Two recent studies show an increasing need for companies to better train their employees in data security to prevent data and monetary loss. On September 7, 2016, Wells Fargo Insurance released a study on cyber security showing some interesting trends in companies with $100 million or more in annual revenue. The second-annual study questioned 100 decision makers on issues of data, hackers, network vulnerabilities, and other cyber security matters. The study showed that companies were nearly twice as concerned with losing private data as they were with being hacked or having some other security breach disrupt their system.
In particular, Wells Fargo noted the surprising trend that companies are not more concerned with employee misuse of technology (finding only 7% of companies believed that their employees’ misuse of technology posed a potential threat). Yet this is a real issue. This was confirmed in another study released this month by the Ponemon Institute – 2016 Cost of Insider Threats – which showed that organizations are spending on average $4.3 million annually to mitigate and resolve insider threats. “Companies perceive insider threats as mostly driven by malicious employees, but the fact is that a significant portion of the risk is due to insider carelessness.”
The Ponemon report polled 280 IT and security practitioners from medium and large organizations. It found a total of 874 insider incidents over the course of a year, 65% of which were caused by employee or contractor negligence, 22% by malicious employees or criminals, and about 10% by imposter fraud. The security incidents from negligence cost the respondents about $207,000 per incident and about $2.3 million annually.
But both studies point out that what companies are doing to combat what has been termed “the human factor,” or an employee’s misuse of technology, is not enough. As noted in the Ponemon report, the “training programs that companies have are just not very good. They are really focused on check-the-box compliance requirements to show everyone that [the] company [has] training on data protection.” Wells Fargo noted, “[c]yber risk management is first and foremost about education,” and this applies to companies both big and small. In the domain of imposter fraud alone, where a fraudster gains access to (or convincingly spoofs) the email account of a company’s senior executive and then requests a payment, a scheme commonly called business email compromise, the professional risk practice at Wells Fargo handles five to ten of these incidents each week, from clients that are not well-known brands.
In addition, the time to contain these insider-related incidents correlates directly to the total cost to the company. The Ponemon study showed that it took more than 60 days to contain the incident or attack for 58% of their sample, with another 20% experiencing containment within 30 days.
So what should companies be doing? Companies are most frequently using data loss prevention tools and mandatory user training and awareness. However, as the Ponemon study shows, deployment of user behavior analytics would result in the largest total cost savings, at $1.1 million (based on the mean annual cost of $4.3 million), and could drive the most impact in terms of return on investment. The recommendation is to focus on visibility and transparency – not on stringent controls – and to build “a layered defense that delivers a comprehensive range of capabilities across visibility, detection, context and rapid response.”
© Polsinelli PC, Polsinelli LLP in California
As most of you know, in May 2016 the Department of Labor (DOL) released its long-awaited Final Rule modernizing the Fair Labor Standards Act’s (FLSA) white-collar exemptions to the overtime requirements of the FLSA. See our rundown of the changes in our earlier post. The new rule is scheduled to take effect December 1, 2016.
This week, however, 21 states banded together to express their disapproval of the Final Rule and filed a lawsuit against the DOL. The states challenging the constitutionality of the rule are: Alabama, Arizona, Georgia, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Michigan, Mississippi, Nebraska, Nevada, New Mexico, Ohio, Oklahoma, South Carolina, Texas, Utah and Wisconsin.
The primary argument in the states’ lawsuit is that the new FLSA rule will force many businesses—particularly state and local governments—to unfairly and substantially increase their employment costs. For state governments in particular, the states allege that the new rule violates the Tenth Amendment by mandating how state employees are paid, what hours they will work and what compensation will be provided for working overtime. The lawsuit also alleges that implementation of the new rule will disrupt the state budgeting process by requiring states to pay overtime to more employees and would ultimately deplete state resources.
It’s no coincidence that more than 50 business groups—including the US Chamber of Commerce and the National Association of Manufacturers—filed a similar lawsuit on the same day and in the same court. This lawsuit alleges, among other things, that the new rule disregards the mandate of Congress to exempt white-collar employees from the overtime requirements of the FLSA.
How the courts will handle these parallel cases is an unknown. For now, employers—both public and private—are encouraged to proceed as though the new rules will take effect on December 1, 2016 as scheduled.
