Tuesday, January 28, 2014

Privacy Benefits of a Limited Liability Company

Everyone knows that a Limited Liability Company can help shield its owner(s) from liability, but did you realize that an LLC can also shield its owner(s) from prying eyes? 

LLCs are among the most useful and versatile tools in a business lawyer's toolkit, and one of the lesser-known uses of a limited liability company is to facilitate privacy for its owner(s).  In many states, including North Carolina, an LLC can be formed by an "organizer" (usually an attorney) without the signature or public disclosure of the name of the owner(s) or even the manager(s).  In North Carolina, the manager's name is not required to be disclosed until the first Annual Report is filed.  (Annual Reports become immediately public upon filing, and can be accessed for free online by anyone.)  An Annual Report is due on April 15 on the year following the year the LLC is formed.  Therefore, an LLC formed in January may have as many as 15 months before a manager must be named on an Annual Report.

Furthermore, a single-member LLC can be disregarded for tax purposes, so it creates no additional tax complications for its owner.  Because an LLC can be formed quickly, easily, and inexpensively, it can be a useful tool for preserving privacy. 

We have formed LLCs to allow people to buy and sell real estate when the circumstances were such that the person's identity, if disclosed, would affect the price or otherwise cause issues.  There are a host of perfectly legitimate reasons to use an LLC for privacy purposes.

Trusts can also be used to create privacy, although they tend to be more expensive to create and slightly more complex.  Trusts may be a good solution for longer-term privacy needs, whereas LLCs can address short term privacy concerns.


Thursday, January 23, 2014

Information Security Breaches Can Be Low-Tech Too

With all the media attention focused on high-tech hackers (such as the Russian teen who reportedly perpetrated the Target mega-breach), it might be easy to forget that information security breaches are often distinctly low-tech.  They frequently occur simply because of dishonest or inept employees and contractors.

This week, Duke Energy disclosed an information security breach of the low-tech variety.  A former contract worker was stopped by police outside Atlanta and found to be in possession of credit card and checking account numbers belonging to Duke Energy customers.  The suspect had worked in a call center and had handled the accounts of the customers whose information was found in the car.  Upon learning of the incident, Duke did the right thing by reporting it and offering free credit monitoring to affected customers.  Duke also reported that it would be reviewing its internal controls and procedures.

The Duke Energy incident isn't the only local (N.C.) breach arising from employee theft of data already this year.  According to the Identity Theft Resource Center's 2014 breach list, an employee of the Alamance County Department of Social Services, whose job had been to investigate claims of abuse and neglect against minors and disabled adults, stole and then sold the personal information of abuse victims.  The Greensboro News & Record reported that the DSS employee sold the personal information to two tax return preparers in Greensboro, who listed the stolen identities on their clients' returns in order to claim inflated tax refunds on the clients' behalf.   The preparers paid the DSS employee $200 to $300 per identity. 

The lesson here is fairly straightforward: Even the best software will not protect an organization from a breach at the hands of a dishonest (or foolish) employee or contractor.  Technical controls still matter in these cases, but they are controls on people: limiting each employee's or contractor's access to the customer records he or she actually needs, and logging and reviewing that access so that misuse is noticed before a stranger finds the data in a car.  It is therefore important to focus not only on preventing hackers from penetrating your organization's computer systems, but also to recognize the very real possibility of a breach and establish a response plan that complies with the law and mitigates the liability and reputational risk to the organization.

When an employee obtains unauthorized access to customer information about N.C. residents, the employer must quickly determine the following:
  1. Which laws apply?  (North Carolina's general ID theft statute and/or industry-specific statutes, such as federal financial institution law or healthcare law)
  2. Does the information accessed include protected information?
  3. Has a "breach" actually occurred as defined under the applicable law(s)?
  4. Does the law require a notice to customers?
  5. What must, or should, the customer notice include?
  6. Does the law require a report to authorities?  If so, which authorities?
  7. What must, or should, the report to authorities contain?
  8. What steps can be taken to mitigate losses?
  9. What immediate steps can be taken to prevent similar incidents?
  10. What steps does any existing breach response policy require?
  11. What steps do existing contracts require, if any?
  12. Who will be responsible to take these steps?
Addressing these issues in a well-crafted policy and procedures prior to a breach can help limit losses and provide much-needed direction in the event of a breach.

Sunday, January 19, 2014

My Sincere Thanks

I would like to take a moment to thank the lawyers across North Carolina who participated in the peer review processes conducted by Business North Carolina magazine and Super Lawyers (a Thomson Reuters publication).  Thank you for your votes of confidence.  While there are many stellar lawyers who were not included in these lists, it is a great honor to be named along with the exceptional lawyers who were listed this year, including several of my colleagues at Ward and Smith.

