In his recently published book, Cybersecurity for Executives: A Practical Guide, Retired Brigadier General Gregory Touhill, now Deputy Assistant Secretary at the Department of Homeland Security Office of Cybersecurity and Communications, offers the following quote from Congressman Mike Rogers, Chairman of the House Intelligence Committee, on the state of cybersecurity: “There are two kinds of companies. Those that have been hacked, and those that have been hacked but don’t know it yet.” What makes the quote particularly interesting? It is from 2011 – long before the headlines regarding Target, eBay, and Adobe, not to mention the recently reported efforts of Russian and Chinese hackers. In light of all these events, the question arises: “How concerned should directors and officers be about cybersecurity?” Most experts would respond, “very.”

In October 2011, the SEC Division of Corporation Finance issued its Disclosure Guidance on cybersecurity. The Guidance suggested several risk factor disclosures, including a discussion of material cybersecurity risks to a registrant’s business or operations, a description of cyber incidents experienced by the registrant, and a description of relevant insurance coverage. A report prepared by the insurance brokerage firm Willis in August 2013, based on a review of 10-Ks and annual reports filed by the Fortune 1000, suggested that companies were describing the possibly material risks to their businesses in broad terms, but were not adequately disclosing actual cyber events or their cyber-related insurance coverage. Notably, only a few months prior to the Willis report, SEC Chairman Mary Jo White asked her staff to brief her on current cybersecurity disclosure practices for publicly listed companies, and to provide recommendations for further SEC action.

Significantly, in a speech delivered in June 2014 at the NYSE “Cyber Risks and the Boardroom” Conference, SEC Commissioner Luis Aguilar suggested one source of guidance for boards regarding cybersecurity.  In February 2014, the National Institute of Standards and Technology (NIST), pursuant to an Executive Order from President Obama, released the first version of the Framework for Improving Critical Infrastructure.  The NIST Framework is intended to provide companies with a set of industry standards and best practices for managing their cybersecurity risks. In his speech at the NYSE conference, Commissioner Aguilar noted, “While the Framework is voluntary guidance for any company, some commentators have already suggested that it will likely become a baseline for best practices by companies, including in assessing legal or regulatory exposure to these issues or for insurance purposes.”   In concluding his speech, Commissioner Aguilar cautioned board members, “Given the heightened awareness of these rapidly evolving risks, directors should take seriously their obligation to make sure that companies are appropriately addressing those risks.”

The obvious takeaway from all of the above is that directors and officers (and their counsel) need to remain closely attuned to both current and future guidance from the SEC both in terms of meeting their obligations to address their company’s own cybersecurity and with respect to their disclosure and reporting obligations regarding cybersecurity.

Finally, anyone interested in understanding the latest developments in cybersecurity, data breaches, privacy law, and related insurance issues should consider attending DRI’s inaugural Data Breach and Privacy Law Seminar in Chicago on September 11-12, 2014. For more information and to register, go to: http://www.dri.org/Event/20140065


Categories: Privacy | Seminar


 

The Employment and Labor Law Committee is one of several DRI committees participating in DRI's inaugural Data Breach and Privacy Law Seminar, September 11-12, 2014 in Chicago.

It seems like every day when we open a newspaper or turn on the TV, there is another report of a significant data breach, followed by customer outrage and lawsuits! This seminar will offer presentations from data security and privacy professionals who are at the forefront of cutting-edge data security and privacy issues, as well as industry leaders who will provide valuable insight and practical experience. I encourage you to attend.

Attendees will learn from real world scenarios and obtain concrete takeaways to aid in understanding and navigating the field of data security, including presentations on topics such as: 

• The "science" of cyber attacks
• Industry standards for privacy and data protection
• Theories of civil liability and data security breach
• Technical requirements for the protection of health records
• Effective strategies to respond to data breach incidents, including insurance coverage
• Data security ethical issues

The seminar will be an excellent educational and networking opportunity for everyone who attends.  Our committee helped shape the topics and I know you will benefit from attending.


