In this inaugural episode of LAN Party Lawyers, Carlton Fields attorneys Steve Blickensderfer and Nick Brown discuss the increasingly popular phenomenon of including loot boxes in digital games. They also examine the growing concerns about loot boxes by regulators around the world and debate whether loot boxes should be considered a form of gambling.
Startup Resources
Expand your knowledge with articles, interviews, and updates that offer perspectives on entrepreneurship and the issues that impact your business.
Crowdfunding Cybersecurity Entrepreneurship HR & Employment Immigration Innovation Insurance Intellectual Property International Media & Entertainment Securities
U.S. Immigration Policy and Procedural Changes Impacting Foreign Students (Webinar)
This presentation is a three-part series on the procedural and policy changes issued by the various U.S. agencies governing legal immigration, and the impact of these changes on foreign students in the U.S. with student, scholar or trainee visas such as F, M or J, as well as their spouses and dependents.
Immigration Senior Counsel Maria Mejia-Opaciuch provides practical tips and insight into how these changes could impact future green card or residence applications via family- or employment-based petitions.
Custom Software Development: Practical Strategies to Get What You Pay For (Webinar)
A company’s custom software is an increasingly important part of growing profitability, shrinking expenses, and reaching new markets. It is critical to corporate success or failure. Software deals and licensing models are evolving as quickly as the technology, becoming more complicated and costly. Companies that do not understand the current trends and common pitfalls when negotiating software contracts may find themselves facing unexpected and unnecessary expenses and litigation. In this webinar, Carlton Fields Shareholders Eleanor Yost and Jack Clabby sit down with Michael Ritchie to discuss best practices for scoping and negotiating custom software and IT agreements.
The SEC Addresses Initial Coin Offerings
On July 25, 2017, the Securities and Exchange Commission (SEC) issued a Report of Investigation pursuant to Section 21(a) of the Securities Exchange Act of 1934 (Report) [1] and an Investor Bulletin: Initial Coin Offerings (Bulletin) [2] finally weighing in on whether virtual coins or digital tokens created and disseminated using distributed ledger or blockchain technology may be “securities” under the federal securities laws.
The answer? Maybe, depending on the facts and circumstances.
Virtual Currencies, Initial Coin Offerings, and Tokens – What are They?
Recently, the sale of blockchain-based tokens through initial coin offerings (ICOs) has become an increasingly popular financing technique used by companies to raise capital to fund the development of a digital platform, software, or other project. The sale of such tokens through ICOs has been made possible through the rapid popularization of blockchain technology, the cryptographically-secured, distributed ledger that underpins virtual currencies such as bitcoin and ethereum.
Although the mechanics of ICOs may vary, one popular method of conducting a token sale is to utilize ethereum’s ERC-20 token standard, and issue such tokens through a smart contract deployed to the ethereum blockchain. In this example, individuals may participate in an ICO by sending a certain amount of ether (the token used to transact on the native ethereum blockchain, also known as ETH) to a smart contract. In turn, the smart contract will send a corresponding amount of tokens to the wallet that initiated the transaction. Thus, at the conclusion of the ICO, the company that created the token and deployed the smart contract will likely have received ether in exchange for its own token. Similarly, users who sent ether to the smart contract will typically receive tokens, which may have a number of potential uses.
Tokens purchased through an ICO may be used to, among other things, access the platform, use the software, or otherwise participate in the project. Other tokens may function to confer certain rights on the token holder, such as ownership rights, the right to share in a portion of the organization’s profits, or the right to vote on how the organization should conduct itself.
Tokens are generally fungible. After their issuance they may be sent to other persons in a manner similar to the way ether is transacted between users. Leveraging the same benefits of blockchain technology enjoyed by other virtual currencies, token transactions are recorded on the blockchain, which, through the power of complex mathematics and cryptography, functions as a reliable transaction ledger with verifiably accurate entries.
To provide a medium for the exchange of virtual coins or digital tokens after they have been issued, platforms have developed as a secondary market for trading them. These platforms, known as virtual currency exchanges, consist of persons or entities that exchange virtual currency for a fiat currency (e.g., an underlying physical currency, such as dollars), funds, or other virtual currency. The virtual currency exchanges generally receive a fee for these exchange services.