I was very honored to have been included among the Business North Carolina Legal Elite for 2013 in the "Young Guns" category (for lawyers under 40 from all practice areas).   For 2014, I was named in the "Business Law" category.  I was also named a "Super Lawyers Rising Star" by Super Lawyers in 2014, a distinction reserved for just 2.5% of eligible lawyers across the state.

What Does Inclusion in the "Legal Elite" Mean?

When Business North Carolina magazine surveyed more than 20,000 North Carolina attorneys, they asked only one question: "Whom would you rate among the current best in these categories?" Fewer than 3% of the lawyers in North Carolina were selected for the distinction.

What Does Inclusion in "Super Lawyers" Mean?
 
Super Lawyers' stated objective is to create a credible, comprehensive listing of outstanding attorneys. Super Lawyers compiles its list each year using peer nominations from lawyers around the state, peer evaluations, and independent, third-party research. Each candidate receiving sufficient nominations from across the state is evaluated on 12 criteria of professional achievement.

The selection process for the "Rising Stars" list is the same as the ordinary Super Lawyers selection process, with one exception: to be eligible for inclusion in Rising Stars, a candidate must be either 40 years old or younger or in practice for 10 years or less. The idea is that it is very difficult for young lawyers to develop a significant statewide reputation within the first ten years of practice, so a separate process is used for them. While up to 5 percent of the lawyers in the state are named to Super Lawyers, no more than 2.5 percent of eligible lawyers are named to the Rising Stars list.

To the lawyers who take the time to participate in this and other peer review surveys, I offer you my sincere thanks.  May 2014 bring you all the success and recognition you have earned!

Thursday, January 16, 2014

Is a Nationwide Information Security Law in the Works?


A nationwide "bipartisan and comprehensive approach" to information security may be making its way through the Senate soon. 

Senators Tom Carper and Roy Blunt unsuccessfully attempted in the last Congressional session to push through a comprehensive data security bill. Yesterday (January 15) they introduced a revised version of the bill, titled the Data Security Act of 2014. In the wake of the massive Target breach, it might stand a better chance of passage. 

The bill would go farther than the privacy and data security provisions of the Gramm-Leach-Bliley Act, which have been in effect for more than a decade. It would require businesses, governments, and other organizations to take steps beyond those required under existing law to protect private information, address security breaches, and quickly notify customers of breaches. Currently, nearly every state has its own privacy and data security laws, which creates a maze of compliance issues for organizations that are active in more than one state. One aim of the Data Security Act is to standardize the law throughout the nation.

The Data Security Act of 2014 has been assigned to the Senate Banking, Housing and Urban Affairs Committee for review. Similar bills by Senator Patrick Leahy and Senator Pat Toomey are being considered by the Senate Judiciary Committee and the Senate Commerce Committee, respectively.

You can read the full text of the Data Security Act of 2014 here.


Saturday, January 4, 2014

A Resolution for Your Organization for 2014: Understand and Manage Privacy and Information Security Risks

(c) Matt Cordell
As a business owner, manager, or executive, you probably have a long list of things you'd like to see your organization accomplish in 2014.  Perhaps you've even come up with some New Year's Resolutions for your organization.  Maybe you're like most of us, and your goals for 2014 are not quite so precisely defined.  I'd like to encourage you to consider making a resolution to ensure that your organization has a firm grasp on privacy and information security issues so that you can take control of the risks they present.  You'll feel much better once you have a handle on these issues.

Recent headlines have been replete with disastrous news of privacy and information security breaches.  Target's breach, affecting 40 million credit and debit card accounts, reportedly resulted in customer information being sold on black markets.   Millions of users of Snapchat (one of the fastest-growing social media platforms) saw their private information leaked online this week.   LivingSocial, Evernote, and Adobe each experienced major data breaches in 2013, resulting in tens of millions of user accounts being compromised.   Other companies reporting breaches in 2013 include T-Mobile, Travelocity, Cracker Barrel, Facebook, JP Morgan, Bed Bath & Beyond, UNC-Chapel Hill, the federal Food and Drug Administration, and hundreds of charities, government entities, medical providers, and educational institutions.  

Records compiled by the Identity Theft Resource Center show that in 2013 there were at least 619 reported breaches affecting more than 57 million individual records.  (Most breaches probably go unreported.)  A study conducted by online risk management firm NetDiligence reported that in 2013, the average total cost to a company of a security breach was $954,253, with an average legal settlement cost of $258,099 and average legal fees of $574,984.