Categories: Privacy | Seminar


 


Earlier this week, the ABA adopted a resolution encouraging all private and public sector organizations, including law firms, to adopt appropriate cyber security programs. An accompanying report cites the growing sophistication and frequency of cyber crimes. It notes, in particular, the importance of law firms to be proactive in protecting sensitive client information. According to the report, as many as 80 law firms were hacked in 2011 alone. The ABA’s report cites the ethical obligations of attorneys both to understand the risks of modern technology and to adequately protect client information. 


DRI is getting out in front of cyber risk issues. It is launching its first ever Data Breach and Privacy Law Seminar, September 11–12, at the Conrad Chicago. The seminar will address cyber risks, theories of liability for data breaches, preparing in-house response plans, insurance coverage for cyber crime, and other issues relating to data security. The seminar brochure provides registration details. Anyone involved in law firm or corporate risk management and any lawyer advising or representing clients on these issues should attend.


Categories: Privacy | Seminar


 

A Massachusetts jury recently awarded a $14 million wrongful death verdict against a nursing home. Dollar amount aside, this verdict is staggering because it includes a $12.5 million punitive damages award, meaning the jury was trying to punish the facility for its alleged poor care. The facility admitted it failed to administer proper care to the decedent resident, but it rejected claims that the neglect led to the resident’s death.

Was there a way for the facility to avoid this trial, or at least avoid being slammed with a judgment that included punitive damages? Were documents available that may have substantiated the facility’s assertion that its negligence did not lead to the resident’s death? Perhaps early case resolution techniques could have been used to resolve this matter at the outset? This year’s DRI Nursing Home/ALF Litigation Seminar offers sessions that address these questions and more. Timothy Cesar, Brookdale Senior Living, Inc., and attorney Bradley Kelly will lead “Putting the ‘Ending’ in Defending Litigation” and discuss how both sides to a dispute can best utilize early case resolution to their advantage. Similarly, during “Ancillary Evidence May Be the Key to a Successful Defense,” Tracey Maw, RN, MSN, will discuss how information collected by a facility beyond a resident’s formal chart may be harnessed to benefit a facility in litigation.

The 2014 Nursing Home/ALF Litigation Seminar will be held September 18–19, 2014, at the Swissôtel Chicago. Register today.


Categories: Seminar


 

I often thought about myself or my law firm when it came to attending networking events.  After attending my fourth Young Lawyers Seminar last week in Denver, I realized that there is much more to networking and socializing than the obvious benefit of establishing relationships that will one day generate business. 

In the past year or so, I found myself in a position to refer several pharmaceutical defense cases to local counsel around the country: one in Virginia; one in Oregon; others here and there.  I immediately went to the DRI member directory to find DRI members who practice in those jurisdictions.  I also asked my fellow Young Lawyers Committee members who they knew in certain jurisdictions.  I came away with several referrals, and was able to place the matters after clearing conflicts checks.  Simple enough, right?  There’s more.

In Denver this past week, I saw one of the Young Lawyers who was able to accept one of these referrals.  She’s doing a phenomenal job representing our client.  This was my lightbulb moment.  Networking and building referral sources isn’t always about our own book of business; it’s about being part of an organization that fosters skill, experience, and professionalism.  It’s about being part of an organization in which our clients are benefitted by our contacts and friendships.  Our clients reap the rewards by being referred to the best defense attorneys and law firms in the world.  So the next time you approach a networking opportunity, consider all that your clients can benefit by your membership in DRI.  They will thank you.


 


The trucking industry is at a crossroads with regard to more aggressive plaintiffs’ counsel, regulatory attacks and reptile theory strategies. Which way will all this go? Will 21st Century transportation be plagued with drawn-out and costly litigation, will it demand more creative strategies from defense counsel, or is aggressive claim resolution/mediation the key? How does the transportation risk leadership respond to such change? The DRI Trucking Law Seminar, June 19-20, 2014, at The Cosmopolitan Hotel, looks set to address many of these issues.