As a result of the infrastructure described above, the use of virtual coins and digital tokens is becoming a popular method to exchange and store value, manage and exercise ownership rights, and administrate other functions. However, depending on the specific attributes of a given token, it may be considered a security under U.S. law, and therefore subject the issuer to applicable laws and regulations.
Are Virtual Coins and Digital Tokens “Securities” Under U.S. Securities Laws?
Investment Contracts are Securities. Under the federal securities laws, a security is defined to include not only the typical types of instruments that everyone understands to be a security (e.g., stocks, bonds, notes, etc.), but also “investment contracts.” [3] In the seminal case of SEC v. W.J. Howey [4], the Supreme Court defined an investment contract as:
- an investment of money;
- in a common enterprise;
- with a reasonable expectation of profits;
- to be derived from the entrepreneurial or managerial efforts of others.
The SEC will apply this test to determine whether virtual coin or digital token offerings involve the offer and sale of securities subject to the federal securities laws. The first three prongs of the test generally are easy to apply, especially when the marketing materials or white papers for the offering espouse the benefits of investing in the tokens. However, applying the fourth prong of this test can be problematic and will depend significantly on the specific facts and circumstances of the offering, the function of the token, and the operation of the underlying enterprise.
California Federal Court Allows Indirect Purchasers of Securities to Sue Issuers for Fraud Under California Statute – Colman v. Theranos, Inc.
A federal magistrate judge in California has allowed a securities fraud suit against a late-stage private company to proceed despite the plaintiff investors holding a security interest only through intermediary, single-purpose investment funds. The opinion in Colman v. Theranos, Inc., 16-cv-06822-NC (N.D. Cal) (Apr. 18, 2017), offers several important lessons for pre-IPO companies and securities practitioners doing business in California.
Theranos, Inc. is a privately held life sciences company that touted how its proprietary technology allowed pharmacies to run highly accurate tests from just a few drops of blood. According to the complaint, beginning in 2013 the company engaged in an extensive advertising campaign, raised over $700 million from private individual and fund investors, and won a significant contract with Walgreens.
Plaintiffs made their investments in Theranos indirectly, by buying security interests in investment funds that were set up for the sole purpose of making a direct investment in Theranos shares. In October 2015, the Wall Street Journal published an article questioning the viability of Theranos’ technology. By July 2016, the Center for Medicare and Medicaid Services imposed significant sanctions on Theranos and, by that fall, Walgreens had sued Theranos for breach of contract.
Alleging that their investments were now worthless, plaintiffs brought an action for securities fraud under the California Corporations Code and the common law on behalf of all individuals and entities who directly or indirectly purchased Theranos securities. Plaintiffs sued the company, its founder and CEO Elizabeth Holmes, and its former president and chief operating officer Ramesh Balwani. Defendants moved to dismiss.
Defendants argued that plaintiffs could not bring a cause of action under California Corporation Code section 25400(d) and 25500, which together provide a private right of action for false or misleading statements made to induce the purchase or sale of a security, because plaintiffs did not purchase securities directly from Theranos.
In an April 18, 2017 opinion, U.S. Magistrate Judge Nathanael M. Cousins denied the motion in this respect, holding that “the purpose of Section 25400(d) is [to] prevent the manipulation of the market by fraud, and it focuses on the actions of the seller of the securities, not the relationship between the seller and buyer.” Further, the court explained that neither section requires plaintiffs to prove reliance on defendants’ misrepresentations. However, the court did acknowledge that the reach of these provisions are not unlimited and that the plaintiffs still must prove the defendants’ intent to induce the purchase of securities through the misleading statements. As a result, this would limit a cause of action to purchasers who are reasonably foreseeable.
The court further stated that liability is not limited to the corporate entity but extends to “any person who makes false or misleading statements.” Thus, Theranos’ corporate officers alleged to have made misleading statements on behalf of the company for the purpose of inducing purchases of Theranos stock were held to be proper defendants.
In ruling on other portions of the motion, the court dismissed the count under Sections 25401 and 25501 which extends liability to certain negligent conduct because those provisions, in contrast to 25400(d) and 25500, focus on the relationship between the parties and by their terms required privity between seller defendant and purchaser plaintiff. The court refused to dismiss the remaining fraud counts, holding that reliance was adequately alleged because the complaint stated that each plaintiff relied on newspaper articles quoting Theranos’ officers that “were part of the advertising campaign touting Theranos’ technology.”