In an opinion released this morning, the Illinois Supreme Court held that the right of trial by jury includes the right to demand a 12-member jury. In Kakos v. Butler, 2016 IL 120377, the Court held that Public Act 98-1132, which bars a litigant from exercising this right, and the statute it amended, 735 ILCS 5/2-1105(b), were “facially unconstitutional.” Kakos, 2016 IL 120377, ¶ 37. Because the provision regarding jury size could not be severed from the entirety of the Act, the Court invalidated the entire Act.
Public Act 98-1132 (effective June 1, 2015), which amended section 2-1105(b) of the Code of Civil Procedure, limited the size of a civil jury to six persons and increased the amount paid per juror across the state. In Kakos, the plaintiffs filed a complaint at law alleging multiple counts of negligence and loss of consortium against the defendants. The defendants then moved to request a 12-person jury and sought a declaration that P.A. 98-1132 was unconstitutional. The circuit court agreed with the defendants and granted the motion, finding that the Act was facially unconstitutional and violated separation of powers. The plaintiffs then appealed to the Illinois Supreme Court as a matter of right under Rule 302(a).
According to the Supreme Court, “it is clear that the drafters of the 1970 Illinois Constitution intended for the essential common-law features of a jury trial as then employed to be preserved and protected.” Kakos, 2016 IL 120377, ¶ 36. The Court said that Article I, section 13, of the Illinois Constitution “reveals an intent on the part of the drafters to maintain common-law characteristics of jury trials.” Id. Article I, section 13, provides: “The right of trial by jury as heretofore enjoyed shall remain inviolate.” Id. ¶ 13. According to the Court, “[t]he phrase ‘as heretofore enjoyed’ plainly indicates that the drafters intended for certain characteristics of a jury trial to be maintained.” Id. It further observed, “[t]his court has long interpreted the phrase ‘as heretofore enjoyed’ to mean ‘the right of a trial by jury as it existed under the common law and as enjoyed at the time of the adoption of the respective Illinois constitutions.’” Id. ¶ 14.
The Court said that it “has long included the 12-person size of a jury within its descriptions of the essential features of a jury trial.” Id. ¶ 36. The “transcripts from the convention debates,” the Court explained, “make clear that the drafters did not believe the legislature had the authority to reduce the size of a jury below 12 members and the drafters did not act to give the legislature such power.” Id. The Act and statutory amendment violated Article I, section 13.
The decision, authored by Justice Garman, was 5-0, with Justices Thomas and Kilbride taking no part.
The Legal Marketing Technology Conference is the largest conference dedicated to technologies that law firm professionals use to identify, attract and support clients.
Join us for the full day conference on October 6, and the half day pre-conferences on October 5. Our pre-conferences include: Technology Workshops and a Lead Marketers’ Summit.
- Leading Law Firms through a Competitive Revolution (Keynote: Roland Vogl, CodeX: The Stanford Center for Legal Informatics)
- How CLOC is Changing Legal Service Delivery Models
- How Law Firms Can Use Video to Reach New Clients
- Data Visualization for Law Firms
- Bringing your CRM Data, Legal Expertise and Pricing Data Together: The Future of Effective Legal Sales
- Creating Efficiencies Through Marketing Automation: Principles & Practices
- Dynamic Content via Deep Personalization – the next stage in email marketing
- Using Livestreaming Video to Tell Your Story, Build Relationships, and Attract Clients
- Blockchain ID and The Changing Face of Digital Identity
If you haven’t already heard, Pokémon Go, an augmented reality app created by Nintendo and Niantic, is taking the world by storm. According to Forbes, the app is about to surpass Twitter on the Android platform in daily active users, even though it was first released just a couple of weeks ago in the United States and Australia and has not yet been made available worldwide. More and more people are getting in on the action, exploring real-world landscapes with their smartphones in hopes of capturing virtual Pokémon that appear on their screens based on their phone’s clock and GPS location. It seems that no location is off limits, as Pokémon appear on or near both public and private property – even in bathrooms. As the Pokémon franchise motto commands, users “Gotta Catch ’Em All” at designated “Pokéstops” in their quest to become a renowned Pokémon “trainer” who can outbattle other users at local, virtual “Gyms.”