Categories: Seminar | Trucking Law


 

As the recent Target and Neiman Marcus data breaches have made clear, cyber security is one of the top threats to business today.  These threats can be devastating to companies - damaging customer confidence, the company brand, and the bottom line by increasing costs through remediation costs, lost revenues and customers, litigation, and fines.  Governments and customers are now holding businesses accountable for inadequate protection of customer data.  

It has been reported that 24% of data breaches occur in retail environments and restaurants, and the average total cost to a US company of a data breach is approximately $5.4 million. There are 46 different state statutory schemes and a host of federal regulations that apply to the collection and storage of data and the prevention and reporting of a breach. These rules often contradict one another. An interstate or internet retailer, however, must comply with the laws of the states in which a customer makes a purchase.
 
While consultants, IT experts, insurance and security firms can be integral parts of a Data Protection plan, they are only players on the team.  In fact, many experts are engaging in breach event information sharing to assist each other in identifying and defending against cyberthreats.  Cyber security concerns are now part of doing business, and general counsel and C-Suite executives must be ready to guide their companies through these complex issues.  

Prevention
Prevention is the first step to minimizing cyber security liability.  The following steps can help minimize the cost and likelihood of security breaches:   
• Security measures before a breach.  Studies have found that having an incident response plan, establishing a strong security infrastructure, and appointing a Chief Information Security Officer can lower the costs of a data breach by approximately 50%.  
• Cyber-security audits.  Businesses should conduct regular cyber-security audits and limit the access of sensitive data by third parties and employees.  
• Cyber-security insurance.  Businesses should review insurance policies to determine whether and to what extent they are covered for cyber-security threats.  
• Encryption.  If a data breach occurs, encryption can help minimize liability.  

Notification
If a data breach occurs, businesses must immediately determine whether they have notification obligations under federal or state law.  Congress has yet to enact comprehensive federal law governing notification in the private sector, so businesses must conduct a state- and industry-specific analysis.  The following are examples of notification obligations: 
• Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act.  HIPAA requires covered entities to protect against reasonably anticipated threats or hazards to security.  The HITECH Act requires covered entities and business associates to notify the individuals whose protected health information was accessed no later than 60 days after the breach was discovered.  If the breach affects more than 500 individuals, the law also requires notification within 60 days after the breach was discovered to the US Department of Health and Human Services and the media.  
• Gramm-Leach-Bliley Act.  This act requires financial institutions to publicize their privacy policies and establish internal safeguards and procedures to protect customer information.  Related guidelines require covered financial institutions to notify customers whose personal information has been subject to unauthorized access or use if misuse of the customer’s information has occurred or is reasonably possible, unless law enforcement determines that notification will interfere with a criminal investigation.  
• Securities & Exchange Commission.  The SEC has issued guidance stating that publicly traded companies should report certain instances of cyber incidents.   
• State law.  Currently, 46 states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted laws requiring notification of security breaches involving personal information.  

Potential Litigation
Businesses should be ready for litigation if a data breach occurs.  Potential claims by private parties and the government include: 
• State-law claims.  Businesses could face suits under individual states’ consumer protection laws, tort and contract law, fiduciary requirements, and other cyber security rules.   
• FTC Safeguards Rule.  The FTC has brought numerous enforcement actions to address whether businesses’ security systems are reasonable and appropriate to protect consumer information.  
• SEC Enforcement Actions.  The SEC’s Division of Corporation Finance has taken the position that public companies should disclose their risk of cyber incidents.  Failure to disclose cyber security breaches or risks could lead to actions under securities anti-fraud provisions like Rule 10b-5 or books and records violations under Rule 13b2-2.  