The decision has significant implications for growing private companies in the technology sector in California, many of which reside in Silicon Valley or Silicon Beach or seek to raise funds in those areas.
The named plaintiffs each invested in an intermediary that was specially-built for the investment in Theranos, and the intermediary itself held the securities. This arrangement has become common for California late-stage private companies, particularly in the technology industry. This decision should caution issuers and their counsel in pre-IPO offerings to consider taking steps to limit the reasonably foreseeable purchasers by better reflecting and enforcing the transfer restrictions on the shares. Additionally, the issuer should take additional steps to inform the investing intermediaries that any further sale or securitization of these shares are prohibited and will be null and void.
Intermediaries themselves should also proceed with caution. The court addressed this as a postscript, requiring additional briefing on the subject of whether adding the intermediaries as “necessary parties” under Rule 19 would disturb venue.
Lastly, it is surprising how little analysis was given to the alleged false statements. The securities laws typically distinguish between corporate advertising to consumers and statements intended to solicit an investment. In this case, the basis for the alleged false statements was the “advertising campaign,” which could have been interpreted as designed to persuade consumers to use Theranos’ products and to win additional wholesale business through new contracts with pharmacies, rather than to solicit investments. But the court accepted plaintiffs’ allegations that statements made in the advertising campaign were for the purpose of raising capital. Late-stage private companies should consider carefully reviewing any advertising and related marketing efforts taking place within a reasonable period of time in advance of any anticipated capital raise with a view to limiting unnecessary hyperbole and any reference to the value of the company or its securities. Further, private companies also should consider including appropriate cautionary language and disclaimers on their advertising.
Employers Must Now Use New I-9 Employment Eligibility Verification Form
Beginning January 22, employers must only use the new I-9 Form dated November 14, 2016, which replaces the form dated March 8, 2013. The new I-9 Form is located on the U.S. Citizenship and Immigration Service website and has a new expiration date of August 31, 2019. Failure to use the new form may result in the assessment of penalties. The I-9 form has been required for all new hires after November 6, 1986.
The new form, which has “smart” error-checking features, is simpler to use. Its enhancements streamline certification for certain foreign nationals. The most prominent changes are:
- The form can now be completed more easily on the computer with drop-down lists and calendars for filling in dates.
- Each field has onscreen instructions.
- The full instructions, which are no longer a page of the form but separate from it, are easily accessible. However, employers must still present the instructions to the employees completing the form.
- There is a form option to clear and start over.
- Prompts have been added to ensure information is entered correctly.
- The preparer can enter multiple preparers and translators.
- A dedicated area exists for additional information (no more margin annotations needed).
- There is a supplemental page for the preparer/translator.
- The requirement that immigrants authorized to work provide both their Form I-94 number and foreign passport information in Section 1 is removed.
- A mechanism was added that prompts individuals about missing information and/or incomplete fields, highlighted in red, before moving from one section to another within the form.
- A “Print” option enables individuals to print the Form I-9 once data is entered.
- A quick-response matrix barcode, or QR code, that generates once the form is printed can be used to streamline enforcement audits.
This revised form with the above enhancements was designed to help human resource professionals and employers reduce the technical errors that have plagued this process for the past 30 years. It is important for employers to note that the new smart I-9 is not an electronic I-9 and that the form completed using Adobe Reader must still be printed, signed, and dated by the employee, and stored in a safe place. In addition, reverifications and updates must still be calendared. Where an employer uses E-Verify, the employer must retype I-9 information into E-Verify as was done with the old I-9 form.
Further, the U.S. Citizenship and Immigration Services (USCIS) amended the I-9 completion instructions, which now provide more detail and guidance in an effort to reduce errors during the I-9 completion process. Reducing errors is more important than ever as the USCIS has implemented higher civil fines against employers who commit immigration-related offenses, including I-9 paperwork violations like I-9 Form errors or omissions. The civil penalties rose from $110 to $1,110 per relevant I-9, to $216 to $2,156, representing an increase of nearly 100 percent.
