks based in compromised trusted relationships is to educate employees about these risks. Some firms may decide to put written policies and procedures in place to limit usage and resulting risk. Others may determine that access at work to social media, such as LinkedIn, is important to the firm’s reputation and business. Also, many law firms routinely view social media use by opposing parties, as well as by other lawyers and business partners, just as they would analyze other publicly available information about business partners and opponents. There is no one-size-fits-all solution to social media issues, but it is worthwhile for a law firm to consider these issues and make informed decisions concerning them.

Smartphones

Most IT managers are well aware of the harm that can result when a laptop is lost or stolen, and as more lawyers use smartphones, the evolving technology presents new challenges. When a smartphone is lost, stolen or accessed without authority, the amount of data that is compromised can be significant. Cyber criminals look for comparatively easy access points, and smartphones may be a weak spot in a firm’s information security. A study conducted by market researcher Ovum and the European Association for e-Identity and Security found that half of the organizations surveyed fail to authenticate their employees’ mobile devices, among other basic security measures.

One way to enhance smartphone security is to use a strong password (not surprisingly, including a capital letter and number or character increases the strength of passwords) and change it at regular intervals. Training users to delete suspicious e-mail, in the same way it is done on a laptop or work computer, further enhances smartphone security. Evaluation of antivirus protection also may be worthwhile. In addition, using the screen saver feature with a password will lock down a smartphone in the same way laptops are locked down. More advanced security features that may be appropriate, depending on the intended use of the smartphone, include remote wiping applications, encryption and data leak prevention tools.

Reasonable Steps

Theoretically, there is always more that could be done to strengthen a firm’s defenses and procedures. No system is bullet-proof, as cyber criminals continually adapt to the ever-changing environment in which they operate. As a result, no firm’s information can ever be 100 percent secure. In this context, the reasonable steps that a firm takes to secure information are relevant from both a client relations perspective and an ethical perspective. By committing resources now to evaluate the safeguards currently in place, firms are not only doing the “right thing” but also lessening the likelihood that they will be a party on the wrong side of a civil complaint or ethics grievance.

207 N.J.L.J. 337, NEW JERSEY LAW JOURNAL, FEBRUARY 6, 2012

Krauss is a partner and Paray is of counsel at the Florham Park office of Wilson, Elser, Moskowitz, Edelman & Dicker LLP. Krauss has extensive litigation experience handling complex cases in the area of commercial and business disputes. Paray is a commercial litigator who also counsels clients on managing technology risk.

Reprinted with permission from the FEBRUARY 6, 2012 edition of New Jersey Law Journal. © 2012 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited.

Data Breach: Risk Management considerations and best practices

Credit: Swiss Re Lawyer’s Professional Liability Risk Management Newsletter – Summer 2011

Daily headlines reporting new data breaches have become the norm. Companies such as Sony, Citicorp, TJX and Epsilon, just to name a few, have recently had publicized data breaches. A recent Ponemon Institute¹ survey of 583 US companies showed that 80% of the companies had their computers hacked at least once in the past year, and 10% reported that they did not know whether they had been hacked. Even more frightening, 59% reported two or more breaches in the past year. The average cost of a data breach is $214 for each compromised record, and that figure does not include potential fines and sanctions for HIPAA/HITECH and other regulatory violations.

You may think that because you are not a large corporation, no one will bother hacking your computers. But law firms are a repository of confidential and personal information about their clients, which makes them attractive targets. A recent FBI advisory warns that law firms are increasingly the targets of hackers using spear phishing e-mails with malicious payloads. The lawyer receives an e-mail that appears to originate from a trusted source, with an attachment name and message body crafted to match the firm’s specific business interests. Generally, opening the e-mail itself will not compromise the system or network. Infection usually occurs once someone opens the attachment or clicks the link in the e-mail, which runs an executable that then attempts to download a further file. The malicious file does not necessarily appear as an ‘.exe’ file in each incident; on occasion it has been disguised as another file type, e.g., ‘.zip’ or ‘.jpeg’, so the extension shown in the mail client is no guarantee of what the file actually is. Attached below is a recent example sent to one of our law firms.
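The disguised-attachment pattern described above, as an added example that is not part of the original article or of the FBI advisory: a small Python checker that parses a raw e-mail, compares each attachment’s declared extension against its leading bytes, flags double extensions such as “Complaint.pdf.exe”, and looks inside zip archives for executable members. The sample message, the magic-number table and the list of executable extensions are constructed here for illustration and are assumptions, not data from the page.

```python
"""Attachment triage for the spear-phishing disguises the article describes.
Added example; the sample message and lookup tables are constructed here."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading bytes ("magic numbers") of common attachment types (illustrative table).
MAGIC = {
    b"MZ": "exe",            # Windows PE executable
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
}
# Extensions Windows will execute on double-click (assumption: illustrative list).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "jar", "hta", "lnk"}


def sniff_type(data: bytes):
    """Return the type implied by the file's leading bytes, or None if unknown."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def check_attachment(filename: str, data: bytes) -> list:
    """Return a list of findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    exts = filename.lower().split(".")[1:]
    last = exts[-1] if exts else ""
    if len(exts) > 1:
        findings.append("double extension: " + filename)
    if last in EXECUTABLE_EXTS:
        findings.append("executable extension ." + last)
    actual = sniff_type(data)
    if actual == "exe" and last != "exe":
        # The .jpeg / .zip disguise: name says image, content says program.
        findings.append("content is a Windows executable but name claims ." + (last or "(none)"))
    if actual == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    inner = name.lower().rsplit(".", 1)[-1] if "." in name else ""
                    if inner in EXECUTABLE_EXTS:
                        findings.append("archive member is executable: " + name)
        except zipfile.BadZipFile:
            findings.append("claims to be a zip but cannot be parsed")
    return findings


def scan_eml(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and check every attachment; returns {filename: findings}."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        report[name] = check_attachment(name, part.get_payload(decode=True) or b"")
    return report


def build_sample_message() -> bytes:
    """Constructed lookalike of the advisory's scenario: a fake PE named as a .jpeg,
    a zip whose member carries a double extension, and a harmless PDF."""
    msg = EmailMessage()
    msg["From"] = "clerk@example.com"
    msg["To"] = "partner@example.com"
    msg["Subject"] = "Complaint filed - see attached"
    msg.set_content("Please review the attached documents.")
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60      # PE header start only, not a real program
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Complaint.pdf.exe", fake_exe)
    msg.add_attachment(fake_exe, maintype="image", subtype="jpeg", filename="scan.jpeg")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="filing.zip")
    msg.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application", subtype="pdf", filename="notice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in scan_eml(build_sample_message()).items():
        print(name, "->", findings or "clean")
```

The same checks can run at a mail gateway or as a desk-side triage script before anyone opens an attachment; the point is that the name the mail client displays is untrusted input and the content has to be inspected.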

Malicious attacks are not the only way your clients’ data could be compromised. Simple negligence is the source of security and privacy breaches 40% of the time. Loss of laptops, mobile devices and flash drives presents a palpable risk, and simply e-mailing a document to the wrong person can cause a breach. Using cloud computing is yet another risk vector: services such as Gmail, Yahoo Mail and Dropbox store your information on external servers, and a hack into one of them could compromise your data.

Another Ponemon Institute study revealed that only 25% of the cloud providers who responded felt that their company considers security one of its most important responsibilities. Most (90%) felt that reducing costs was the customer’s motivation for migrating to a cloud service.

Best practices to mitigate and reduce your risk of Data Breach

Here are some best practice ideas. Please feel free to share with us any others that have worked for you and your firm.

Data collection: Only collect the data necessary to do your job. Once you have collected data, keep it only as long as required. If it is necessary to archive the information, ensure you have a policy in place that limits who can access it. Insider threats exist and can be more difficult to detect and defend against than outside attacks.

Electronic data destruction: When it is time to replace computers, photocopiers or fax machines, be sure all client data is properly removed from the retired devices. Deleting files or reformatting a drive does not remove the data; review the manufacturer’s instructions for how to effectively “wipe” the machine, and remember that modern photocopiers and multifunction printers contain hard drives that keep copies of scanned documents. It may be necessary to physically destroy the hard drive.

Paper records destruction: Dumpster diving is alive and well. Shred any document containing personally identifiable information (a name associated with a credit card number, Social Security number, driver’s license number, medical insurance number, financial account information, etc.) using a cross-cut shredder so that it cannot be reconstructed.

Data on the move: Encrypt all client data when it is transmitted electronically via e-mail. Many e-mail programs allow you to encrypt a message with the click of a button, but check what that button does: end-to-end encryption of the message (for example S/MIME or PGP) protects it wherever it is stored along the way, whereas a TLS connection to your own mail server only protects it on the first hop. Encrypting the attachment itself and giving the recipient the password by a separate channel, such as a phone call, is the simplest fallback.

Laptops: All laptops should be password protected. Passwords should be at least 8 characters long and include upper- and lower-case letters as well as numbers. They should also be hard for someone in your office to guess, so your dog’s name is not a good choice; using the first letters of the words in a sentence is a much better option. For instance, “I love Justin Bieber forever and ever” becomes “IlJB4eae”. Bear in mind that a login password on its own does not protect the data on a lost laptop, because the drive can simply be removed and read on another machine. Personal health information, personally identifiable information and any confidential client information should therefore be encrypted, and every laptop should have hardware or software full-disk encryption. Truecrypt.org offers a robust, free, open-source encryption utility (the TrueCrypt project was discontinued in 2014; the operating system’s built-in disk encryption, such as BitLocker or FileVault, is the current equivalent). Also consider tracking software with remote wipe that allows you to securely delete the data on the device if you lose it.

Mobile devices: Passwords are like toothbrushes: don’t let anyone else use yours, and change it regularly. Make sure all mobile devices are password protected. Yes, it is a pain to punch in a password every time you check your smartphone or tablet, but you will be grateful for this small inconvenience if your device is lost. Also consider not allowing access to your network from these devices; that way, if a smartphone is lost and accessed, the breach is limited to what is on the device itself. Tracking software with remote delete is recommended for mobile devices.

Flash drives: Flash drives are small and powerful; several gigabytes of storage is not uncommon. These qualities make transporting data a breeze, but they are easy to lose and a huge data breach risk. Best practice is to require that all flash drives be encrypted, with the encryption key protected by a password. Hardware-encrypted drives such as IronKey self-destruct if an incorrect password is entered more than ten times. TrueCrypt can also be used to encrypt any flash drive.

Viruses and malware: Social media sites are rife with viruses and malware. Do not download unknown files from these sites, and be aware that they are another avenue for hackers to attack. Keep your antivirus and anti-malware software up to date and set it to scan your systems automatically, preferably daily but at least weekly, and any time your system appears to be running slowly. Commercial antivirus software is generally superior to free software, but whichever you use, it only helps if its signatures are current and it is actually running.

Cloud computing: Cloud computing is very attractive to small law firms because the cloud provider typically serves as the IT department, maintaining software licenses and regularly applying software updates and security patches. As compelling as the economics may be, consider the following before deciding to engage a cloud provider:

  1. Where is the data being stored? A service provider may move your data to another jurisdiction with less stringent privacy laws than your state, or to one whose regulations are more stringent than your state’s.
  2. What type of encryption is utilized? (WPA is a Wi-Fi encryption standard and is not the right question to ask a cloud provider.) When entering into a Service Level Agreement, verify that data is encrypted in transit (TLS) and at rest (for example, AES), and establish who holds the encryption keys: if the provider holds them, the provider, or anyone who compromises the provider, can read your data.
  3. What happens to your data if the cloud provider goes out of business?
  4. Review the contract to confirm that the cloud provider does not disclaim or limit liability for a breach due to their negligence in the Service Level Agreement.
  5. What sort of redundancies and continuity plan does the cloud provider have in place?
  6. How long is your data retained?
  7. Who at the cloud provider has access to your data? Are they background checked? Bonded?
  8. Will the cloud provider assist you in complying with HIPAA/HITECH and other privacy regulations?

Educate all your employees: Create a written, comprehensive computer and Internet usage policy for all employees to read and acknowledge. They need to understand the seriousness of a breach, where the risks lie and how to avoid them. A phishing self-test for you and your staff is listed under Referenced links below.

Educate yourself: Keep up to date on the basic technologies that protect client data and consider this part of your duty as an attorney. The International Legal Technology Standards Organization (ILTSO) is a group of lawyers, IT professionals and business leaders who have endeavored to create a set of technology standards to provide guidance for lawyers. One of their goals is to build standards that a law firm of any size can adopt, avoiding the burden of varying individual state standards. The current standards are listed under Referenced links below.

Follow notification laws: Be aware that 47 states have data breach notification laws with strict timing requirements, often requiring notification within 60 days. Be sure you are familiar with your state’s requirements; a list covering all states is given under Referenced links below.


Business continuity plan: When a breach occurs, time is of the essence. Therefore, it will be easier to deal with it if you have a plan ready. This might include pre-negotiating terms with a forensic data recovery company (such as Flashback Data) and a data breach notification company (such as Debix), identifying a response team, developing a communication plan for clients and understanding your state’s notification laws.  See the Debix Data Breach Incident Response Workbook below.

Practicing law isn’t the same as it was even 20 years ago. Technology has made many things easier, but at the same time many things are now more complicated. Though technology is daunting for many lawyers, keep in mind that it is often the simplest practices that are the most effective. Using effective passwords, knowing how to properly maintain and destroy data, and a basic awareness of new laws and requirements are simple things that will help you avoid data breaches.

Referenced links:

Example of malicious email sent

Ponemon Institute: Perceptions about Network Security, sponsored by Juniper Networks, June 2011

List of jurisdictions and data breach notification laws: Security Breach Notification Laws

ILTSO Standards

Debix Data Breach Incident Response Workbook (PDF)

FBI Cyber Security Guidance Poster

FBI Report Suspicious Cyber Incidents Poster

Phishing self-test for you and your staff

¹Ponemon Institute conducts independent research on privacy, data protection and information security policy. ponemon.org

The segregation of professional risk in an accounting firm

Due to the competitive nature of the insurance marketplace, insurers have broadened the scope of professional liability insurance available to CPAs in order to address the expanding exposures of multi-disciplinary practices and accommodate the creation of new practice-specific subsidiaries. This expansion, however, brings with it a series of new risks which have the potential to detrimentally impact a standard policy and erode coverage that would otherwise be available for more conventional areas of practice. The most common, and relatively new, area of practice to be added to coverage is Personal Financial Planning (“PFP”). Traditionally, this practice involves broad-based investment planning and asset monitoring services for a fee, but recent developments at both the micro and macro levels have begun to undermine the once-perceived simple and benign nature of the work.

Previously, the largest claims against CPAs arose from attestation services, that is, failure to detect fraud. While infrequent, these claims were often catastrophic and costly. Since the meltdown of the financial markets the number and magnitude of claims arising from PFP has increased dramatically. Ranging from higher-profile (Bernie Madoff and “mini-Madoffs”) to lesser-known financial scandals, there have been several large claims. PFP claims commonly arise from:

  • Failure to undertake adequate due diligence for an investment.
  • General market conditions and portfolio value fluctuation.
  • Conflicts of interest – using affiliates or owned investment vehicles.
  • Specific types of investments: REITs, Options, “Alternative” Investments, Limited Partnerships or Hedge Funds.
  • Failure to properly advise on the tax consequence of an investment scheme.
  • Claims arising from a particular product promoted by an adviser.
  • Fraudulent investments or Ponzi schemes.
  • Failure to meet Fiduciary standards.

Each type of claim has the potential to cost a CPA millions of dollars, and destroy their practice.  Some of the larger claims that have been seen have been as much as $5,000,000.

As mentioned previously, the downside to expanding coverage to include PFP is that any claim from this service has the potential to reduce, or even completely exhaust, coverage for conventional areas of practice. This means less, or no, coverage for audit, review, tax and bookkeeping services, etc., and at the time of writing no insurer of conventional accountants’ professional liability insurance has offered a separate limit of liability for PFP services. Also, the PFP subsidiary may have additional non-CPA owners whose conduct can put the conventional coverage at risk. An affiliated Broker-Dealer may not accept the conventional coverage as sufficient proof of coverage and may press the firm into purchasing coverage via a sponsored shared-limit program.

There are, however, several options for specific professional liability coverage for investment advisers and financial planners.  If the PFP practice is managed as a specific business unit, and/or ideally as a wholly owned subsidiary, it is possible to purchase relatively low-cost coverage.  This coverage can also be expanded to include activities as a Registered Representative, Life Insurance Sales and Fiduciary roles.  Unlike coverage for Registered Representatives and Life Agents offered via Broker-Dealers and Life Insurers, it does not share coverage between thousands of representatives or agents, is completely controlled by the CPA, portable, and not tied to any other coverage. If structured correctly, claims that arise from PFP services will be covered by the separate policy and will have no impact upon their accountants’ professional liability coverage.

Independent coverage for PFP can also bring other advantages:

  • The coverage often includes Cost of Corrections, which means incidents that might have the potential to develop into a claim are fixed quickly and early.
  • There is often affirmative coverage in the definition of services (as opposed to stating that services are not excluded), including activities as a Fiduciary.
  • Separate PFP coverage can be written with a reduced deductible and tailored endorsements to add special features to the policy.
  • Coverage may be written as excess over mandatory coverage provided by an affiliated Broker-Dealer and/or drop-down primary coverage for other (Fiduciary) activities.

While broadening the definition of professional services seems beneficial on paper, the inherent risks that it presents to a practice as a whole suggest that the best course of action is to address change specifically with care and attention and not simply rely on what is convenient.

Rickard Jorgensen is one of the founders and Chief Underwriting Officer of CPAGold™, a professional liability insurance program for accountants established in 1989 and a specialist insurance agent and consultant.  He can be contacted at (201) 345 2441 or rjorgensen@jorgensenandcompany.com.

Intellectual Property Basics for the Practicing Accountant: What You Need to Know and Why

By Maureen L. Veterano, Esq.

Intellectual Property (IP) is a significant asset for an increasing number of companies, but many of them know little about how to protect it or how to manage it. Small and medium sized businesses have always relied on accountants for business advice, and as such practicing accountants are finding themselves fielding more and more questions on the topic. Those who have taken the time to understand the basics will be in a better position to offer their clients an additional value added service and stand out from the competition. This article will provide a basic overview of the most typical types of IP accountants will need to know about, and provide a checklist to follow when meeting with clients.

The Increasing Importance of Intellectual Property

FASB has previously recognized the value of IP in the new economy, beginning with the issuance of FASB Statement no. 141, Accounting for Business Combinations, and Statement no. 142, Accounting for Goodwill and Other Intangible Assets which require companies to report goodwill and intangibles separately, disclose intangible asset classes and provide the estimated useful lives of the intangible assets in financial statement footnotes. There are many reasons IP is important to a business. Primarily, it allows them to exclude others from doing something that interferes with or competes against them. Licensing and royalty payments also offer opportunities for additional revenue. Additionally, the proper valuation and management of IP assets may enable them to be used as collateral when obtaining financing or investors. Infringement litigation is always a possibility, and since intellectual property lawsuits are among the most expensive types of litigations, companies need to be aware of what their risks are and make sure that adequate IP insurance is in place.

The Most Common Types of Intellectual Property

The most common types of IP that accountants will run across are patents, trademarks, and copyrights. A patent is a set of exclusive rights granted by the government to an inventor or their assignee for a limited period of time in exchange for a public disclosure of an invention. It is the right to keep others from making, using or selling the invention, and can cover products or processes and even some business methods (for example, the Amazon one-click shopping cart). A trademark is a distinctive sign or indicator used by an individual, business organization or other legal entity to identify to consumers that the products or services with which it appears originate from a unique source, and to distinguish those products or services from those of other entities. Trademarks should be registered, but a company can establish rights to a mark by use. Copyright is the set of exclusive rights granted to the author or creator of an original work, including the right to copy, distribute and adapt the work. A copyright can exist without being registered; however, it must first be registered in order to be enforced. Copyrights are registered by the US Copyright Office, whereas the United States Patent and Trademark Office handles only patents and trademarks. Patents can be utility, plant or design patents. There is also a provisional patent application, which is valid for only twelve months before it must be converted into a regular application; its fee is significantly lower and it can establish an early effective filing date.

Questions to Address in the Client Meeting

*Does the company own any IP? An inventory of the IP is the first step towards determining the opportunities to generate value, and categorizing the IP will be beneficial in the event the valuation process needs to be done.

*Is the company a licensor or licensee of any IP? If so, are the agreements being enforced and is the company receiving payments? License and royalty agreements are included in FASB statement no. 141 as examples of intangible assets that must be recognized apart from goodwill. If the company is making payments, are they still using the technology?

*Are they involved in any intellectual property litigation, or is it being contemplated? If so, this could indicate there is IP that may require a separate valuation for allocation purposes. The company should also be advised to consider standard risk management practices, including insurance coverage for infringement litigation.

*Does the company have IP that is new, newly acquired, or not yet protected? Is the company using technology that may be covered by another’s IP? It is helpful to review how much money has been invested in the technology and determine whether the company has cash flow projections or cost-benefit analyses that value the technology for internal purposes. If the company does not carry insurance to cover infringement litigation and damages, an assessment should be made of the company’s ability to absorb the costs of a lawsuit while maintaining operations.

Accountants will continue to fill the vital role of trusted advisor for their business clients, and intellectual property will inevitably continue to be an increasingly important asset to identify and protect.

Ms. Veterano is a patent attorney and underwriting manager at Intellectual Property Insurance Services. For over twenty years IPISC has been the industry leader providing insurance coverage for infringement risks. She can be reached at MVeterano@patentinsurance.com

Importing liabilities from new hires

by Rickard Jorgensen

A recent (April 1, 2010) article in Investment News drove home the point that firms should be extra cautious when taking on new advisers.

A very prestigious advisory firm is being sued over feeder-fund investments made in an alleged Ponzi scheme. The claim arises from an employee placing clients in investments that turned out to be fraudulent. The investments were made by a new hire before that advisor joined the firm and, under normal circumstances, would not have met the firm’s rigorous risk management guidelines for client investments.

However, the firm included these investments on all clients’ account statements issued after the advisor was hired, so attorneys for the clients contend that the firm approved these investments.  The advisor also told clients that the investments were safe and secure.  The firm stated: “These are legacy investments predating Mr. ** joining (us)”.

The claims may exceed several million dollars.

There are a few things to learn from this:

  1. When taking on a new advisor there should be an independent review of all acquired clients’ investment portfolios;
  2. Before hiring the new advisor, do an exhaustive employment and personal history review and, if possible, use an outside vendor to ensure accuracy and completeness;
  3. Any deficiencies identified in the quality of the portfolios should be addressed quickly;
  4. Clients should be made aware that any deficient investments are not recommended or approved by the firm, and written acknowledgement should be secured;
  5. Steps should be taken to terminate the deficient investments and move funds to another, more appropriate investment vehicle;
  6. Minimum risk management standards should be set and rigorously enforced; failure to adhere to internal rules can result in a legal liability exposure;
  7. When interviewing new hires, a firm should try to discover the existence of any deficient investments before making a job offer.

Clients can and will sue. But the foregoing may reduce the likelihood of a lawsuit and the potential damages.

Beware the God of Lightning!

by Rickard Jorgensen

This past week (March 12, 2010) a new version of the password-stealing Zeus botnet malware was unleashed upon the world. This new form of Zeus infects PCs, waits for the victim to log on to one of a list of targeted banks and financial institutions, then steals the credentials and sends them to a remote server in real time. Additionally, it may inject HTML into the pages rendered by the browser, so that its own content is displayed together with (or instead of) the genuine pages from the bank’s web server. In this way it can ask the user to divulge further personal information, such as payment card number and PIN, one-time passwords and Transaction Authentication Numbers (TANs). Because the injection happens inside the browser, after the bank’s page has been decrypted and its certificate checked, the padlock and the correct address still show, which is why the bogus request looks legitimate to the user.

Zeus is understood to be the biggest culprit in the family of malware targeting financial websites and institutions; according to some studies, as much as 44% of all financial malware is based upon Zeus.

Recently we saw a claim where an accounting firm was infected.  The Botnet infected a computer at the accounting firm that was used to facilitate bank transfers on behalf of clients, to various vendors.  Via Zeus, bogus transfers were made to banks in China before the bank realized the theft and froze the account.  The firm is facing a potential malpractice claim and has a very upset client.

There are some steps that can be taken to protect the firm:

  • Update all anti-virus and anti-spyware software on all computers frequently, and make sure it can detect Zeus infections;
  • Ensure fund transfers are made from a “dummy” account set up specifically for that purpose, and ensure no automatic transfers are allowed from any operating accounts;
  • Give standing instructions to the bank to freeze any transfers to suspicious locations (Eastern Europe and the Far East seem to be favorites);
  • Check that the bank has appropriate security checks in place to prevent this type of theft;
  • Provide the bank with a list of approved vendors that will receive transfers of funds, and ask it to seek written confirmation of any deviation from this list;
  • Seek appropriate insurance coverage for fraudulent funds transfer, including client funds; and
  • Educate staff about the imprudence of clicking on strange e-mail links, downloading files and e-mail attachments, and opening e-mails from unknown senders.
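The approved-vendor list, blocked-destination instruction and written-confirmation steps in the list above, as an added example that is not from the original article: a Python review routine that holds any outbound transfer whose beneficiary account is not on the firm’s approved list, whose destination is on a blocked-country list, which exceeds the limit recorded for that vendor, or which pushes a client over a daily total. The vendor records, limits, country list and sample transfers are all constructed assumptions; the one that mimics the claim described above is a large transfer to a previously unseen account in China.

```python
"""Outbound-transfer review implementing the allowlist / blocklist controls
listed above. Added example; vendor records and transfers are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ref: str
    client: str
    beneficiary_account: str   # account number as it would be keyed into the bank portal
    beneficiary_country: str   # ISO 3166-1 alpha-2 code of the receiving bank
    amount: float


# Hypothetical standing instructions lodged with the bank (assumptions).
APPROVED_VENDORS = {
    "acme-supplies": {"account": "US11000000001", "country": "US", "limit": 25000.0},
    "office-lease": {"account": "US22000000002", "country": "US", "limit": 12000.0},
}
BLOCKED_COUNTRIES = {"CN", "UA", "RU"}   # illustrative; set per firm and bank
DAILY_CLIENT_LIMIT = 50000.0             # illustrative cumulative cap per client per day


def review(transfers) -> dict:
    """Return {ref: [reasons]} for every transfer that must be held for
    written confirmation before release; clean transfers are omitted."""
    approved_by_account = {v["account"]: (name, v) for name, v in APPROVED_VENDORS.items()}
    running = defaultdict(float)          # cumulative amount per client in this batch
    holds = {}
    for t in transfers:
        reasons = []
        entry = approved_by_account.get(t.beneficiary_account)
        if entry is None:
            reasons.append("beneficiary not on approved vendor list")
        else:
            name, vendor = entry
            if t.beneficiary_country != vendor["country"]:
                reasons.append(f"country {t.beneficiary_country} differs from vendor record {vendor['country']}")
            if t.amount > vendor["limit"]:
                reasons.append(f"amount exceeds vendor limit {vendor['limit']:.2f}")
        if t.beneficiary_country in BLOCKED_COUNTRIES:
            reasons.append(f"destination {t.beneficiary_country} is on the blocked list")
        running[t.client] += t.amount
        if running[t.client] > DAILY_CLIENT_LIMIT:
            reasons.append("cumulative daily total for client exceeds limit")
        if reasons:
            holds[t.ref] = reasons
    return holds


# Constructed batch: two routine vendor payments, one what a Zeus operator
# would key in (new account, blocked country, large amount), one oversized.
SAMPLE_TRANSFERS = [
    Transfer("T1", "client-a", "US11000000001", "US", 4000.00),
    Transfer("T2", "client-a", "CN99000000009", "CN", 48000.00),
    Transfer("T3", "client-b", "US22000000002", "US", 15000.00),
    Transfer("T4", "client-b", "US11000000001", "US", 20000.00),
]


if __name__ == "__main__":
    for ref, reasons in review(SAMPLE_TRANSFERS).items():
        print(ref, "HELD:", "; ".join(reasons))
```

The review should run before the bank instruction is released, and by someone other than the person who keyed the transfer, so that a trojan on one operator’s PC cannot both create and approve a payment.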

As the criminals get more clever and sophisticated it is hard to defeat every attack. However, making every reasonable effort to protect your systems and your clients’ data and assets will be the best defense in a malpractice lawsuit.

Affirmative Conduct Engagement Letters

By Rickard Jorgensen

It is an axiom of good accounting business practice that an engagement letter should be obtained before commencing an assignment. Engagement letters are fundamental in the defense of a malpractice lawsuit.

However, in this world of profitability constraints and increasing workload it is tough to track and enforce engagement letters, especially for small fee assignments like preparation of personal tax returns.  Often clients avoid or forget to sign an engagement letter and it is costly to pursue.

An option to pushing for a signed engagement letter for simple assignments may be the use of an Affirmative Conduct Engagement Letter.  This letter is an attachment to the Tax organizer, does not require a signature and creates a clear contract with the client including all of the important terms of the engagement.  

Ralph Picardi, Esq., a specialist in accountants’ professional liability and author of The Accountants Risk Management Handbook (Mara Press, Inc., 2002), gives the following insight on the Affirmative Conduct Engagement Letter.

A signed engagement letter is by far the best course of action in any engagement.  By obtaining the client’s signature on an engagement letter, the firm creates a clear contract with the client including all of the important terms of the engagement.  Most firms, however, have a very difficult time receiving back completed organizers and sufficient source documentation, let alone signed engagement letters in 1040 engagements.   Every state recognizes that contracts can be formed by something other than a signed writing.  Oral contracts and those formed by actions are examples.  In the absence of a state law requiring a signed writing (and you should check this with local counsel), the reasonableness of the communication will probably control the matter if litigation ultimately ensues.

Picardi further recommends the following approach.  The firm should continue to style its engagement letter to be signed by the client, but should also include language that purports to make the terms of the letter binding even in the absence of a client signature.  Example language would be as follows:

If you agree to authorize this firm to prepare your 201_ personal income tax returns pursuant to the terms set forth above, please execute this letter on the line below designated for your signature, and return the original of this executed letter to this office along with a completed copy of the enclosed tax organizer and the supporting documentation requested therein.  You should keep a copy of this fully executed letter for your records.  If this firm does not receive from you the original of this letter, in fully executed form, but receives from you a completed copy of the enclosed tax organizer and/or supporting documentation requested therein, then such receipt by this office shall be deemed to evidence your acceptance of all of the terms set forth above.  If, however, this office receives from you no response to this letter, then this office will not proceed to provide you with any professional services, and will not prepare your 201_ income tax returns.

An Affirmative Conduct Engagement Letter may not be the best solution to avoid malpractice claims, but it is useful and is certainly recommended over no engagement letter at all.