
Launch to Thrive

Free Business & Legal Resources for Entrepreneurs and Startups


Startup Resources

Expand your knowledge with articles, interviews, and updates that offer perspectives on entrepreneurship and the issues that impact your business.


2 Key Insurance Considerations For Startups

All Resources// Insurance

Startups have varying insurance needs, requirements, and questions. Questions include: Is the startup well-financed with directors and officers that have an immediate need for directors and officers (D&O) liability insurance? Or does the startup need errors and omissions (E&O) insurance coverage (or other professional liability insurance)? And if the startup already has employees, will it offer employee benefits, such as health insurance and life and disability insurance? Does the state (or states) in which the startup operates require employers to pay for disability insurance? How does the Affordable Care Act (ACA) impact the startup?

Startups can benefit from legal counsel in navigating the issues associated with the ACA, and other employee benefit and insurance needs. Two additional types of insurance needs may not be readily apparent to a startup, but can provide significant benefits for different reasons: commercial general liability insurance and “key person” life insurance.

General Liability Insurance

General liability insurance provides a wide range of coverage that can be crucial for a young business. Many of these policies protect companies against liability for bodily injury, property damage (including property the company rents), and personal or advertising injury. Many insurers also offer to cover the costs of investigating and defending companies against legal claims. This is particularly important, because the legal fees necessary to fight a lawsuit can deplete a new company’s funds even if the legal claim is meritless.


Some general liability policies may also cover individuals acting on the startup’s behalf. This is also important, because startups’ owners often do some, if not significant, work on behalf of the startup in their individual capacity, often before a corporate entity is established. Once a general liability policy is in place, these individuals are protected when they act on behalf of the startup, even if a corporation, limited liability company or similar entity is not yet formed. While a corporate structure should be set up to shield a startup’s owner(s) from liability, a general liability policy can act as a second shield for the company’s founders. In addition, when a startup is new, errors may be more likely because systems and safeguards are not yet known or established to protect the startup. Lawsuits and liability claims also have greater potential to impact a new startup that is stretched thin on capital. A general liability policy can protect startups in this vulnerable situation.


But while there are many potential benefits of a general liability policy for a startup, the policy should be examined carefully, particularly its exclusions from coverage. Most individuals naturally focus on the amount of liability coverage and deductibles associated with a general liability policy before purchasing it, but a careful review of the policy’s exclusions is just as important. Some general liability policies might exclude a startup’s entire type of work, service provided, or product produced and thereby significantly undercut the policy’s value to the startup. In this situation, it is sometimes feasible to purchase separate coverage to insure the excluded area. To select appropriate coverage, startups should consult an experienced insurance broker with knowledge of their industry.

“Key Person” Life Insurance

Startups also might not immediately recognize the benefit of key person insurance. But such coverage may serve a crucial purpose. Many startups, by virtue of their newness, are completely dependent on the vision, knowledge, and expertise of one or two individuals. Other startups might be dependent on one person, because it is only identified with one person’s likeness for advertising purposes. While this may not present a problem when the startup solely consists of one or two ambitious founders, risk increases as the startup grows and begins to employ numerous individuals or is backed by investors infusing capital to expand it. Particularly as this risk increases, key person insurance should be considered.


This type of insurance protects against the death of a key person in the company where it would lead to a sharp decline in earnings or even the company’s demise. Accordingly, it is important for startups to honestly evaluate whether the death of a key employee or founder would significantly harm the startup’s financial health. In addition, investors or creditors may want the assurance of a key person insurance policy before investing or loaning money to startups. If it is determined that key person insurance is needed, an amount of coverage must be chosen. This analysis will, of course, vary from startup to startup, but the startup should analyze its current net worth or the present value of its likely future profits. This will help inform the amount of coverage to purchase. And, again, consulting an experienced insurance broker will help a startup determine the appropriate amount of coverage. If key person insurance is obtained, the startup should continue to evaluate whether coverage is necessary as the company grows and becomes less reliant on one or two individuals.

Startups have numerous and different insurance needs and will face many challenges as new businesses, but by considering whether general liability and key person insurance are appropriate products they will likely be better positioned for sustainable growth.

Originally published by JD Supra Perspectives.

Unpaid Internships: Tips for Avoiding Legal Liability

All Resources// HR & Employment

Unpaid internships present companies with potential legal exposure, as shown by several recent, well-publicized legal victories for interns, including one against NBC, which ultimately paid out millions of dollars. To help avoid liability, companies must comply with the Fair Labor Standards Act (FLSA), which permits unpaid internships under certain limited circumstances. While the FLSA applies to both for-profit and non-profit entities, it only becomes relevant if an employment relationship (between an employer and an employee) exists.