Given that the Trump administration has emphasized immigration enforcement, employers would be prudent to review their I-9 compliance policy and perhaps conduct an internal audit of their I-9 records to ensure compliance with immigration rules, and that they are prepared for an audit in this new era of immigration enforcement.
If you have questions about the new I-9 Form or any general I-9 compliance issue, please contact Maria Mejia-Opaciuch, Carlton Fields senior counsel: mmejia-opaciuch@carltonfields.com or (305) 539-7319.
A Founder Creates the Fitness App She Needed
After graduating from college in 2013, fitness fanatic Tiffany Hakimianpour found her work schedule made it increasingly difficult to get to the gym. When she nonetheless managed to fit in workouts with a trainer, she learned the personal training industry operated in the Dark Ages. That experience gave her the idea for Handstand, an app that connects personal trainers with clients for workouts — including boxing, yoga, and toning — at the time and place of their choice. The company, which launched in 2015 and has secured $1 million in funding, operates in Los Angeles, Boston, and New York. Ms. Hakimianpour is looking forward to expanding into 10 U.S. markets in the first quarter or 2017, and internationally thanks to a marketing partnership with Reebok that was announced this fall.
Handstand is based in the Santa Monica, California offices of tech incubator Science Inc. Other Science portfolio companies include Dollar Shave Club and DogVacay. Recently, I spoke with Ms. Hakimianpour about her experiences as a founder. She shared thoughts on learning to draw boundaries, hiring challenges, and being mistaken for a customer service representative.
Q: What made the personal training industry ripe for disruption?
Ms. Hakimianpour: When I decided to work with a trainer, it involved sitting down with the personal training manager for an hour, committing and planning out three months of training, paying for a gym membership–and the training, and being unable to even choose or meet my trainer beforehand. The process was incredibly rigid and expensive. On top of that, I learned the trainer was making about $20 for the sessions that cost me around $150 an hour. That upset me because the trainer was the one responsible for my results.
Q: How did you figure out how to address these problems?
Ms. Hakimianpour: At the time, I was working in sales for a tech startup, which was a marketplace for creatives. The idea clicked when I was selling on the phone and I realized I could create the same thing – a marketplace – but for trainers.
Q: What first steps did you take to implement that idea?
Ms. Hakimianpour: There’s so much information on the web–I just Googled. I worked on my business plan, pitch deck, and financial plan for a week after work and then I quit the startup. I got a website up and starting testing it. You can do that overnight, using services like Squarespace. Once I had all that, plus some data that showed how many trainers and users were signing up, I pitched the idea to a few investors, and then to Mike Jones at Science.
Q: Why did you decide to apply to Science?
Ms. Hakimianpour: Something like 90 percent of startups fail, so it makes sense to attach yourself to people who’ve done it before, narrowing your chances of failure. Smart leaders can also open doors for you – things money can’t buy. I think almost every first-time entrepreneur could benefit from advice and help from people who have done it before, failed, and won.
Q: What have been your biggest challenges as a founder?
Ms. Hakimianpour: Handstand was just me and two rock star engineers for the first year and half. As a founder you’re wearing 10 hats! I was doing customer service, pitching investors, finding trainers, and trying to apply the knowledge I gathered to the technology side of the business.
Q: What do you look for in an employee?
Ms. Hakimianpour: I look for smart people who are quick on their feet and don’t need hand-holding. The ability to communicate properly is also critical.
Q: How can you tell whether a job applicant has all those qualities and skills?
Ms. Hakimianpour: It takes time and some mistakes. I just had five or six interviews for a position, and I don’t think any candidate was the right fit so I didn’t hire any of them.
Q: Tell me about your partnership with Reebok?
Ms. Hakimianpour: Reebok, along with some angel investors and Science, invested $1 million in Handstand’s seed round.
Q: How did you connect with Reebok?
Ms. Hakimianpour: Through an introduction by Peter Pham at Science.
Q: What’s next for Handstand?
Ms. Hakimianpour: I want to Handstand become the go-to platform for personal fitness of any kind – in the gym or outside of it. We’re working on expanding this vision our markets.
Q: Do you any advice for would-be entrepreneurs?