Pokémon Go users have been wreaking havoc, day and night, along the way. They have been loitering near, and trespassing on, private property, so much so in Massachusetts that the Boston police are calling for users to be “vigilant” in avoiding private property and the “obvious inherent dangers” presented by playing Pokémon Go. They have disrupted operations at hallowed sites, such as the 9/11 Memorial and the Holocaust Museum. One even interrupted a live weather report. Users have used the app to lure and then rob other, unsuspecting users. One gamer ran his car into a tree while playing the app. Another was hit by a car while trying to cross a public highway while playing the app. Users have even fallen off a 75-foot-high cliff while playing the app.
Employers are not immune from the Pokémon Go fun. They have been – or soon will be – affected not only as property owners but also as managers of their employees.
Employer as Property Owner
As legal bloggers have noted, Pokémon Go challenges the traditional paradigm for legal property rights. It blurs the lines between reality and augmented reality, raising a number of interesting legal questions in the process. Does placing a Pokémon on private property without permission affect a property owner’s common law right to exclusive ownership of his property? Are Nintendo/Niantic potentially liable for placing characters on private property? Does the presence of virtual Pokémon on a property create an attractive nuisance that could create liability for the owner in the event a child-user injures himself on the property? If so, how would the property owner abate the nuisance? Can the state preclude users from playing Pokémon Go on public property consistent with the First Amendment? The answers to these questions are unclear.
What is clear, however, is a property owner’s right to exclude others from his property under West Virginia law. A property owner generally has the right to exclude other persons from his property, but there are exceptions to this rule. For example, if the property is a place of public accommodation, the property owner may not exclude persons based on their protected status, e.g., race, sex, religion, disability, or national origin. Generally speaking, however, property owners could legally exclude Pokémon Go users from their premises. To wit, in the case of a trespasser, a property owner could seek monetary damages for any damages caused by a trespass, even if such damages are only nominal.
A property owner’s obligation to keep his property safe is also clear. In the case of an invited person, the property owner must exercise reasonable care to protect the invited person from anticipated/foreseeable hazards. In the case of a trespasser, such as a wandering Pokémon Go user, the property owner need only refrain from willfully or wantonly injuring the trespasser to escape liability.
Pokémon Go isn’t all bad from a property owner’s perspective, however. For the right property or business owner, Pokémon Go could be a very useful marketing tool. Just Google “6 Ways To Use Pokémon Go in Your Local Marketing Campaign” to learn how. One New York pizzeria spent just ten dollars to have a dozen Pokémon lured to its store and saw a 75% increase in its business. How’s that for return on investment?
Employer as Manager
Pokémon Go also raises several concerns for employers as managers. Several of these concerns are obvious. The foremost of these concerns may be workplace safety. In a little more than a week, Pokémon Go users have shown just how dangerous the app can be. Think about what could happen if you added a distracted user to the existing hazards in your workplace. Disaster. In addition, there is the age-old concern of vicarious liability, especially for employers who have employees out on the road. Your mobile device policy should preclude employees from using a mobile device while driving, if it doesn’t already. West Virginia law makes it unlawful to use your phone while operating a motor vehicle on a public road.
Further, Pokémon Go is yet another appealing fad, much like March Madness, that threatens to bring your workforce to a halt while on the clock, particularly if you employ groups of Millennials or Gen Zers. You must set appropriate boundaries and outline clear expectations with your employees, especially where you are relying on broad language in your company handbook. If you need a “catchy” sign to get your employees’ attention, one human resource manager has got you covered:
Otherwise, revisit your personnel policies and update them as needed to mitigate the potential employment carnage that could result from Pokémon Go. At bare minimum, no Pokémon hunts in the bathroom!
There are at least a couple of hidden concerns with Pokémon Go too. For one, users play Pokémon Go through their phone’s camera and will soon, if they do not already, have the option of recording or even live streaming their gameplay. That is cause for concern where employees are permitted to play Pokémon Go on breaks in the workplace. In their quest to capture Pokémon “living” around the office, they may record or stream unsuspecting coworkers, or worse, confidential company information (whiteboards, screens, documents on desks). This creates one more avenue for workplace conflict among employees and raises security concerns for private company information.