To determine whether an employment relationship exists for FLSA purposes, courts look at the ‘economic realities’ of the individual case (i.e., the worker’s economic dependence on the alleged employer). The U.S. Supreme Court has not addressed whether student interns are ‘employees’ for purposes of the FLSA. However, the Supreme Court has considered a related question—in the context of trainees in a company’s own training program—and determined that the FLSA does not define the employment relationship so broadly as to render all who provide any kind of service employees. See Walling v. Portland Terminal Co., 330 U.S. 148, 152 (1947). Since then, courts have applied the Portland Terminal holding in the student intern context.

Portland Terminal

In Portland Terminal, a railroad gave prospective brakemen a seven- or eight-day preliminary training course. There were no classrooms. Under a yard crew’s supervision, the trainees first observed the work and then performed it. Those who successfully completed the course formed a pool of workers available to the railroad as openings occurred. The trainees were not paid for the training period.

The Supreme Court found that, because the trainees were not employees under the FLSA, they were not entitled to compensation for their training. Although the trainees performed “work in the kind of activities covered by the [FLSA],” they still had to prove they were “employees.” In that regard, the court looked at the relative benefits of the training program to the trainees and the railroad. Id. at 150.

The court found that the trainees’ “work does not expedite the company business, but may, and sometimes does, actually impede it.” Id. at 150. Clearly, there is no employment relationship if the business “receive[s] no ‘immediate advantage’ from any work done by the trainees,” or if the trainees are “work[ing] for their own advantage.” Id. at 152-53. That is because the FLSA “was not intended to penalize [businesses] for providing, free of charge, the same kind of instruction [as a school] at a place and in a manner which would most greatly benefit the trainees.” Id. at 153. Otherwise, “all students would be employees of the school or college they attended,” and everyone who performed work for others (but for their own personal purposes) would be entitled to wages. Id. at 152. So, although the trainees performed hands-on work during the training period, and the railroad created a pool of trained brakemen from which it could hire as openings arose, the Supreme Court held the trainees were not “employees.”

Applying Portland Terminal, courts have found that no employment relationship exists for students where:

  • the work is an extension of studies and the intern received course credit and a grade for the work;
  • the intern’s performance of actual work at the facility is the central purpose of the internship;
  • no compensation was contemplated or paid;
  • the facility received very little benefit from the intern’s work, in that the intern did not displace a paid worker and did not lighten the workload for other workers; and
  • the business had to supervise the intern’s work, provide feedback and training as needed, and answer the intern’s questions.

Some courts, including appellate courts in the Sixth Circuit (Kentucky, Michigan, Ohio, and Tennessee) and Second Circuit (Connecticut, New York, and Vermont), have said this analysis, and Portland Terminal, create a “primary benefit” test: whether the primary benefit of the internship was to the student or the business. See e.g., Solis v. Laurelbrook Sanitarium & School, Inc., 642 F.3d 525, 526, 528-29 (6th Cir. 2011); Glatt v. Fox Searchlight Pictures, Inc., 791 F.3d 376, 383 (2d Cir. 2015).

The DOL’s Position on Unpaid Student Internships

The DOL (U.S. Department of Labor), the agency tasked with implementing regulations for the FLSA, has stated, in the context of student interns, that no employment relationship should be found where the student receives credit toward graduation for the internship and the internship provides real-life experiences unobtainable in the classroom setting. To analyze the student intern relationship, it also developed a six-factor test, which is intended to evaluate the relationship’s economic realities consistent with Portland Terminal.

Some courts use the DOL factors as a guide in evaluating whether an employment relationship has been formed. Others do not use them at all, finding them overly rigid and inconsistent with Portland Terminal.

The factors are:

  1. the training, even though it includes actual operation of the facilities of the employer, is similar to that which would be given in a vocational school;
  2. the training is for the benefit of the trainees or students;
  3. the trainees or students do not displace regular employees, but work under their close observation;
  4. the employer that provides the training derives no immediate advantage from the activities of the trainees or students; and on occasion its operations may actually be impeded;
  5. the trainees or students are not necessarily entitled to a job at the conclusion of the training period; and
  6. the employer and the trainees or students understand that the trainees are not entitled to wages for the time spent in training.