Ms. Hakimianpour: Focus and surround yourself with people smarter than you. Starting a company is not a part-time job, nor is it a breeze. But it’s well worth it.
What will U.S. Business Immigration Look Like Under A Trump Administration?
More than 10 days have passed since the election results were revealed, and the United States now has a businessman as its president-elect ready to take office on January 20, 2017. However, despite his business background, it appears that the Trump administration will be equally hard on legal business immigration as on illegal immigration. President-elect Trump’s campaign speeches and his position paper on immigration shed light on how his vision regarding immigration will impact employers with a foreign national workforce. Below are some of the pertinent temporary work visas, inspections procedures and immigration control practices that may be impacted when the Trump administration is in place, as well as a brief discussion about the longer delays expected for foreign workers traveling to the United States for short-term business reasons or to work and study.
F-1 Students and Optional Practical Training (OPT)
President-elect Trump has called for more stringent vetting of foreign nationals seeking to enter on either temporary work or student visas, or those seeking green cards. In addition, he wants to suspend the issuance of visas from countries where there is no screening process until proven and effective vetting mechanisms are implemented, particularly from regions that export terrorism. Given this possible delay or suspension, it is key for foreigners seeking to work or study in the United States to apply for the F-1 student visa before the new administration is in place. Further, there is a strong possibility that the generous regulations extending OPT to students in the STEM (science, technology, engineering and mathematics) disciplines be repealed or scaled back considerably. This is due to the Trump administration’s call for new immigration controls that would boost wages and ensure open jobs are offered to Americans first. The STEM OPT program requires employers to participate in E-Verify, an internet-based system that compares information from an employee’s Form I-9 (Employment Eligibility Verification) to data from the U.S. Department of Homeland Security and Social Security Administration to confirm employment eligibility. President-elect Trump and his key immigration team advisors are proponents of E-Verify and support the program’s expansion to all employers. As such, STEM OPT may remain in effect for some time.
TN, E-3, and H-1B1 Visas – Free Trade Agreement Visas
President-elect Trump has indicated he would seek to renegotiate or withdraw from the North American Free Trade Agreement (NAFTA) and similar trade agreements, many of which include streamlined immigration provisions allowing professionals to work in the United States under visa classifications defined in the agreements. Employers should review their foreign workforce and gather requisite data to possibly convert TNs (Canadian or Mexican), E-3s (Australian) and H-1B1s (Singaporean or Chilean) to either an H-1B visa or commence the permanent residence (green card) process. It is unlikely that the renegotiation of, or withdrawal from, any of the trade agreements will occur immediately after President-elect Trump assumes office. Employers will have time to review their workforce, consult with their immigration lawyers, and take necessary action to maintain their foreign workforce with little to no impact on the business.
H-1B Specialty Occupation Visas
President-elect Trump supports immigrants who are skilled, have merit and will succeed in the United States, and would favor reform of the H-1B program to eliminate “cheap labor.” He may seek, through legislation, a more active recruitment process built into the existing H-1B regulations. He may pursue changing rules on H-1B-dependent employers (those employing 15 percent or more H-1B visa workers) and impose more stringent regulations on wages and salaries paid to H-1B employees, possibly increasing them to as much as $100,000. As part of his vision to protect the American worker, President-elect Trump may also conduct more audits of H-1B employers. Increases in enforcement and H-1B salaries may encourage employers to ship offshore the IT and engineering work currently performed under H-1Bs, which would be counter-productive. H-1B visa reform will, in all likelihood, make certain IT projects too expensive to remain in the United States. If there are no U.S. workers available to handle the projects, the work may be outsourced overseas, or the industry may be forced to automate, as the auto industry did. This is an excellent time for employers to review their H-1B and public access files and ensure all is in order, as more audits of H-1B employers are anticipated.
Deferred Action on Childhood Arrival (DACA)
While the 725,000 or so DACA registrants in the United States may not be affected immediately when President-elect Trump takes office, it seems certain that the executive order implementing DACA will be terminated, and those with employment authorization document (EAD) cards will not have an opportunity to renew their work permits, which would impact employers. It is a good time for employers to review their foreign workforce and I-9 records to review who has time-limited EAD cards, and be prepared for the possibility that some EAD cards will not be renewed if DACA is terminated. Revocation of this program will likely take some time, but preparation is key to minimizing the disruption of the employer’s workflow.