For another, Pokémon Go may be a cyber-security concern for companies using Google products, such as Chrome, Gmail, and Google Drive. When the app first debuted on iOS, signing in with a Google account granted it “full access” to that account. According to Google’s own description of that permission level, a third party holding it could potentially not only read your email, your Google Docs, your Google Photos, your location history and your search history, but also modify that content and even send email as you from your Gmail account. Niantic stated that it only used the account’s ID and email address and had not accessed anything else, but the point for employers is that the breadth of a granted permission, not the developer’s stated intent, defines the exposure: for users who signed up with a company-related Google account, Niantic held a token with the reach of a trusted business partner. It appears that the public outcry has led the Pokémon Go creators to reduce the permissions the app requests to basic profile information, and to revoke the broader access already granted. It will be interesting to see whether this change is enough to quell the public outcry. Either way, the initial cyber-security scare is a reminder that employers should remain vigilant in maintaining the wall between work and play with employees that have been granted a company-sanctioned mobile device. Two practical checks: employees can review and revoke third-party apps connected to a Google account from the account’s security settings, and Google Apps administrators can restrict which third-party applications may be authorized against company accounts at all.
What You Should Do
Pokémon Go is all the rage and promises to be for your employees soon, if it isn’t already. Regardless of whether the app catches on at your workplace, go through the exercise of reviewing your mobile device and social media policies. Are they inclusive of augmented reality apps? If necessary, update them to ensure that they are clear on the use, non-use, or limited use of augmented reality apps like Pokémon Go at your workplace. But don’t stop there. Review your policies with your employees, even if you don’t make any changes. Make sure that employees are aware of the boundaries for augmented reality apps at the office.
On September 9, 2016, the United States Occupational Safety and Health Administration (“OSHA”) published new guidelines for approving settlements between employers and employees in whistleblower cases to ensure that those agreements do not contain terms that could be interpreted to restrict future whistleblowing. OSHA reviews settlements between employees and employers to ensure that they are fair, adequate, reasonable, and in the public interest, and that the employee’s consent was knowing and voluntary. The guidance provides that OSHA will not approve settlement agreements that contain provisions that discourage (or have the effect of discouraging) whistleblowing, such as:
“Gag” provisions that prohibit, restrict, or otherwise discourage an employee from participating in protected activity, such as filing a complaint with a government agency, participating in an investigation, testifying in proceedings, or otherwise providing information to the government. These constraints often arise from broad confidentiality or non-disparagement clauses, which complainants may interpret as restricting their ability to engage in protected activity. The prohibited constraints may also be found in provisions that:
restrict the employee’s right to provide information to the government, file a complaint, or testify in proceedings based on a respondent’s past or future conduct;
require an employee to notify his or her employer before filing a complaint or voluntarily communicating with the government regarding the employer’s past or future conduct;
require an employee to affirm that he or she has not previously provided information to the government or engaged in other protected activity, or to disclaim any knowledge that the employee has violated the law; and/or
require an employee to waive his or her right to receive a monetary award from a government-administered whistleblower award program for providing information to a government agency.
Provisions providing for liquidated damages in the event of a breach where those provisions are clearly disproportionate to the anticipated loss to the respondent from a breach, where the potential liquidated damages would exceed the relief provided to the employee, or where, owing to the employee’s position and/or wages, he or she would be unable to pay the proposed amount in the event of a breach.
When OSHA encounters these types of provisions, it will ask the parties to remove those provisions and/or prominently place the following statement in the settlement agreement: “Nothing in this Agreement is intended to or shall prevent, impede or interfere with the complainant’s non-waivable right, without prior notice to Respondent, to provide information to the government, participate in investigations, file a complaint, testify in any future proceedings regarding Respondent’s past or future conduct, or engage in any future activities protected under the whistleblower statutes administered by OSHA, or to receive and fully retain a monetary award from a government-administered whistleblower award program for providing information directly to a government agency.”
© Copyright 2016 Squire Patton Boggs (US) LLP
Accounting firms very often question the need to include certain provisions intended to limit their liability to their clients and sometimes ask whether the provision is even enforceable. Whether the provision will be enforced is uncertain due to the very limited case law addressing liability-limiting provisions in accountants’ client engagement letters, and there could be variations in enforcement from state to state. Nevertheless, it is important to include the provisions, even if enforcement is uncertain, because the provision might just be accepted and never challenged, thereby serving its purpose, even if a court strikes it down after a legal challenge.
One of the more important liability-limiting provisions is limiting the client’s time to sue the accountant to a fixed period (usually one year) measured from when the services are provided. These provisions serve the dual purpose of shortening the lengthy statute of limitations in some states and defining exactly when that period starts to run. Our provision sets forth that the period starts to run at the time the services are provided rather than when the client knows or should know about a claim, which could be years and sometimes decades later.