Student Intern Programs: Best Practices

While there is no sure way to prove that an employment relationship does not exist, the court will weigh the following factors in the event of a lawsuit:

  • College credit. If student interns receive college credit, that will be enormously helpful to a company’s position that no employment relationship exists. In fact, the DOL has stated that if the intern receives college credit, the primary benefit inures to the student thereby satisfying factor No. 2 of its test.
  • Educational experience. Ensuring that the internship is an educational experience will also help a company’s case. For example, obtain course materials and a syllabus from the student’s school; speak to school instructors about the intern’s assigned tasks to ensure that the school believes the tasks have educational value; and maintain contact with the school, providing updates on the interns’ work and evaluations of their projects. Consider inviting school representatives to visit your premises to observe the students at work and get the representatives’ feedback on the interns’ assignments. Also, to the extent the school has internship requirements, be sure the program meets them. If the dates of work correspond to the academic calendar, that is helpful. The internship should not last so long that the work becomes overly repetitive and lacking in further educational advancement.
  • Indicia of employment. To the extent the school can select your company’s interns, this “take what you get” approach is beneficial because your interviews of students would be classic indicia of employment. Also, allowing students to choose their own work hours and days militates against a finding of employment because most employers establish an employee’s dates and hours of work.
  • Hands-on Training. Keep the focus on skills that are transferable within the applicable industry, not just on those solely related to your company’s operation. The key is to emphasize teaching and observing the students. Make an employee responsible for the students’ tasks and require the employee to double-check their work. Field trips and guest speakers may be appropriate.
  • Displacement. Be careful not to delegate duties to students that would allow your employees to devote time to other matters. It must not appear that students have displaced any employee.
  • Supervision and Feedback. The more supervision and feedback your company can provide, the better. Monitor the students, answer their questions, provide guidance, and give them frequent written evaluations. These evaluations need not be time-consuming. Work with your lawyer to create a standardized form. Students could evaluate their own work, detailing what they learned during the project and internship.
  • No post-internship employment. Explain to the students that they are not guaranteed a job after the internship. Your lawyer can help you draft a form that students sign upon starting the internship.
  • No payment. The form should include the student’s signed acknowledgment that the internship is unpaid.

To the extent a company can show that its internship program is consistent with these factors, it will have a strong—albeit not risk-free—defense to any FLSA claim.

Immigration Law for Startups: Best Practices, Prime Options, and Common Pitfalls

All Resources// Immigration// International

This article provides guidance to new or foreign companies that are entering the U.S. market and seeking to employ either foreign nationals already in the United States on non-working visas, or foreign nationals overseas who wish to enter the United States with a work visa. The discussion is meant to raise important issues, provide best practices, and explain how startups can avoid common pitfalls and meet key deadlines critical to hiring foreign nationals—and maintaining them in legal status. It also includes a brief discussion that aims to help startups remain compliant with the labyrinth of complex immigration rules.

Best Practices


Startups must have evidence of their corporate existence and financial viability in order to seek temporary work visas, which allow foreign nationals to work and live in the United States. Once that evidence is readily available, startups should have strong business plans with five-year staffing and revenue growth projections. These business plans are required for the nonimmigrant visa petitions that must be filed with the appropriate U.S. immigration authorities, whether in the United States or at U.S. consulates overseas.

Startups seeking to hire foreign nationals should begin the interview process early to determine which of the various nonimmigrant (temporary) work visas would be best to seek from the U.S. immigration authorities. Nonimmigrant visas allow the foreign national to live and work in the United States for a fixed length of time. Although they do not lead to permanent residence (a “green card”), some nonimmigrant visas can be renewed indefinitely. It’s best to start the interview process four months before the foreign national’s anticipated start date at the company to provide a cushion. The U.S. immigration authorities will want to see a detailed job description of the position sought to be filled, its education and experience requirements, and the foreign national’s qualifications. Collecting education and experience documentation from the foreign national is a time-intensive process. For some types of work visas, it requires translations and educational evaluations of the documents. Work visa application processing times at the U.S. immigration offices vary from as short as 15 business days, if a premium processing fee is paid, to as long as five months with regular processing. Planning ahead and reviewing the start date is critical.


Startups should understand that the U.S. immigration authorities are wary of new corporate entities. They should document as much as possible regarding the corporate existence, including operating licenses, corporate bank accounts, and signed and dated corporate leases.

Foreign-owned companies starting up in the United States are advised to have the business plans described above, showing corporate existence and financial viability, plus evidence of ownership of the foreign-owned and U.S. startup to meet certain visa requirements to transfer foreign personnel to the United States.