Conclusion
A business’s cyber-security obligations are too complex to address in this blog.  Regardless, it is critical for businesses to be prepared.  In-house counsel are invited to join Polsinelli attorney Leon Silver and Kevin Morgan of Grant Thornton at DRI’s 2014 Retail & Hospitality Litigation and Claims Management Seminar, May 15, 2014 in Chicago at the Westin Chicago River North Hotel for a presentation titled “Cybersecurity and Data Governance:  The 21st Century Legal Issue.”


Categories: Corporate America | Retail | Seminar


 

Nowadays, everywhere you go, someone is watching.  Why?  Because surveillance cameras are in every store, restaurant, hotel and gas station around the country.  The primary purpose of these cameras may differ among the many industries that use them, but one thing is certain: if a customer is injured, the surveillance footage will be an issue.  

Two scenarios that every industry and claims examiner must respond to on a regular basis are: (1) an attorney sends a letter demanding the preservation of footage after an incident; and (2) a customer incident occurs with no attorney involvement and a decision must be made if footage should be preserved, and if so, what footage. These issues typically arise very soon after a customer incident takes place because time is of the essence when dealing with surveillance footage. Most systems are digital and the amount of time you have to preserve the footage depends on the size of the DVR memory. Therefore, the first and one of the most important things a claims examiner must do is know the capabilities of your company’s surveillance system. Know how it works and most importantly, know the typical amount of time you have before footage is gone.  

Once you know how much time you have to ensure the preservation of footage, the next question is whether to preserve.  The short answer is, YES, PRESERVE! Surveillance footage can both hurt and help your defense but the failure to preserve, even when the incident cannot be seen, will almost always hurt. When it is not preserved, you run the risk of being hit with a spoliation claim or negative inference.

The next question is how much footage to preserve. The easiest way to answer this question is to know your jurisdiction and the judges who will rule on any motions about video preservation. It usually comes down to what is reasonable.  Is 60 days of footage reasonable?  Not in my opinion and not in the opinion of the judges of my jurisdiction. Typically what we have seen as “reasonable” is preserving a few hours before the incident and thirty minutes to an hour after the incident. If that is the amount of footage preserved, it would be unusual for a court to find that improper.  

Since the decision of how much footage to preserve is almost always made before a lawsuit is filed, it is important for counsel and claims examiners to discuss these issues ahead of time and have a standard policy of how much to preserve.  When opposing counsel asks for 60 days to be preserved, you should have standard language to respond to this demand so it can be properly and timely addressed and not create discovery problems down the road.  

Preservation issues with surveillance footage are here to stay because more cameras and more advanced systems are installed every day.  It is an issue that every retailer, claims examiner and defense attorney must handle and be well versed in or problems will arise.  You can learn a great deal more about this topic and how it impacts your practice and company at DRI’s 2014 Retail and Hospitality Litigation and Claims Management Seminar.  The seminar is taking place on May 15-16, 2014 in Chicago, Illinois at the Westin Chicago River North.  There will be many informative presentations impacting the retail and hospitality industries and you will not want to miss Thomas E. Best from The Home Depot and Suzanne M. Marasco from Hill Wallack, LLP give a revealing presentation on “Preserve Your CCTV or Else?” 




Categories: Seminar


 

Is There A Doctor in the House?

Posted on March 7, 2014 03:41 by Patrick J. Kearns

The Patient Protection and Affordable Care Act, often referred to as the “Affordable Care Act” (ACA), or perhaps more commonly “Obama Care,” has had no shortage of media coverage and controversy since it was signed into law nearly four years ago (Yes, it has been 4 years! President Obama signed the Act into law on March 23, 2010).  Several aspects of the ACA have been, for better or worse, more “visible” than others; such as the heavy focus on the “individual mandate,” i.e. the requirement that uninsured citizens obtain health insurance or pay a penalty; the impact on employers and small businesses; and the more recent website debacle where many people seeking to sign up for health insurance on the newly created exchanges were unable to do so due to technical issues with the ACA’s www.healthcare.gov website. 

