Massachusetts to Require CGL and PL Coverage for All “Marijuana Establishments”

In regulations finalized just before the March 15, 2018, deadline, the Massachusetts Cannabis Control Commission (CCC) has included a provision requiring the maintenance of liability insurance or an escrow account to cover potential liabilities. This applies to all Marijuana Establishments, which include marijuana cultivators, craft marijuana cooperatives, marijuana product manufacturers, marijuana retailers, independent testing laboratories, marijuana research facilities, marijuana transporters and “any other type of licensed marijuana-related businesses,” except for medical marijuana treatment centers, which are already subject to a comprehensive regulation scheme, including a similar requirement.

Provisions

Under the new regulations, Marijuana Establishments must obtain and maintain general liability coverage with minimum limits of at least $1 million per occurrence and $2 million aggregate, and product liability insurance coverage of $1 million per occurrence and $2 million aggregate, with a maximum deductible of $5,000 per occurrence. 935 CMR 500.105(10)(a).

In the event that a Marijuana Establishment is unable to obtain the required coverage, upon providing documentation of the unavailability of coverage, the requirement may be met by the deposit of $250,000, or some other amount approved by the CCC, into an escrow account. 935 CMR 500.105(10)(b).

Any new applicant will be required to provide a description of its plan to obtain the required insurance coverage or otherwise meet the requirements of this regulation as part of the application process. 935 CMR 101(c)(5).

This insurance requirement is one of several designed to ensure the financial responsibility of marijuana businesses in the Commonwealth, including a requirement that applicants detail the amounts and sources of capital resources available to them, and a requirement that a license applicant provide documentation of a bond or other resources held in an escrow account in an amount sufficient to adequately support the dismantling and winding down of a Marijuana Establishment pursuant to 935 CMR 500.101(1)(a).

Synopsis

The recreational marijuana business regulations were approved on March 9, 2018, after extensive hearings and public input. The regulations must be signed by the Secretary of the Commonwealth and published in the Massachusetts Register, which is expected to take place on March 23, 2018. The regulations become effective upon publication.

Massachusetts voters approved the legalization of recreational marijuana via ballot in November 2016. The CCC plans to begin accepting applications on April 1, 2018, and recreational marijuana sales are expected to begin on July 1, 2018. Existing medical marijuana treatment centers have been given priority for licensure in towns and cities where the number of licenses is limited, see MGL c. 94G, § 5(c), and already will have these coverages in place. However, as applications will be reviewed on a rolling basis, we would expect to see the number of businesses seeking this coverage only increasing.


© 2018 Wilson Elser
This post was written by Kara Thorvaldsen of Wilson Elser.

Social Hosts Beware: “One More for the Road?” May Be a Bad Idea

The company was hosting its annual holiday party.  The company had arranged to hold the event that Saturday night in a hotel ballroom.  Moods were festive, especially because the company’s profits were up about 10%.  Because he enjoyed doing it and served as a freelance bartender in his spare time, one of the company’s new sales employees, Tom Collins, was helping to tend bar.

Much of the company’s success that year was attributable to the efforts of Johnny Walker, V.P. of Sales, who, for understandable reasons, was in a celebratory mood.  When he, at about 11 p.m., bellied up to the bar for a fourth round, Tom couldn’t help but notice that Johnny, normally the epitome of self-control, seemed more than a little impaired.  Tom said to Johnny, “Mr. Walker, with all due respect, don’t you think that it may be time to slow down?  In fact, given the hour, I’ll be happy to arrange a ride to take you home.”  Johnny, now irritated, replied “Tom, you make an excellent highball, but I’d be grateful if you’d mind your own business, OK?”  Tom did as he was asked and poured Walker another drink.  With that, Johnny, armed with another scotch and soda, disappeared into the crowd.

The next morning, Tom, to his shock, learned that Johnny had gotten into his Volvo to drive home and promptly collided with another driver.  The other driver, as a result, was seriously injured and remained hospitalized in a coma for about nine months.  He then died.

Candy is dandy, but liquor is quicker, so be careful out there . . .

May an employer with employees in North Carolina, in appropriate circumstances, be held liable for the malfeasance of its employees and, specifically, be held liable as a “social host” because one of its employees served alcohol to a person when the employee knew or should have known that the person was drunk and would soon be driving on public roads and might hurt or kill someone?

Absolutely.  The doctrine of “social host liability” was first declared in North Carolina about 25 years ago.  The North Carolina Supreme Court, in the 1992 case of Hart v. Ivey, ruled that the plaintiffs had stated a valid claim when they alleged that various defendants had been negligent in throwing a party at which beer was served to an 18-year-old, under circumstances in which the defendants knew or should have known that the young man was intoxicated at the time he was served, that he would drive a motor vehicle from the party, and that he was likely to injure someone.

The court wrote that it had not been able to find a North Carolina case dealing with similar facts, but concluded “that the principles of negligence established by our decisions require that we hold that the plaintiffs .  .  . have stated a claim.”  The court emphasized that it was not recognizing a new claim, but was merely applying the established elements of negligence to find that the plaintiffs stated claims recognized by law.

What had the plaintiffs claimed?  Only:

  • That “the defendants served an alcoholic beverage”;
  • To a person they knew or should have known was under the influence of alcohol; and,
  • That the defendants knew that person would shortly thereafter drive an automobile.

The court’s conclusions in Hart, if you think about them, aren’t surprising:

If proof of these allegations were offered into evidence, [then] the jury could find from such evidence that the defendants had done something a reasonable man would not do and were negligent.  The jury could also find that a man of ordinary prudence would have known that such or some similar injurious result was reasonably foreseeable from this negligent conduct.  The jury could find from this that the negligent conduct was the proximate cause of the injury to plaintiffs.

Sadly, the court later had occasion to encounter just such a claim brought by the estate of a man killed by an employee who had attended a party for a retiring supervisor at the home of an officer of the employer.  In the 1995 case of Camalier v. Jeffries, the employer sponsored the party and hired a catering company to help with food and drink service and another company to handle parking arrangements.  The catering company and a company that it hired supplied all of the bartenders at the party.

The employee downed three or four gin and tonics and then decided to leave, and was taken by van to his car.  He then drove his car into an automobile whose driver suffered serious injuries and then died of the injuries about nine months later.  Within two hours after the time of the accident, a blood sample was drawn from the employee showing that his blood-alcohol concentration was well over the legal limit.

In ruling on the case, the North Carolina Supreme Court reiterated the elements of “social-host liability” that it had declared in Hart.  In Camalier, the defendant company and one of its officers dodged liability, but only because the evidence was insufficient to show that they knew or should have known that the employee was hammered when he was served alcohol at the officer’s home.

The court observed that there was no question that the defendant employer and its officer caused alcohol to be served to the employee and knew or should have known that the employee would be driving an automobile after the party.  Thus, the first and third factors set forth in Hart were not in dispute.  But the court also found that the predicted evidence didn’t show that either the employer or the officer knew or should have known that the employee was drunk when he was being served.

The impaired employee who caused injury in Camalier had been served by a vendor hired by the employer rather than by an employee of the defendant employer.  It appears that North Carolina’s appellate courts have not yet held an employer liable as a “social host” based on the actions of an employee, but the circumstances in which a court may do so are not difficult to imagine.  Such liability can arise from an employer-hosted event at a restaurant, country club, pub, or similar establishment.  The location will not matter and a court is likely to find employer liability if there is proof that an employee, under circumstances intended to promote the interests of the employer, served alcohol to a person when the employee, or its representative, knew or should have known that the person was intoxicated and would soon be driving and that a third-party was injured as a result.

The Supreme Court of New Mexico, addressing such an issue, highlighted the principles of employers’ and employees’ liability as “social hosts” where the host purchases liquor and causes it to be served to a guest and, as a result, a third person is injured.  In the 2011 case of Delfino vs. Griffo, employees of a pharmaceutical company, in the course of their employment, entertained a physician’s employee in several restaurants.  The guest consumed considerable alcohol, became very intoxicated, departed in her car, and shortly thereafter caused a fatal accident.

The New Mexico court, discussing liability as a “social host,” observed:

Social hosting need not occur in a home; one may host in a bar or restaurant where the actual delivery of alcoholic beverages to the guests is performed by a licensed server.  Factors that are key to determining whether one is a social host in a public establishment are whether the alleged social host exercised control over the alcohol consumed by the guests; whether the alleged social host convened the gathering for a specific purpose or benefit to the alleged social host, such as promoting business good will; and whether the alleged host intended to act as ‘host’ of the event, meaning arrange for the service of and full payment for all food and beverages served to the guests.

The New Mexico court found, based on the facts of the Delfino case, that the employer was a “social host” for the drunk driver and, in such capacity, the employer could be sued and held liable.

Bring your carrier along for the ride . . .

Employers may consider purchasing general liability insurance to insure them against losses arising from the provision of alcohol by their employees to an intoxicated driver who then causes injury or death.  A typical general liability insurance policy includes a business liability provision that will pay for damages arising from causing or contributing to the intoxication of a third party, so long as the insured entity is not in the business of manufacturing, distributing, selling, or furnishing alcoholic beverages.  Employers can also buy a one-time special event policy if their current insurance doesn’t provide that kind of coverage.

Employers may also try to insulate themselves from “social host” liability by hiring professional caterers or bartenders who maintain such general liability insurance coverage, so that the employer, if it encounters a “social host” liability claim, may at least try to pass the liability to the caterer’s or bartender’s insurance carrier.

Employers should bear in mind, however, if tragedy occurs and litigation ensues, that it is the employer—not the insurance company—that will be sued, and that having insurance does not mean that the employer is immunized from liability.  It means only that the insurance carrier may have to pay if the employer is found liable (or, more likely, if the employer convinces the carrier to pay a pre-trial settlement to enable the employer to avoid an embarrassing lawsuit).  Moreover, a policy’s limits of liability are not always high enough to cover all claims.  The amount of liability can exceed the limits, in which case the employer, if held liable as a “social host,” can, to one degree or another, be on its own to pay a settlement or judgment.

Conclusion

One useful tip for employers who want to celebrate with their employees and host social events at which alcohol is served is to limit the access to alcohol, such as by setting limits on how much or how long alcohol is served at the event.  You can’t mandate good judgment, but you can decide how much temptation you’re willing to pour.


© 2017 Ward and Smith, P.A.
This post was written by Grant B. Osborne of Ward and Smith, P.A.

Cannabis Prop 65 Liability: Lessons Learned from the Dietary Supplement Industry

The cannabis industry appears to be next on the liability “hit list” under California’s notorious Proposition 65 statute. In June 2017, more than 700 Prop 65 notices were served on California cannabis businesses. Companies in this emerging market should start mitigating risk under Prop 65 now. Fortunately, lessons can be learned from the dietary supplement industry’s expensive Prop 65 battles over the past decade.

California’s Prop 65, also known as the Safe Drinking Water and Toxic Enforcement Act, requires a warning on all products that contain chemicals known to cause cancer or reproductive harm, even in amounts a fraction of what is deemed safe by federal standards. Prop 65 has caused havoc within the dietary supplement and herbal product markets over the past decade, led by a cottage industry of “bounty hunter” attorneys who have weaponized the statute, ostensibly in the public interest but in reality as a lucrative for-profit business. These bounty hunters are now turning their attention to cannabis. Though amendments to the statute were adopted in 2016 for the purpose of reducing this abuse, Prop 65 litigation will continue and cannabis companies must stay vigilant.

Many businesses faced with the necessity of using a Prop 65 warning have no concern with the impact that a warning may have on sales or with consumer confidence in the product. After all, who would look twice at a Prop 65 warning on motor oil or insect repellent? Like the dietary supplement industry before them, however, many cannabis businesses will resist including a warning that the product contains a chemical known to cause cancer or reproductive harm. Many cannabis products rely on the consumers’ belief that the product is harmless and even therapeutic. For many, this will be an important business decision that may give rise to expensive mistakes; the decision should be made with an understanding of the basis for Prop 65 liability and exposure.

What Is Prop 65 and What Does It Require?

Prop 65 was passed by California voters in 1986 after an aggressive lobbying campaign by environmental and public health activists. The stated purpose of Prop 65 was to improve public health. The general consensus, however, is that Prop 65 has placed an undue burden on California businesses while achieving no significant impact on public health over the past 30 years.

As noted above, Prop 65 requires a warning on all products that contain chemicals known to cause cancer or reproductive harm. There are more than 900 such chemicals listed, and marijuana smoke has been included on the list since 2009.

For a warning to be acceptable under Prop 65, it must (1) clearly make known that the chemical involved is known to cause cancer and/or birth defects and/or other reproductive harm and (2) be given in such a way that it will effectively reach the person before he or she is exposed. The warnings must be “clear and reasonable,” meaning that the warning may not be diluted by other language. Various means of communicating the warning are allowed, including product-specific warnings on a posted sign or shelf, warnings on the product label or electronic warnings for internet purchases.

Important Exemptions

There are several important exemptions to Prop 65 that make a warning unnecessary. Businesses with nine or fewer employees are exempt from the statute. There also is an exemption involving chemicals that occur naturally in food. Lead, for example, will be considered naturally occurring only if it “is a natural constituent of a food” and is not added as a result of human activity such as pollution or poor manufacturing processes. The burden is on the company to prove the exemption, however, which is typically time-consuming and expensive.

Another important exemption is provided by “safe harbor” exposure levels for many chemicals on the Prop 65 list, below which no warning is required. The listed chemicals include additives or ingredients in pesticides, food, drugs and common household products. Most food contains at least some level of one or more of these substances. Prop 65 safe-harbor levels, however, are in many cases around 1,000 times lower than levels set by the Food and Drug Administration (FDA), Environmental Protection Agency (EPA) and World Health Organization (WHO). The exposure levels established by Prop 65 are often lower than what occurs naturally in fruits, vegetables, grains and even drinking water.

For example, the Prop 65 limit for lead is 0.5 mcg/day, which is below the amount of lead naturally found in many fruits, vegetables and herbs grown in non-contaminated soil. By comparison, the FDA allows 75 mcg/day and the European Union allows 250 mcg/day for lead. The European Food Safety Authority estimates the average adult consumes around 50 micrograms per day, which is 100 times the Prop 65 limit. It is nearly impossible to manufacture herbal products, including cannabis, without trace amounts of lead. Therefore, despite the “naturally occurring” exemption, discussed above, it can be dangerous to simply assume that an herbal product, including cannabis, complies with safe-harbor levels.

Only about 300 of the more than 900 Prop 65 chemicals have specific safe-harbor levels. For those chemicals without a safe-harbor limit, the burden will be on the cannabis business to establish that the subject chemical is within a safe range. This typically requires expensive testing, the results of which may be open to multiple interpretations as to whether a warning is required.

Determining the Exposure Level

Determination of the “exposure level” also is an important consideration. Prop 65 focuses on the level of a chemical to which the consumer is actually exposed. Although a product may have a very low amount of a chemical on the Prop 65 schedule that is below the safe-harbor level, liability under the statute may nevertheless be triggered based on the recommended serving size. It is advisable for companies to work with a laboratory that specializes in Prop 65 testing to determine the cumulative exposure level in order to verify the recommended serving size.

Enforcement of Prop 65

Prop 65 is enforced through litigation brought by the government or by private attorneys that “act in the public interest.” It is the threat of these private lawsuits that causes such consternation among those targeted with Prop 65 liability. After a 60-day notice period, the attorney may file a civil suit against the offending company. Typically, the plaintiff will demand that the defendant provide warnings compliant with Prop 65, pay a penalty, and either recall products already sold or attempt to provide health hazard warnings to those who purchased the products.

Though purportedly brought in the public interest, it is the collection of penalties and attorneys’ fees that in reality drives this litigation. Prop 65 allows individuals who bring suit to recover 25 percent of the penalties awarded, which by statute is calculated at $2,500 per violation per day. Amendments made to Prop 65 in 2016 allow for certain voluntary actions by the defendant – reformulation of the product, for example – in lieu of penalties. The threat of paying the plaintiff’s attorney’s fees makes litigating Prop 65 cases potentially very expensive. The attorney is incentivized to drag out the litigation, and the longer the case goes on, the more difficult it becomes to resolve because of the mounting fees.

This framework has created a cottage industry of Prop 65 “bounty hunter” lawyers who affiliate with “public interest” organizations that bring these cases for profit. According to the California Attorney General, 760 settlements were reported in 2016 with total settlement payments of more than $30 million. Attorneys’ fees accounted for 72 percent of that amount. The 2016 amendments to the statute have attempted to address these abuses to some extent by requiring a showing that the public benefits derived from the settlement are “significant” and by requiring contemporaneous record keeping for fees and costs sought to be recovered. Prop 65 litigation nevertheless continues to burden many industries in California, now including the cannabis industry. For Prop 65 liability, prevention is certainly less costly than a cure.


This post was written by Ian A. Stewart of Wilson Elser © 2017

For more legal analysis go to The National Law Review

Hurricanes and Act of God Defenses

Maritime contracts for services generally include clauses for performance, demurrage, deviation, termination, and suspension. Performance may be affected by an Act of God or Force Majeure clause and event. A typical Force Majeure clause reads as follows:

Except for the duty to make payments hereunder when due, and the indemnification provisions under this Agreement, neither Company nor Contractor shall be responsible to the other for any delay, damage or failure caused by or occasioned by a Force Majeure Event as used in this Agreement. “Force Majeure Event” includes: acts of God, action of the elements, warlike action, insurrection, revolution or civil strife, piracy, civil war or hostile action, strikes, differences with workers, acts of public enemies, federal or state laws, rules and regulations of any governmental authorities having jurisdiction in the premises or of any other group, organization or informal association (whether or not formally recognized as a government); inability to procure material, equipment or necessary labor in the open market acute and unusual labor or material or equipment shortages, or any other causes (except financial) beyond the control of either Party. Delays due to the above causes, or any of them, shall not be deemed to be a breach of or failure to perform under this Agreement.

A. Act of God

Act of God or Force Majeure is a defense to many contractual obligations, including performance, deviation, and demurrage. It may also be the basis to suspend or terminate a maritime agreement for cause. It is defined as an abnormal natural event that is overwhelming and cannot be forestalled nor controlled. Skandia Ins. Co., Ltd. v. Star Shipping, AS, 173 F.Supp. 2d 1228 (S.D. Ala. 2001) (Hurricane Georges cargo claim). It is also a defense to certain tort claims like collisions and allisions occurring during a storm. Petition of U.S., Heide Shipping & Trading v. S.S. Joseph Lykes, 425 F.2d 991 (5th Cir. 1970) (vessel break-away in Hurricane Betsy).

When pleaded, a party must demonstrate that it was prudent in predicting and attempting to avoid the impact of the overwhelming and unexpected natural event and took reasonable precautions under the circumstances. A failure to perform or third-party tort damages are not subject to an Act of God defense if the failure results from human agency, neglect or an unseaworthy condition. Compania DeVapores Ins. Co., SA v. Mo-Pac R.R. Co., 232 F.2d 657 (5th Cir. 1985) (cargo claim for failure to take reasonable steps to guard against wind storm).

Following Hurricane Katrina, the U.S. District Court for the Eastern District of Louisiana held that a category 4 or 5 hurricane was an Act of God sufficient to bar a tort claim by a marina owner against the owner of a vessel that broke away from her berth, drifted and hit another vessel. The defense of Act of God applied because (1) the accident was due exclusively to abnormal natural events without human intervention, and (2) there was no intervening negligent behavior by the vessel owner. J.W. Stone Oil Dist., LLC v. Bollinger Shipyard, 2007 WL 2710809 (E.D. La. 2007). Judge Lemmon held in Stone Oil that hurricanes are considered as a matter of law to be an Act of God and defensible unless there is an intervening and contributing act of individual negligence. This obligation includes taking reasonable precautions based upon all available information.

In Simmons v. Lexington Ins. Co., 2010 WL 1254638 (E.D. La. 2010), aff’d, 401 Fed. Appx. 903 (5th Cir. 2010), the courts similarly considered whether reasonable precautions had been taken by a marina to protect a sailboat during Hurricane Katrina under both Louisiana and maritime law. The Court reviewed other Katrina cases, including Conagra Trade Group, Inc. v. AEP Memco, LLC, 2009 WL 2023174 (E.D. La. 2009), and Coex Coffee Int’l., Inc. v. Dupuy Storage & Forwarding, LLC, 2008 WL 1884041 (E.D. La. 2008) (Katrina’s unprecedented flooding and devastation was an Act of God defense). In Conagra, supra, Judge Fallon was asked to review a contract of affreightment for a cargo of wheat aboard a barge that sank. Memco was found not negligent in delivering its barge of cargo to an affected berth several days before the weather forecast accurately predicted the landfall of Katrina.

In re S.S. Winged Arrow, 425 F.2d 991 (5th Cir. 1970), affirmed that where a vessel had been sufficiently moored based upon the anticipated path of Hurricane Betsy, the Act of God defense applied to relieve its owner of tort damages resulting from its breakaway. From a review of the case law involving severe weather events, it is apparent that Act of God defenses will be granted as a defense to both third-party tort claims and also contractual claims for failure to perform where reasonable decisions and precautions under the circumstances have been made.

B. Performance Clauses

Clauses for demurrage, detention or laytime usually involve delays in the loading or unloading of cargo or the delivery of goods and materials. Laytime is the period of time allowed for loading and unloading. Demurrage and detention are sums paid to compensate for time lost related to the delivery of equipment or cargo. Demurrage begins to run after the passage of laytime or the agreed time of delivery and performance. Damages are awarded for failure to perform. Deviation is an obligation to maintain a proper course in ordinary trade and to timely arrive at the agreed destination. All deviation clauses are subject to certain liberties. Any deviation may affect insurance and hire.

Typically a contract for maritime services can be terminated for cause or for convenience. Similarly, parties may negotiate terms to suspend performance, which would suspend payment of hire and performance of services. A suspension clause is typically an off-hire clause where the contract terms remain but no hire is paid. Usually a vessel owner will be compensated and reimbursed for certain additional expenses if a contract is terminated for convenience. An Act of God clause excuses delays in performance, but in most cases serves to either suspend performance or terminate the contract for cause as between the parties.

Similar defenses are also statutorily allowed under COGSA. Under the COGSA “perils of the sea” defense, a carrier and vessel are not liable for cargo damage proximately caused by an Act of God where the carrier is not independently negligent and its vessel is seaworthy when confronted with an unexpected and abnormal event of nature. 46 U.S.C. 1304(2)(c) & (d); J. Gerber & Co. v. S/S Sabine Howaldt, 437 F.2d 580 (2d Cir. 1971); Taisho Marine & Fire Ins. Co. v. Sea-Land Endurance, 815 F.2d 1270 (9th Cir. 1987).

C. Conclusion

The purpose of an Act of God clause in a contract, or of the Act of God defense asserted against a maritime tort claim, is to relieve a defendant from liability for performance and damages where there was an extreme natural event. Whether a particular storm or natural event is considered an ACT OF GOD is a question of fact. The factors to be considered in assessing an ACT OF GOD/FORCE MAJEURE include the intensity of the natural event and whether the conditions would normally be expected. In order to avail oneself of the ACT OF GOD defense a defendant must show a causal connection between the loss and the peril as well as the defendant’s freedom from fault.

This post was written by Grady S. Hurley of Jones Walker LLP © 2017


Third-Party Aspects of Cybersecurity Protections: Beyond your reach but within your control

Data privacy and cybersecurity issues are ongoing concerns for companies in today’s world.  It is nothing new to hear.  By now, every company is aware of the existence of cybersecurity threats and the need to try to protect itself.  There are almost daily reports of data breaches and/or ransomware attacks.  Companies spend substantial resources to try to ensure the security of their confidential information, as well as the personal and confidential information of their customers, employees and business partners.  As part of those efforts, companies are faced with managing and understanding their various legal and regulatory obligations governing the protection, disclosure and/or sharing of data – depending on their specific industry and the type of data they handle – as well as meeting the expectations of their customers to avoid reputational harm.

Despite the many steps involved in developing wide-ranging cybersecurity protocols – such as establishing a security incident response plan, designating someone to be responsible for cybersecurity and data privacy, training and retraining employees, and requiring passwords to be changed regularly – it is not enough merely to manage risks internal to the company.  Companies are subject to third-party factors not within their immediate control, in particular vendors and employee BYOD (Bring Your Own Device).  If those cybersecurity challenges are not afforded sufficient oversight, they will expose a company to significant risks that will undo all of the company’s hard work trying to secure and defend its data from unauthorized disclosures or cyberattacks.  Although companies may afford some consideration to vendor management and BYOD policies, absent rigorous follow up, a company may too easily leave a gaping hole in its cybersecurity protections.

VENDORS

To accomplish business functions and objectives and to improve services, companies regularly rely on third-party service providers and vendors.  To that end, vendors may get access to and get control over confidential or personal information to perform the contracted services.  That information may belong to the company, employees of the company, the clients of the company and/or business partners of the company.

When information is placed into the hands of a vendor and/or onto its computer systems, stored in its facilities, or handled by its employees or business partners, the information is subject to unknown risks based on what could happen to the information while with the third-party.  The possibility of a security breach or the unauthorized use or access to the information still exists but a company cannot be sure what the vendor will do to protect against or address those dangers if they arise.  A company cannot rely on its vendors to maintain necessary security protocols and instead must be vigilant by exercising reasonable due diligence over its vendors and instituting appropriate protections.  To achieve this task, a company needs to consider the type of information involved, the level of protection required, the risks at issue and how those risks can be managed and mitigated.

Due Diligence

A company must perform due diligence over the vendor and the services to be provided and should consider, among other things, supplying a questionnaire to the vendor to answer a host of cybersecurity related questions including:

  • What services will the vendor provide?  Gain an understanding of the services being provided by the vendor, including whether the vendor only gains access to, or actually takes possession of, any information.  There is an important difference between a vendor (i) having access to a company’s network to implement a third-party solution or provide a third-party service and (ii) taking possession of and/or storing information on its network or even the network of its own third-party vendors.

  • Who will have access to the information?  A company should know who at the vendor will have access to the information.  Which employees?  Will the vendor need assistance from other third parties to provide the contracted-for services?  Does the vendor perform background checks of its employees?  Do protocols exist to prevent employees who are not authorized from having access to the information?

  • What security controls does the vendor have in place?  A company should review the vendor’s controls and procedures to make sure they comply not only with applicable legal and regulatory requirements but also with the company’s own standards.  Does the vendor have the financial wherewithal to manage cybersecurity risks?  Does the vendor have cybersecurity insurance?  Does the vendor have a security incident response plan?  To what extent has the vendor trained with or used the plan?  Has the vendor suffered a cyberattack?  If so, it actually may be a good thing depending on how the vendor responded to the attack and what, if anything, it did to improve its security following the attack.  What training is in place for the vendor’s employees?  How is the vendor monitoring itself to ensure compliance with its own procedures?

The Contract

A company should seek to include strong contractual language to obligate the vendor to exercise its own cybersecurity management and to cooperate with the company to ensure protection of the company’s data.  There are multiple provisions to consider when engaging vendors and drafting or updating contracts to afford the company appropriate protections.  A one-size-fits-all approach for vendors will not work and clauses will need to be modified to take account of, among other things:

  • The sensitivity of the information at issue – Does the information include only strictly confidential information, such as trade secrets or news of a potential merger?  Does the information include personal information, such as names, signatures, addresses, email addresses, or telephone numbers?  Does the information include what is considered more highly sensitive personal information, such as SSNs, financial account information, credit card information, tax information, or medical data?

  • The standard of care and obligations for the treatment of information – A company should want its vendors to meet the same standards the company demands of itself.  Vendors should be required to acknowledge that they will have access to or will take possession of information and that they will use reasonable care to perform their services, including the collection, access, use, storage, disposal, transmission and disclosure of information, as applicable.  This can, and often should, include: limiting access to only necessary employees; securing business facilities, data centers, paper files, servers and back-up systems; implementing database security protocols, including authentication and access controls; encrypting highly sensitive personal information; and providing privacy and security training to employees.  Contracts also should provide that vendors are responsible for any unauthorized receipt, transmission, storage, disposal, use, or disclosure of information, including the actions and/or omissions of their employees and/or relevant third parties whom the vendors retain.

  • Expectations in the event of a security breach at the company – A company should include a provision requiring a vendor’s reasonable cooperation if the company experiences a breach.  A company should have a contact at each of its vendors who is available 24/7 to help resolve a security breach.  Compliance with a company’s own obligations to deal with a breach (including notification or remediation) could be delayed if a vendor refuses to provide necessary information or copies of relevant documents in a timely manner.  A company also can negotiate to include an indemnification provision requiring a vendor to reimburse the company for reasonable costs incurred in responding to and mitigating damages caused by any security breach related to the work performed by the vendor.

  • Expectations in the event of a security breach at the vendor – A company should demand reasonable notification if the vendor experiences a security breach and require the vendor to take reasonable steps and use best efforts to remediate the breach and to try to prevent future breaches.  A company should negotiate for a provision permitting the company to audit the vendor’s security procedures and perhaps even to physically inspect the vendor’s servers and data storage facilities if the data at issue is particularly sensitive.

Monitoring

Due diligence and contractual provisions are necessary steps in managing the cybersecurity risks that a vendor presents, but absent consistent and proactive monitoring of the vendor relationship, including periodic audits and updates to vendor contracts, all prior efforts to protect the company in this respect will be undermined.  Determining who within the company is responsible for the relationship  – HR? Procurement? Legal? – is critical to help manage the vendor relationship.

  • Schedule annual or semi-annual reviews of the vendor relationship – A company not only should confirm that the vendor is following its cybersecurity protocols but also should inquire if any material changes to those protocols have been instituted that impact the manner in which the vendor handles the company’s data.  Depending on the level of sensitivity of the data being handled by the vendor, a company may consider retaining a third-party reviewer to evaluate the vendor.

  • Update the vendor contract, as necessary – A company employee should be responsible to review vendor contracts annually to determine if any changes are necessary in view of cybersecurity concerns.

BYOD

Ransomware – where a hacker demands a ransom to decrypt a company’s data after malicious software that the hacker deposited onto the company’s network encrypted it to hold it hostage – certainly is a heightened concern for all companies.  It is the fastest growing malware targeting all industries, with more than 50% growth in recent years.  Every company is wary of ransomware and is trying to do as much as possible to protect itself from hackers.  The best practices against ransomware are to (i) periodically train and retrain your employees to be on the lookout for ransomware; (ii) regularly back up your data systems; and (iii) split up the locations where data is maintained to limit the damage in the event some servers fall victim to ransomware.  One thing that easily is overlooked, however, or is afforded more limited consideration, is a company’s BYOD policy and enforcement of that policy.

Permitting a company’s employees to use their own personal electronic devices to work remotely will lower overhead costs and improve efficiency but will bring a host of security and compliance concerns.  The cybersecurity and privacy protocols that the company established and vigorously pursues inside the company must also be followed by its employees when using their personal devices – home computers, tablets, smartphones – outside the company.  Employees likely are more interested, however, in the ease of access to work remotely than in ensuring that proper cybersecurity measures are followed with respect to their personal devices.  Are the employees using sophisticated passwords on their personal devices or any passwords at all?  Do the employees’ personal devices have automatic locks?  Are the employees using the most current software and installing security updates?

These concerns are real.  In May of 2017, the WannaCry ransomware attack infected more than 200,000 computers in over 100 countries, incapacitating companies and hospitals.  Hackers took advantage of the failure to install a patch to Microsoft Windows, which Microsoft had issued weeks earlier.  Even worse, it was discovered that some infected computers were using outdated versions of Microsoft Windows for which the patch would not have worked regardless.  Companies cannot risk pouring significant resources into establishing a comprehensive security program only to suffer a ransomware attack or otherwise to have their efforts undercut by an employee working remotely who failed to install appropriate security protocols on his/her personal devices.

The dangers to be wary of include, among others:

  • Personal devices may not automatically lock or have a timeout function.

  • Employees may not use sophisticated passwords to protect their personal devices.

  • Employees may use unsecured Wi-Fi hotspots to access the company’s systems, subjecting the company to heightened risk.

  • Employees may access the company’s systems using outdated software that is vulnerable to cyberattacks.

Combatting the Dangers

To address the added risks that accompany allowing BYOD, a company must develop, disseminate and institute a comprehensive BYOD policy.  That policy should identify the necessary security protocols that the employee must follow to use a personal device to work remotely, including, among other things:

  • Sophisticated passwords

  • Automatic locks

  • Encryption of data

  • Installation of updated software and security apps

  • Remote access from secure Wi-Fi only

  • Reporting procedures for lost/stolen devices

A company also should use mobile device management technology to permit the company to remotely access the personal devices of its employees to install any necessary software updates or to limit access to company systems.  Of course, the employee must be given notice that the company may use such technology and the capabilities of that technology.  Among other things, mobile device management technology can:

  • Create a virtual partition separating work data and personal data

  • Limit an employee’s access to work data

  • Allow a company to push security updates onto an employee’s personal device
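The policy points above (strong passcode, automatic lock, encryption, current updates, secure Wi-Fi only) and the mobile device management capabilities (work/personal separation, limiting access to work data) are the kind of requirements an MDM or conditional-access system evaluates before a personal device is allowed to reach company systems.  The following is an added example, written for this page and not code from the article or from any MDM product, showing how such a device-posture check can be expressed.  The posture records, the thresholds (minimum passcode length, lock timeout, patch age) and the field names are constructed assumptions for illustration; a real deployment would take them from its own policy and its MDM agent.

```python
"""BYOD device-posture check against a policy like the one described above.

Added example, not from the original article. It evaluates constructed device
posture records (the kind an MDM agent would report) against the policy points
listed: strong passcode, automatic lock, storage encryption, current security
updates, secure Wi-Fi only, and a managed work container. Devices with any
violation are denied access to company systems until remediated.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Policy thresholds: assumptions chosen for illustration, not values from the article.
MIN_PASSCODE_LENGTH = 8
MAX_AUTOLOCK_SECONDS = 300          # device must lock itself within 5 minutes
MAX_PATCH_AGE_DAYS = 30             # security updates older than this are stale
SECURE_WIFI = {"WPA2", "WPA3"}      # open, WEP and original WPA networks are not acceptable


@dataclass
class DevicePosture:
    """Constructed posture record; field names are assumptions for this example."""
    device_id: str
    passcode_length: int            # 0 means no passcode set
    passcode_numeric_only: bool     # a PIN made only of digits
    autolock_seconds: int           # 0 means automatic lock disabled
    storage_encrypted: bool
    last_security_patch: date       # date of the newest installed security update
    wifi_security: str              # e.g. "OPEN", "WEP", "WPA", "WPA2", "WPA3"
    work_container_present: bool    # MDM-managed partition separating work data


def check_device(p: DevicePosture, today: date) -> List[str]:
    """Return the list of policy violations for one device (empty if compliant)."""
    violations: List[str] = []
    if p.passcode_length == 0:
        violations.append("no passcode set")
    elif p.passcode_length < MIN_PASSCODE_LENGTH or p.passcode_numeric_only:
        violations.append("passcode too weak")
    if p.autolock_seconds == 0 or p.autolock_seconds > MAX_AUTOLOCK_SECONDS:
        violations.append("automatic lock disabled or timeout too long")
    if not p.storage_encrypted:
        violations.append("storage not encrypted")
    if (today - p.last_security_patch).days > MAX_PATCH_AGE_DAYS:
        violations.append("security updates out of date")
    if p.wifi_security.upper() not in SECURE_WIFI:
        violations.append("connected via insecure Wi-Fi")
    if not p.work_container_present:
        violations.append("work/personal data separation not enforced")
    return violations


def access_decision(p: DevicePosture, today: date) -> str:
    """'allow' only when the device has no violations; otherwise 'deny'."""
    return "allow" if not check_device(p, today) else "deny"


def evaluate_fleet(devices: List[DevicePosture], today: date) -> Dict[str, List[str]]:
    """Map each device id to its violations, so the company can see who needs remediation."""
    return {d.device_id: check_device(d, today) for d in devices}


# Constructed sample fleet; the date is fixed so the result is reproducible.
TODAY = date(2017, 5, 15)
SAMPLE_DEVICES = [
    DevicePosture("phone-compliant", 10, False, 120, True, date(2017, 5, 1), "WPA2", True),
    DevicePosture("tablet-stale-patch", 12, False, 60, True, date(2017, 3, 1), "WPA3", True),
    DevicePosture("laptop-noncompliant", 4, True, 0, False, date(2017, 2, 1), "OPEN", False),
]

if __name__ == "__main__":
    for dev_id, problems in evaluate_fleet(SAMPLE_DEVICES, TODAY).items():
        status = "allow" if not problems else "deny"
        print(f"{dev_id}: {status}" + (f" ({'; '.join(problems)})" if problems else ""))
```

The check is deliberately all-or-nothing: a single stale patch is enough to deny access, which is the posture the WannaCry discussion above argues for.  In practice the violation list feeds the MDM remediation step (pushing the update, enforcing the lock policy) and the employee notice that the policy requires.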

Enforcement

Similar to vendor management, the cybersecurity efforts undertaken by having a robust BYOD policy in place, or even using mobile device management technology, are significantly weakened unless a company enforces the policy it has instituted.

  • A BYOD policy should be a prominent part of any employee cybersecurity training.

  • The company should inform the employee of the company’s right to access/monitor/delete information from an employee’s personal device in the event of, among other things, litigation and e-discovery requests, internal investigations, or the employee’s termination.

CONCLUSION

Implementing the above recommendations will not guarantee a company will not suffer a breach but will stem the threats created by third-party aspects of its cybersecurity program.  Even if a company ultimately suffers a breach, having had these protections in place to administer the risks associated with vendor management and BYOD certainly will help safeguard the company from the scrutiny of regulators or the criticism of its customers, which would be worse!

This post was written by Joseph B. Shumofsky of Sills Cummis & Gross P.C.
More legal analysis at The National Law Review.

Uber-Complicated: Insurance Gaps for Rideshare Vehicles Can Create Uncertainty for Passengers and Drivers

Many of us have come to enjoy the convenience of summoning a ride via our smartphones with a rideshare service company such as Uber, Lyft, or Sidecar.  However, significant issues exist over whether rideshare vehicles have adequate insurance coverage to compensate people injured in accidents involving those vehicles.

If one is injured by a Greyhound bus, for example, there is little question that Greyhound likely would have adequate insurance to cover any injuries and likely would have sufficient resources to compensate the injured party even without insurance.

By contrast, if one is injured by a rideshare driver, there are several potential obstacles to securing adequate compensation.

First, the rideshare company may classify the driver as an independent contractor instead of an employee, meaning that the company will not accept responsibility for the driver’s actions.  Second, even if the rideshare company accepts responsibility, the company’s insurance may not provide coverage, as discussed below.  In that event, the injured party is left to rely on the driver’s insurance, which also may be inadequate and may even exclude coverage for rideshare-related accidents.

The independent contractor issue has been litigated in numerous states with different outcomes.  Uber currently is facing two class action lawsuits in California related to this issue: Ghazi v. Uber Technologies, Inc., et al., No. CGC-15-545532 (Superior Court of California, County of San Francisco) and O’Connor v. Uber Technologies, Inc., et al., No. CV-13-3826 (U.S. District Court for the Northern District of California).[1]

Even if rideshare companies accept responsibility for a driver’s conduct, the companies typically have provided only limited insurance for their drivers.  Specifically, rideshare companies typically have not provided coverage in the following two periods: (1) when the rideshare app is turned off, or (2) when the app is turned on but no passenger is in the vehicle.

But, a horrific accident involving an Uber vehicle helped to start changing this dynamic.  Uber was sued in 2014 in California after a driver struck and killed a child during period (2) above, when he had his app turned on but had not yet picked up a passenger.  The case is captioned Liu v. Uber Technologies Inc., et al., No. CGC-14-536979 (Superior Court of the State of California, County of San Francisco).

California and other states recently have started requiring rideshare companies to maintain some coverage for their drivers in period (2), but that coverage is limited.  The companies typically provide contingent liability coverage with $50,000 per person/$100,000 per accident bodily injury coverage, but this insurance typically pays only for losses not covered by the driver’s personal policy.

And, even when rideshare company coverage is in place, insurers have relied on certain insurance policy exclusions in an effort to avoid paying claims.  One insurer is currently making such arguments in the coverage dispute with Uber over the Liu settlement.  See Evanston Insurance Co. v. Uber Technologies, Inc., No. C15-03988 WHA (U.S. District Court for the Northern District of California).

If a rideshare company’s commercial insurance is inadequate to fully compensate an injured party, that person is left to rely on a driver’s personal insurance.  But the driver’s insurance may be of no help because personal auto policies often contain an exclusion (the “livery exclusion”) for accidents occurring during commercial use of the vehicle, such as when a driver is transporting a passenger for hire.

Recently, there has been some effort in the insurance industry to close the insurance gaps discussed above, particularly during period (2), when a rideshare driver is using a mobile app but has not yet picked up a passenger.

In March 2015, the National Association of Insurance Commissioners adopted a white paper on insurance coverage for rideshare companies titled “Transportation Network Company Insurance Principles for Legislators and Regulators.”  The paper recommends that rideshare companies provide full coverage for period (2) or that drivers purchase individual commercial coverage during that period.

Similar to California, legislatures in Colorado, Illinois, and Virginia have passed laws requiring rideshare companies to offer full insurance during period (2).

In addition, some insurance companies are offering products to rideshare drivers to protect them in the event that rideshare companies’ commercial insurance does not pay.  For example, Geico (in Maryland and Virginia) and Progressive (in Pennsylvania) are offering individual commercial insurance to rideshare drivers that has lower rates than most commercial insurance.  USAA (in Colorado and Texas) offers a commercial insurance policy to rideshare drivers for an extra $6 to $8 per month.  Erie Insurance (in Illinois and Indiana) has removed an exclusion from personal auto policies purchased with a “business use” designation such that rideshare drivers now may be covered.

Overall, many options are emerging to provide additional insurance coverage on rideshare vehicles for the benefit of passengers and other third parties at all stages of the transportation process – from the time a rideshare driver turns on the app through the transport of a passenger.  Passengers, drivers, and affected third parties should continue to monitor these developments to make sure they are adequately protected.

© 2016 Gilbert LLP

[1] One consequence of the driver being classified as an independent contractor is that rideshare companies do not have to provide workers’ compensation insurance for a driver’s on-the-job injuries.  The Ghazi case addresses whether Uber drivers actually are employees and thus Uber must provide workers’ compensation insurance.

Holiday Party Checklist—Plan Ahead to Minimize Employer Risks

Delicious food, fine wines, music, camaraderie, laughter – all ingredients for a great holiday get-together.  What could go wrong?  Too much, unfortunately.  Employees may drink too much, act inappropriately, offend co-workers or guests, hurt themselves or others, or even start a brawl. Depending on the circumstances, your company may find itself potentially liable for the inappropriate or unlawful actions of your employees at company-sponsored parties.  You can help minimize the risks associated with holiday parties by following these five tips.

  • Avoid or Limit Alcohol

Employers face potential liability when providing alcohol at a company holiday event when someone gets hurt due to drunk driving, falling down, etc., or when inappropriate behavior crosses the line from embarrassing to unlawful, such as sexual harassment or violence during an argument.  You can limit your company’s exposure for such conduct by either banning alcohol entirely (we know that may not be well-received in some situations), or limiting each person’s consumption through the use of drink tickets or a 2-drink limit.  If you choose to allow alcohol at your events, don’t allow free access to the alcohol (e.g., open bar, self-serve beer or unlimited wine bottles).  Instead have a professional, licensed bartender serve the alcohol as they are trained not to over-serve patrons.  Be sure to offer plenty of food and non-alcoholic beverages.  Arrange for taxis or hotel stays if someone over-indulges.  Schedule the event during the week so folks are less inclined to get carried away. Set an end time for the party and shut down the bar at least a half hour before the event closes.  Do not authorize or condone “after parties.” Finally, designate some supervisors or managers to refrain from drinking alcohol to make sure things don’t get out of hand.

  • Keep Harassing Behavior in Check

Make sure that your sexual harassment policy is up-to-date and that it applies to company parties, even if held off company premises.  Send out a reminder to employees in advance of the party that all company policies, including those prohibiting harassment and other inappropriate conduct, apply to the party. Consider making the event a family party where employees may bring their spouse, significant other, or children as the presence of family members and children often deters inappropriate behavior which could give rise to a harassment complaint.  Make sure that supervisors and managers watch out for potentially harassing conduct and are trained to intervene as necessary.

  • Respect Religious Differences and Keep the Party Neutral 

Although many holidays toward the end of the year are religious in nature, be sensitive to your employees’ varying religious beliefs and avoid any conduct that could be construed as favoring one religious group over another.  Refrain from calling your party a “Christmas Party” and stick with the neutral “Holiday Party” instead.  Do not make attendance at the company-sponsored events such as parties, volunteer activities, food drives or other holiday outings mandatory.  Make sure the timing of the company party does not exclude any employees for religious reasons.  For example, because the Jewish Sabbath starts on Friday night, a party on a Friday evening may exclude Jewish employees.  Avoid decorating with religious symbols, such as nativity scenes, menorahs or angels.  There are plenty of neutral decorations, such as snowflakes, holly and reindeer, that can be used instead.

  • Be Wary of Gift Exchanges

Gift exchanges between employees may seem innocuous enough, but consider the potential issues a gift exchange may cause.  Employees may not be able to afford to participate, even within a recommended cost guideline.  Other employees may give sexy or “funny” gifts that end up offending others.  The best practice is to avoid a company or department sponsored gift exchange altogether.  If you decide to allow one among your employees, make sure it is entirely voluntary and no one is pressured or made to feel uncomfortable for not participating.  Set cost guidelines and remind participants that gifts must be appropriate for the workplace.

  • Remember Wage and Hour Laws

If you assign any non-exempt employees to plan, prepare for and staff the party, their hours are likely work hours for which they must be paid.  For example, if your office receptionist is required to be at the door of your holiday party to greet guests and hand out name tags, that individual is likely working and you need to include those hours in his or her weekly work hours when determining regular and overtime wages.  You do not need to pay employees who are attending the party if their attendance is voluntary and they are not expected to provide services that benefit your organization.

Follow this checklist and you’ll avoid last minute holiday headaches and keep your organization out of trouble.

Copyright Holland & Hart LLP 1995-2015.

Office Romances: 3-Part Series on How to Shield Your Company from Liability Part 3

GT Law

According to a recent CareerBuilder survey, four in ten people admitted to dating a co-worker, and one-third eventually married that person.  Whether a relationship between peers, relationships between supervisors/subordinates, flings, long-term relationships, or extramarital affairs, office romances can lead to unwelcome complaints and expensive lawsuits.

Part 1 of this three-part series addressed the potential risks that office romances pose to companies, and Part 2 covered the importance of adopting and enforcing a company policy addressing fraternization.  This final installment offers recommended steps you should take now to defend potential claims of discrimination and harassment.

Tips for Employers

Employers should prepare and implement a clear policy regarding office relationships or update an existing one, and be sure to disseminate it and obtain employees’ acknowledgements.  The policy should address the extent to which office relationships are permissible, and, if appropriate, require employees to promptly disclose the existence (or termination) of a romantic or sexual relationship to a designated member of Human Resources or management.  When the employees involved are in a supervisor/subordinate relationship, disclosure is especially critical so that the employer may effectively address the impact of the relationship (e.g., evaluating if it is necessary to change job duties or reassign the employee(s)).

If harassment occurs despite an employer’s best efforts to prevent and stop it, you will have a strong defense if you can demonstrate that you have done the following:

  • Implement and enforce a sexual harassment and office romance policy that provides a clear reporting channel and prohibits retaliation for good faith complaints.
  • Respect employees’ reasonable expectations of privacy regarding their relationship in line with the company policies.
  • Train new and existing employees on the sexual harassment policy and document the training.
  • Train managers on what constitutes sexual harassment and how to handle complaints.
  • Train employees to report inappropriate behavior.
  • If a relationship develops between a manager and his/her subordinate, transfer one of them if possible to eliminate a direct reporting relationship.
  • Promptly and thoroughly investigate complaints.
  • Take appropriate corrective action to address prior incidents of sexual harassment.

Regardless of the type of policy your company adopts, be sure to customize it to the needs and actual practices of your business.  Train employees and managers on expectations governing office romances.  A well-drafted and uniformly enforced fraternization (or non-fraternization) policy will not prevent workplace relationships altogether, but it can protect you if you encounter office romances.

Article by: Mona M. Stone of Greenberg Traurig, LLP