Travel to the United States: A Fully Operational Biometric Entry-Exit Visa Tracking System
The Trump administration will implement a biometric entry and exit system at all land, air and sea ports. This system is No. eight on the president-elect’s 10-Point Plan to Put America First. Statistics show that approximately half of the new illegal immigrants enter the United States on a valid visa and then overstay. President-elect Trump plans to combat that practice by strictly enforcing visa expiration dates. It remains to be seen how this priority will be implemented (by legislation or regulation), but strict oversight on visa expirations are anticipated, given the advisors President-elect Trump has enlisted to develop his administration’s immigration policy.
Increased Worksite Enforcement, Mandatory E-Verify and Visa Compliance
President-elect Trump has clearly stated that his top priority is to build a wall on the southern border and keep illegal immigration to a minimum by immediately removing those who enter illegally or detaining them until removed. He wants to end the existing “catch and release” program in existence today. Such enforcement-centric policies may result in tangential worksite initiatives by the U.S. Immigration and Customs (ICE) resulting in increased onsite inspections of I-9 forms. President-elect Trump’s promise to deport millions suggests that employers should be proactive and review existing I-9 and E-Verify compliance programs, or implement I-9 and visa-related compliance initiatives, to ensure they are ready for any possible ICE investigations or audits. Further, it is likely that mandatory E-Verify participation by all employers will be proposed. Employers should consider conducting voluntary internal audits now to limit or eliminate potential fines in the event of an ICE investigation or audit.
It is important to note that the president-elect cannot change the existing immigration laws found in the Immigration and Nationality Act (INA) unless Congress amends the INA, and President-elect Trump signs it. This will take a considerable amount of time and cooperation between Congress and the president. He can, however, change policies or executive orders, such as the DACA program, without the involvement of Congress.
Many of these changes are speculative and yet, it is clear that changes in the above visa classes will take effect in 2017. Carlton Fields’ immigration practice group will monitor these upcoming changes. Please contact Maria Mejia-Opaciuch at mmejia-opaciuch@carltonfields.com or 305.539.7319 with any questions on the anticipated changes or other immigration-related inquiries.
There’s No Flying Under the Radar: Why Small Businesses Should Get Smart About Information Security
The latest publication by the National Institute of Standards and Technology (NIST), entitled “Small Business Information Security: The Fundamentals,” aims to promote and assist small businesses in their efforts to manage information security risks. Written by Celia Paulsen and Patricia Toth, the report speaks directly to the needs of growing businesses and suggests that the security of information, systems, and networks should be a top priority. Overall, the report explains some of the security issues unique to small businesses and offers a guideline for safeguarding information to help those businesses thrive. Below are several key takeaways from the report.
Small Businesses are Particularly Vulnerable
In many ways, small businesses have even more to lose than large ones simply because an event—whether a hacking, natural disaster, or business resource loss—can be incredibly costly. The report begins by noting that while cybersecurity improvements by some businesses have rendered them more difficult attack targets, this has led hackers and cyber criminals to focus more of their attention on less secure businesses. One reason for this is that small businesses, including startups, often lack the resources to invest in information security as larger businesses can. Many fall victim to cyber-crime. In a later comment on the report, author Pat Toth stated, “[s]mall businesses may even be seen as easy targets to get into bigger businesses through the supply chain or payment portals.” She continued, “[small businesses] may have more to lose than a larger organization because cybersecurity events can be costly and threaten their survival.”[i] National Cyber Security Alliance research adds further credibility to this assertion. It found that 60 percent of small businesses will close down within six months following a cybrattack.[ii]
Information Security is Good for Business
Another of the report’s goals is to refute the notion that information security is too cumbersome a task for a young business to undertake. In fact, investing in proper security is potentially excellent for business. Protecting customers’ information as well as personal employee information is a critical component of good customer service. Furthermore, a robust information security program can help small businesses grow and retain customers as well as employees and business partners. Nowadays, customers not only appreciate but have also come to expect that their sensitive information will be protected from theft, disclosure, or misuse. Therefore, it is necessary that your business protect customers’ information to establish their trust as well as increase your business. Additionally, business partners and vendors want to know that their information, systems, and networks are safe when doing business with you; therefore, it is important to be able to demonstrate that you have a method to protect their information.