One of the less discussed issues with the ACA however, is the potential for a massive provider shortage.  At its basic level, one of the primary purposes of the ACA is to increase the number of insured Americans. Indeed, according to various estimates, the implementation of the ACA is anticipated to provide insurance to 25-30 million additional individuals who would otherwise not be insured: “[T]he Affordable Care Act will also ensure that every American can access high-quality, affordable coverage, providing health insurance to nearly 30 million Americans who would otherwise be uninsured.” (Quoted from 2014 Funding Highlights bulletin published on www.whitehouse.gov). Coupled with provisions providing for free or reduced cost annual exams; greater Medicare coverage; increased coverage for younger adults; and increased coverage for preventative care and testing such as mammograms and colonoscopies; that means more insured people utilizing more health care services. Consequently, the question arises of whether we have enough physicians and providers to administer the increased health care demands?  

The Obama administration has acknowledged this potential and recently proposed a Fiscal Year 2015 Budget for the Department of Health and Human Services which attempts to address this contingency, at least in part. According to the HHS’s “Fiscal Year 2015 Budget in Brief,” “[t]he Budget makes new and strategic investments in our nation’s health care workforce to ensure rural communities and other underserved populations have access to doctors and other providers. In total, $14.6 billion will be invested in three key initiatives: $4 billion in expanded funding for the National Health Service Corps, $5.2 billion for a new Targeted Support for Graduate Medical Education program, and $5.4 billion for enhanced Medicaid reimbursements for primary care.” (U.S. Dept. of HHS “Fiscal Year 2015 Budget in Brief”; http://www.hhs.gov/budget/fy2015/fy-2015-budget-in-brief.pdf).

While the long-term idea behind the ACA may be to reduce health care costs and the need for excessive or increasing health care services (i.e. an insured population is presumably healthier and will therefore require less health care), will we have enough physicians, nurses, and other providers necessary to get us healthier in the short term? 

The full impact of the Affordable Care Act, positive or negative, remains to be seen. You can learn a great deal more about the Affordable Care Act, the difficulties with its implementation, and its impact on you and your practice, at DRI’s 2014 Medical Liability & Health Care Law Seminar, taking place in Las Vegas on March 20–21, 2014 at the Cosmopolitan Hotel.  Among many top-notch presentations at this year’s seminar you will not want to miss Kimber Lantry, Executive Vice President for AXIS Insurance’s Health Care Unit, give a fascinating presentation on “The Unintended Consequences of the Affordable Care Act.”


 

“Diversity” is a concept at center stage in today’s ever-changing world. And all of us have heard or used the phrase “be politically correct.” Diversity can be visually obvious, such as age, gender, and race. But there are many facets of diversity that are not visual, such as religion, politics, sexual preference, etc. And even if diversity is totally obvious, oft times we simply don’t know what to do with diversity! Do we avoid eye contact, or address it head on?  As attorneys, how do we tap into the power of diversity to make us better people, counselors, colleagues and litigators? None of us want to be the next Paula Deen or Duck Dynasty patriarch!  As lawyers, what do we need to know about diversity and trial tactics to provide our clients with the best defense? In a medical case it’s a given that throughout the case we will encounter many people who look different than us, practice different religions, come from different cultures, and so on. From the patients, to the admissions clerk, to the nursing staff, to doctors, clients and jurors, the various human differences are mind boggling. How do we go from “tiptoeing” around our differences to weaving diversity into our cases to achieve winning strategies? 

Learn more about how you can address diversity issues in your practice and during trial at DRI’s Medical Liability and Health Care Law Seminar, taking place at the Cosmopolitan Hotel in Las Vegas March 20–21, 2014. You will not want to miss the presentation on “Diversity in the Courtroom: Putting the Odds in Your Favor.”


Categories: Diversity | Seminar


 
 