Startups should determine the length of time a foreign national will be needed and whether the employment will be short- or long-term as this may determine the type of nonimmigrant temporary work visa sought. Some short-term visas can be converted to long-term, indefinite visas. These are immigrant visas, commonly known as “green cards,” and permit the individual to remain in the United States as a permanent resident. Early planning and review of the position is critical for the startup seeking a foreign national to work in the United States.


Prime Options

Startups can take advantage of certain nonimmigrant visa options that can help them to hire foreign nationals expediently, cost-effectively and, in some cases, without having to first apply through the immigration authorities in the United States. The following temporary work visas require no application through the U.S. immigration authorities in the United States and can be presented either at the U.S. consulate overseas, or at the U.S./Canadian or U.S./Mexican border:

  1. TN Visa for professionals coming to the United States pursuant to the NAFTA agreement. They can present their TN application at the U.S./Canadian border and be admitted for up to three years. Mexicans can present their TN application at the U.S. consulate in Mexico and will obtain a one-, two- or three-year TN visa stamp to enter the United States;
  2. E-3 visa for Australian nationals coming to work as professionals. They can apply for the E-3 stamp at a U.S. consulate and enter to work in the United States;
  3. H-1B1s for Singaporean or Chilean nationals coming to work as professionals pursuant to free trade agreements between the United States and Chile, and the United States and Singapore. They can apply for the H-1B1 visa at the U.S. consulate overseas and enter to work in the United States;
  4. Canadian nationals can enter the United States as L-1 intracompany transferees by processing at the U.S./Canadian border, or at an international airport by processing directly at these ports of entry without a formal work visa petition approval issued by the U.S. immigration authorities; and
  5. E-1 or E-2 treaty trader or investor visas can be processed directly by U.S. consulate officials overseas for certain nationalities without a formal work visa petition approval. Such work visa classifications are governed by rules. When used, they can save startups money, time, and effort.

Common Pitfalls for Startups

Startups often unknowingly hire foreign nationals in the United States to work for them under the B-1 business visa. This visa is not a temporary work visa and does not allow foreign nationals to work in the United States. Further, certain nationalities are allowed to enter the United States without a formal B-1 visa stamp. This visa waiver program is reserved solely for short-term business trips. It is not to be used to circumvent U.S. immigration work visas.


Startups also often hire foreign nationals without completing the mandatory I-9 employment verification form. All employers in all states must complete and maintain a Form I-9 employment verification form for each employee hired after November 6, 1986, the date the Immigration Reform and Control Act of 1986 was enacted. This applies regardless of the startup’s size. Employers must complete the Form I-9 in a timely manner, usually within three days of hire; have the employee complete and sign the appropriate Form I-9 section (section 1); review the acceptable documents presented by the employee; and complete section 2 of the Form I-9. Employers cannot, in the process of completing the Form I-9, discriminate or retaliate by actions, remarks, threats, over-documenting, or requesting specific documents. Employees must be given the list of acceptable documents, found on page nine of the form. As companies grow, it is critical to establish and maintain a formal I-9 policy and conduct regular internal I-9 audits to be compliant and avoid heavy monetary fines resulting from U.S. government audits.

Startups often fail to record the work visa expiration dates, fail to timely commence an extension process, or fail to convert to an immigrant visa far enough in advance. Failure to do timely extensions or processing of an immigrant visa (the “green card”) can lead to gaps of employment between the expiration date of the temporary work visa and the approval of the extension or the effective date of the immigrant visa. Such gaps can lead to employees not being able to work for periods of time. Startups should use case management systems to track work visa dates, ensuring compliance and timely extensions. All nonimmigrant visas are valid for only limited periods of time, which vary from one to three years. Extensions should be commenced within four to six months of the expiration date. Determinations to proceed with a green card process should be made within four years of the expiration date of the nonimmigrant work visa.


Startups often lack written immigration policies that include provisions for hiring foreign nationals, an I-9 completion and maintenance policy, and an E-Verify policy. As your company (and workforce) grows, development and implementation of immigration policies and practices will facilitate compliance with applicable U.S. immigration laws and minimize exposure to serious civil and criminal penalties. A single employee can trigger liability for I-9 violations.

Originally published by JD Supra Perspectives.