Get to Know Your Unique Risks
First, identify the information your business stores and uses. This may involve listing all the types of information your business stores or uses, including customer names and email addresses, receipts for raw material, banking information, and other proprietary information. Next, determine the value of your information – if not by dollar amount, by rank in comparison to other risks. Then, develop an inventory of technology, both hardware and software. Last, understand your threats and vulnerabilities in the areas of confidentiality (e.g. theft or accidental disclosure), integrity (e.g. accidental alteration, intentional alteration), and availability (e.g. accidental destruction, intentional destruction).
Safeguard Your Information
The report recommends a five-step process.
- Identify. Start by controlling who can access your business information. Consider physically locking laptops and mobile devices when not in use, conducting background checks, requiring individual user accounts for employees, and creating policies and procedures for information security.
- Protect. This can include limiting employee access to data and information, installing uninterruptible power supplies (UPS) and surge protectors in case of an electricity interruption, updating and patching your software, installing firewalls, securing wireless access points and networks, setting up web and email filters, encrypting sensitive business information, properly and quickly disposing of old devices, and training employees regarding security policies and procedures.
- Detect. In a security emergency, time is of the essence. Swift discovery of breaches is essential. To assist, consider installing updates to anti-virus and allowing for automatic updates as well as maintaining logs of firewall and anti-virus activity.
- Respond. In a security event, the impact and ultimate cost of a breach may be contained or even reduced by implementing a disaster plan. Employees should be trained according to a developed plan that set out employee roles and responsibilities, protocol for shutting down or locking computers, whom to contact, and triggering events for when the plan should go into effect.
- Recover. In the wake of a security event, the goal of your business will likely be to resume normal operations as soon as possible. As such, consider making full backups of important information, such as on an external hard drive or cloud, and doing so often. Additionally, it may be worthwhile to invest in cyber insurance as well as ongoing technology improvements.
Everyday Tips for Working Safely and Securely
The report emphasizes the importance of employee training, and states that although cyber-criminals are becoming more sophisticated, many still use well-known and easily avoidable methods in their attacks. Therefore, employee awareness and training in the following areas may provide significant protection.
- Pay attention to the people you work with, the people you contract with, even the people who share your building. If a security event affects your neighbors, it is likely you are at risk as well.
- Be extremely careful opening email attachments and web links. Do not click on a link or open an attachment that you were not expecting to receive. Perhaps the most common way malware is distributed is via email attachments or links embedded in email.
- As much as you can, try to use separate personal and business computers, devices and accounts, because personal devices are often less secure and could expose you to increased risk. In addition, do not connect personal or untrusted storage devices to your business computer.
- Only download software from reputable sources.
- Be aware of social engineering, which is an attempt by wrongdoers to obtain physical or electronic access to your business information by prying information from you via manipulation.
- Never give out a username or password. Speaking of passwords, try incorporating random sequences of letters and special characters into them. Try also to use multiple forms of authentication (e.g. dual-factor authentication by text).
- Use a secure browser connection whenever possible.
Do Not Throw In the Towel
While it is impossible for any business to be completely secure, the report assures that it is both “possible—and reasonable—to implement a program that balances security with the needs and capabilities of your business.” You need not be a cybersecurity expert to develop an effective plan. In fact, you may find it best to outsource some or all of your security needs. Consider it an opportunity to network by asking around for recommendations. Additionally, in some cases, large organizations may help their small business suppliers analyze their risks and develop an information security program. For a deeper dive into the details of implementing an information security protocol that will work for your growing business’s unique needs, read the full report here.
The author would like to acknowledge the contributions of Gail Jankowski in the preparation of the alert.
[i] https://www.nist.gov/news-events/news/2016/11/new-nist-guide-helps-small-businesses-improve-cybersecurity#
[ii] https://staysafeonline.org/stay-safe-online/resources/small-business-online-security-infographic
Ivanka Trump Intern Controversy Offers Key Reminders for Businesses
A recent blog post by one of Ivanka Trump’s interns suggests the Presidential candidate’s daughter uses unpaid interns to help run her website, IvankaTrump.com.