A picture may be worth a thousand words, but a similar single-sentence provision in an engagement letter saved Deloitte Tax LLP from having to defend a $500 million malpractice suit filed in New York against the multinational professional services firm. A New York court dismissed the lawsuit and affirmed the validity of the one-year limitations period. However, unlike the provision we generally recommend, the Deloitte provision indicated the one-year period started to run from when “the cause of action accrued.” Since New York law holds that such claims accrue at the time the advice is given, the court held that Deloitte’s provision shortened the time period to sue the accountant to one year from the time the advice was given. In effect, our provision would reach this result even in states that do not have the same highly favorable point of accrual.
Facts of the Case
Deloitte was engaged in 2008 by billionaire William Davidson to modify his estate plan, and Deloitte provided advice until shortly before Davidson’s death in March 2009. Deloitte was then engaged to assist with the administration of the Estate, including providing advice on a variety of tax issues, some of which related to the modifications put in place prior to Davidson’s death.
Not surprisingly, the IRS scrutinized the Davidson Estate filings, but somewhat surprisingly concluded that the Estate owed billions more than was reported on the Estate’s returns. Those conclusions were contested by the Estate, which ultimately settled with the IRS for approximately $500 million in July 2015. Deloitte continued working with the Estate until September 2015, when the Estate brought an action against Deloitte in New York seeking to recover the $500 million paid to settle with the IRS.
The Estate alleged, among other things, that Deloitte was reckless and negligent in the estate planning advice provided to Davidson. Deloitte filed a motion to dismiss the complaint in its entirety, arguing that the claims were time-barred based on the limitations provision in their engagement letter with Davidson. The critical language in the engagement letter stated:
No action, regardless of form, relating to this engagement, may be brought by either party more than one year after the cause of action has accrued, except that an action for nonpayment may be brought by a party not later than one year following the date of the last payment due to the party bringing such action.
New York law provides that parties to a contract can shorten the statute of limitations, so the plaintiffs did not dispute the validity of the provision shortening the statute of limitations to one year. Instead, the plaintiffs argued that the doctrines of continuous representation and equitable estoppel deferred accrual of the causes of action until Deloitte stopped providing services to the Estate. The plaintiffs, focusing on the services Deloitte provided after Davidson’s death during the administration of the Estate and resolution with the IRS, argued that the claims did not accrue until services stopped in September 2015.
On August 22, 2016, the Supreme Court of the State of New York, New York County, dismissed all claims against Deloitte, holding that they were time-barred under the one-year limitations provision in Deloitte’s engagement letter. After confirming that New York law permits parties to shorten the limitations period by contract, the Court focused on “accrual” of the claims, since that is the point from which the one-year period is measured under the engagement letter provision.
For the malpractice claim, the Court pointed to the longstanding New York law holding that a malpractice claim against an accountant based on allegedly faulty tax advice accrues at the time the advice is given, which in this case predated Davidson’s death in 2009 − more than six years prior to commencement of the action. The Court also ruled that the representation of the Estate after Davidson’s death did not save the claims through application of the continuous representation doctrine because the provision in the engagement letter expressly barred any tolling. Finally, the Court ruled that equitable estoppel did not apply because Deloitte did nothing to conceal the Estate’s tax problems.
- Well-drafted engagement letter provisions that shorten or otherwise limit the time a client has to commence suit can be strong risk management tools that will be upheld by at least some courts. The strength and enforceability of the provision will vary from state to state, but New York is not unique in holding that these provisions are enforceable.
- Shortening the time period to commence a suit to as little as one year is possible.
- If your jurisdiction does not measure accrual from the time the services are provided, as New York does, adding language measuring the commencement of the contractual limitation period from the time the services are provided is a possible solution, depending on the law in your state.
- If drafted properly, the provision can eliminate any tolling or extension of the limitations period based on additional or subsequent services that may be provided.
The purpose of the statute of limitations in the context of professional malpractice is to give an accounting firm a degree of certainty that past services will not lead to stale complaints in the distant future. Accountants can increase that certainty, and shorten the period during which they remain exposed, by incorporating a limitation provision into their engagement letters.
For Deloitte, a single sentence in its engagement letter limiting the time period for all claims to one year was worth $500 million.