As diligently as companies try to prevent privacy and information security incidents, there will always be gaps in the armor that result in unauthorized disclosures, whether intentional or accidental, internal (employees) or external (hackers).  It is unreasonable to simply assume that all of these risks can be eliminated.  Instead, it is wise to take steps now to proactively address the legal risks.   

To make it easy (okay--less overwhelming), I have created a short list that will help you get started on your way to understanding and managing your legal risks associated with privacy and information security:

1. Establish Commercially Reasonable Security Measures and Policies.  
 
Identify the most common types of threats to your organization and take commercially reasonable measures to prevent them. This should include adopting technological standards and complying with all applicable laws.  

  • You may have a sense of the risks your organization faces and the weaknesses in your existing systems, but I strongly encourage you to consult the studies of reported breaches to see what, statistically speaking, are the major sources of breaches.  You might be surprised.  For example, according to a NetDiligence study of cyber insurance claims filed, the most common cause of an information security breach in 2013 was a lost or stolen laptop or device (accounting for more than 20% of the claimed incidents), followed closely by malicious hackers (accounting for more than 18%).  Keep in mind that such figures describe incidents that resulted in insurance claims, not every breach that occurred, but they are a useful corrective to the assumption that the threat is only remote attackers.
  • Review existing contracts to identify any contractual data security obligations you already have.  What standards and requirements are imposed by those contracts? Confirm that you are in compliance with those obligations.  For example, if you accept payments by card, your agreements with your acquiring bank or processor almost certainly require compliance with the Payment Card Industry Data Security Standard (PCI DSS); confirm that you actually meet it.  
  • Identify the best practices in your industry for organizations with similar risk profiles.  If your policies and procedures do not meet the industry standards, you are much more likely to suffer liability in the event of a breach.
  • Understand the various privacy and information security laws that apply to your organization.  (Ignorance of the requirements will not be a defense.) 
  • Establish a comprehensive privacy policy for your organization that complies with applicable laws and mitigates the organization's risk of loss.  Also establish a privacy policy statement to share with customers, website visitors, etc.
2.  Adopt a Data Security Breach Response Plan and Train Staff

Decide now how your organization will respond to a breach, and document your response plan in writing. Involve IT professionals and knowledgeable legal counsel to ensure that the plan is feasible and complies with the law. Having a plan in place, and following it, can mitigate losses and help protect your company from subsequent liability if lawsuits or government actions follow the breach.

3.  Due Diligence on Third Parties.  

With whom are you sharing customer, client, shareholder, or employee information?  Several recent major data security breaches have taken place within third-party vendors who had no direct relationship with the customer, and the customers typically sue the company with which they have a direct relationship, in addition to the vendor. Conduct a commercially reasonable due diligence process to ensure only responsible vendors are deemed eligible.  Knowing the right questions to ask is key.

4.  Sign Only Well-Drafted Contracts

Some risks of loss arising from data security can be reduced through well-drafted contracts with customers, third-party vendors or financial institutions.  If you merely assume that your vendors or financial institutions will make your organization whole in the event of a breach (wherever the breach takes place), you are probably mistaken.  Most of the proposed contracts I have seen presented to companies by third-party vendors are woefully inadequate to protect the company if the vendor fails to prevent a breach of the company's customer data.  Involving knowledgeable legal counsel when entering into, or re-negotiating, agreements with third-party vendors that will have access to your customers' information can save potentially massive amounts of money down the road.  Even if agreements are already in place, it may be worthwhile to have them reviewed by legal counsel to (i) understand the risks, and (ii) determine whether it is necessary to attempt to re-negotiate.

5.  Cybersecurity Insurance

A number of firms now offer insurance against losses arising from data security breaches, either as a separate line or as an addition to directors and officers liability insurance coverage. This is another opportunity to spend a small amount that may ultimately save a company massive amounts later.


My hope is that this brief summary will enable you to identify the steps needed to get a firm grasp on some of the fastest-growing risks facing organizations today.  Subsequent blog posts will elaborate on some of the topics identified here.

Thursday, January 2, 2014

How to Prepare for a Data Security Breach Before It Happens

Just days ago, Target released a statement confirming an information security breach affecting 40 million credit and debit card accounts.  Already, card information has reportedly flooded the black markets.  Several million usernames and phone numbers of Snapchat users were apparently leaked online this week.  It was reported that LivingSocial, Evernote, and Adobe each experienced major data breaches in 2013, resulting in tens of millions of user accounts being compromised.  At least one commentator has estimated that the top five largest breaches of 2013 alone affected about 450 million user records.  If even large organizations with significant resources and tech-savvy IT staff cannot always prevent data security breaches, what are the odds your company will be 100% successful in avoiding a breach?  It seems almost irresponsible these days to assume that you can stop every attack indefinitely.  Instead, we must face the reality that an information security breach is possible, and therefore take steps now to address the risk. 
 