The intern offered tips on staying financially afloat while living in New York and being paid in experiences, rather than wages. Ivanka Trump tweeted the blog post and criticism ensued.
Actual educational experiences can amount to a proper unpaid internship; but, the longstanding practice of using interns as free labor can be risky. For that reason, it is an increasingly unpopular practice. Only businesses with altruistic motives should seek out unpaid interns. That’s because most courts look to who receives the primary benefit of the working relationship, the business or the intern, when determining whether an intern should be paid. If you use interns as an “extra set of hands,” you may be violating the Fair Labor Standards Act (FLSA), the federal wage and hour law governing employment relationships.
An insufficiently structured internship program creates risks to your business, including reputational damage; investigations by the Department of Labor (DOL), which implements the FLSA regulations; and private lawsuits under the FLSA, some of which may be costly collective (class) actions.
The DOL has developed a six-factor test to analyze whether an employment relationship exists between a business and intern. Many courts find these factors too rigid and reject them, but they are helpful to illustrate the types of issues argued, and considered, by the DOL and private attorneys in internship litigation. The trend is for courts to analyze who received the primary benefit of the work, and no one factor is dispositive.
The best practices below draw on a combination of the more stringent DOL six-factor test factors, and consider internship programs that courts have found primarily benefit the interns and do not create an employer-employee relationship covered by the FLSA. When establishing and running your internship program, aim for a generous combination of the following best practices.
Best Practices for Your Internship Program
College credit. Work with schools to get interns college credit. This is listed first because it is strikingly persuasive evidence that the primary benefit of the relationship inures to the intern.
Make the internship educational. If the intern attends school, to the extent the school has internship requirements, be sure to tailor the program to meet them. You can also do this by: obtaining course materials and syllabi from a school so you know the interns educational training needs; speaking to school instructors about student tasks to ensure the school believes the assigned tasks have educational value; check in with the school and give updates on interns’ progress; provide student evaluations to the school; invite the school to visit your business to observe the students.
Take what you get. Avoid conducting interviews, which are an indicia of employment, to choose your interns. To the extent a school can send interns, without having your business interview them, this “take what you get” approach is helpful. Also, if interns can pick the hours and days they work, this also militates against a showing of employment, as most employers pick the dates and hours of work. Still, the internship should have fixed start and stop dates and not continue indefinitely. The longer the relationship lasts, the more likely it will be argued to be an employment relationship.
Hands-on training. Provide training that your interns will be able to use within your industry, not just training specific to your business. Focus on teaching and observing the interns. An employee should remain responsible for the tasks assigned to them, and should double-check their work.
Field Trips: Plan activities that offer no benefit to the business whatsoever. Take the interns on an educational field trip. Bring in a guest speaker. Think about what kind of educational activities would benefit interns in your industry. Consider the types of experiences you can offer that interns could not get in a classroom. Build on their classroom experiences.
Don’t displace any employees. Do not depend on an intern’s work to run the business. Be careful not to delegate significant duties to the interns while you or other employees devote time to other matters. You do not want it to appear that the interns have displaced any paid employees.
Provide supervision and feedback. The more supervision and feedback your company provides to interns from knowledgeable and experienced employees, the better. Monitor the interns. Let them shadow your employees. Although it may seem counterintuitive, your interns should actually slow down employee work. Answer interns’ questions, guide them, and give them written evaluations (ideally, daily). These evaluations need not be terribly time-consuming. You might create and use a standardized form. The students could evaluate their own work, detailing what they learned during the project.
No post-internship employment. Be sure the interns understand they are not guaranteed jobs after the internships. Consider including this reminder in a written form for them to sign at the start of the internship. Don’t make interns commit to employment should you make an offer at the end of the internship. And, don’t use the internship as a trial or probationary period.
No payment. Include in the form for the interns to sign their acknowledgment that the internship is unpaid and that they understand they are not entitled to minimum wage as non-employees. Don’t offer them benefits, that only aids in an employment relationship argument. Tout the educational worthiness of the non-employment program in any marketing pieces for the program.
These are aspirational goals, a combination of which will help you structure your internship program to maximize the chances of a favorable outcome should your business be charged with failing to pay an intern minimum wage and overtime.