In April, I wrote a blog post for the North Carolina Business and Banking Law Blog on this topic.  You can read the full piece here.  Below are some key points to consider:
  • Approximately 46 states and the District of Columbia have data breach notification laws.
  • Data breach notification laws typically require a company to notify the affected customers and, depending on the state and the size of the breach, the attorney general and the consumer reporting bureaus.
  • Breaches affecting a small number of customers may not be required to be reported to officials.
  • According to the Identity Theft Resource Center, a nonprofit group that tracks data security breach reports, there were 447 (reported) data security breaches reported in 2012, covering 17,317,184 individual records.
  • A study conducted by online risk management firm NetDiligence reported that in 2011, the average total cost to a company of a security breach was $3.7 million, with an average legal settlement cost of $2.1 million and average legal fees of $582,000.
  • 26% of data breach lawsuits were brought against companies in the financial services sector, with 20% in the health care sector and 10% in the retail sector.
What can a company do now--before a breach--to address this risk?
  • Commercially Reasonable Security Measures and Policies.  Companies should know the most common types of threats and take commercially reasonable measures to prevent them.  This should include adopting technological standards and complying with all applicable laws.  
  • Adopt a Data Security Breach Response Plan and Train Staff.  Prepare now for how your company will respond to a breach.  Involve IT professionals and knowledgeable legal counsel.  Having a plan in place, and following it, can mitigate losses and help protect your company from subsequent liability if lawsuits result.
  • Due Diligence on Third Parties.  Several recent major data security breaches have taken place within third-party vendors who had no direct relationship with the customer, and the customers typically sue the company with which they have a relationship in addition to the vendor.  Conduct a commercially reasonable due diligence process to ensure only responsible vendors are deemed eligible.  Knowing the right questions to ask is key.
  • Well-Drafted Contracts.  Some risks of loss arising from data security can be reduced through well-drafted contracts with customers, third-party vendors or financial institutions.  Most of the proposed contracts I have seen presented to companies by third-party vendors are woefully inadequate to protect the company if the vendor fails to prevent a breach of the company's customer data.  Involving competent legal counsel when entering into agreements with third-party vendors that will have access to your customers' information can save potentially millions of dollars down the road. 
  • Cybersecurity Insurance.  A number of firms now offer insurance against losses arising from data security breaches, either as a separate line or as an addition to directors and officers liability insurance coverage.   This is another opportunity to spend a small amount that may ultimately save a company massive amounts later.
Given the enormous losses sustained as a result of the reported breaches, it is imperative that businesses recognize the risks presented by data security breaches and take steps to mitigate them before a breach occurs.

Wednesday, January 1, 2014

Legal Aspects of Security Breaches, Unauthorized Transfers, and Corporate Account Takeovers

Last month, the CEO of BNY Mellon told the American Banker that his bank's greatest single concern is cybersecurity.  We live in an era where a security breach can be devastating to a variety of businesses, whether through a direct loss of funds, civil liability, or massive reputational harm to a brand.

Some of the fastest-developing topics I encounter in my law practice involve security breaches, unauthorized transactions, and corporate account takeovers.  Several weeks ago, I addressed the legal aspects of these issues in a presentation delivered at the North Carolina Bankers Association's Security Summit.  Some of the questions addressed in the presentation included the following:


  • What obligations under federal and North Carolina law do businesses have when there has been a security breach involving customer information?
  • At what point does an incident involving customer information rise to the level of a "security breach" for which the applicable laws require specific responses? 
  • Who must bear the loss when there is an unauthorized transfer of funds in a consumer's bank account?
  • If a company's bank account is compromised (hacked) in a "corporate account takeover" and funds are transferred from the account without authorization, is the bank required to refund the company's money?


I am posting the slides from my presentation here so those who were not able to attend the Security Summit will be able to see the highlights of the talk.*  I hope you find this information helpful.  (Please feel free to share this blog post with others who might benefit from this information.)

The importance of these issues continues to grow, and I intend to speak and write more about these and related topics in the coming days. 

[*As with all of the information I post here on the blog, this is shared for general educational purposes only, and does not constitute legal advice.  I will not be updating this information as the law develops, and I reserve the right to change my position on any issue addressed in these materials in the future.]