Hiring Considerations for Startups: A Checklist

All Resources// HR & Employment


For a startup to succeed and grow, it must develop a supportive workforce. The hiring process is challenging for all employers—including startups, which are preoccupied with just that, starting up. They are focused on developing their technology and securing capital. Generally, startups lack resources to hire human resources professionals, and employment-related issues are a distant priority. Navigating the hiring waters is difficult, but sensitivity to a number of issues can ease the process:

Compensation

Employee compensation is often challenging for startups. How can you possibly hire employees when you do not have consistent revenue streams? How can you get quality employees when you cannot afford to pay them top dollar? Fear not, other options are available. Exempt employees, such as the startup’s executives, can be paid with a mix of salary and equity. Compensation terms should be memorialized in an employment agreement, and signed by both the startup and the employee.

Offering Equity to Executives

Things to consider when issuing equity are:

  1. should the shares be subject to forfeiture if the employee leaves in a couple of years;
  2. should the company have the right to repurchase the shares from the employee;
  3. how should the shares be valued—zero or fair market value (zero valuation has the least tax implications for the employee);
  4. should the shares be voting or non-voting; and
  5. should there be restrictions on transferability, rights of first refusal, drag-along obligations, and other similar provisions that are customary in an arrangement of this type.


Classifying Workers

While qualifying executives and exempt employees may be paid with a mix of salary and equity, non-exempt employees must be paid at least minimum wage. Non-exempt employees are also entitled to overtime pay after working a certain number of hours. Startups should pay attention to the engagement of workers who call themselves “consultants” or “contractors” because they could be employees for wage and hour purposes. A multi-factor test evaluates whether the worker is indeed an independent contractor. Incorrectly classifying a worker can result in liability for the payment of back wages and payroll taxes. Appropriately classifying workers will save the startup from headaches later.

Non-Disclosure Agreements

Businesses succeed because of a novel idea, and protecting that idea is critical. Before sharing the startup’s “secrets” or intellectual property, and risking the public distribution of your good idea, employees should sign non-disclosure agreements (NDAs). The NDA should specify the type of information that is confidential, and how the information can be used without running afoul of the agreement. The NDA should describe how employees should maintain the company’s confidential information, including prohibiting employees from storing confidential information on their personal computers and prohibiting them from sending confidential information to their personal email addresses. The NDA should also restrict employees from taking confidential information outside the office and require employees to return confidential information if they are terminated. If properly drafted, NDAs are good deterrents to intellectual property leaks.


Non-Compete and Non-Solicit Provisions

To protect the company and employees, startups should include non-compete and non-solicit provisions in their employment agreements. The duration and scope of the non-compete, and the period for not soliciting employees and customers, must be reasonable in order to be enforceable. Most states have specific guidelines for what constitutes reasonable and these should be followed.

Assignment of Intellectual Property

Startups should have policies and agreements in place with all of their employees regarding what happens to the intellectual property designed, devised, developed, perfected or made by its employees. Ideally, there should be an agreement in place assigning all intellectual property to the startup.

Telecommuting

Startups often have employees before they secure office space, making working remotely the only option. Telecommuting can raise several issues for employers, particularly if non-exempt employees are working remotely. Working hours for non-exempt employees should be tracked, and these employees may be entitled to meal and rest periods or paid sick time.

Job Descriptions

In addition to the job duties, job descriptions should detail the amount of education and experience required to perform the job duties. Job descriptions help the startup assess the skills required of a future employee, set performance expectations, support employee classification decisions, and help evaluate accommodations for disabilities.


Interviewing Potential Employees

Be warned that bad interview questions exist. Questions about protected classes like age, religion, and disability should be avoided. Do not ask candidates about their retirement plans or when they plan to have children. Prepare a list of questions to ask. Questions should focus on job-related skills and qualifications. Ask every candidate those questions, and tailor the follow-up questions based on their responses. Take notes about the interviews. Document your impressions of candidates immediately after the interviews. Documenting the reasons for your hiring decisions can help defend them if someone later accuses you of discriminatory hiring.

Offer Letters

Offer letters memorialize the employee’s job title and compensation, and give employers an opportunity to document the “at-will” employment relationship. “At-will” employment means that employers can terminate the employee at any time for any reason, just as long as the reason is not discriminatory. Making employment decisions based on an individual’s protected class—race, age, religion, gender, etc.—is discrimination and should be avoided at all costs.

Company Policies

An employee handbook probably is not at the top of a startup’s list when it has only a handful of employees. But having a sexual harassment and discrimination policy in place early on can protect the startup later. A sexual harassment policy with a complaint procedure is a defense to a sexual harassment claim. Before hiring any employees, it is also a good idea to have an equal employment opportunity policy.

Originally published by JD Supra Perspectives.

What Every Company’s Board Must Know About Cybersecurity

All Resources// Cybersecurity// Securities

In recent years, data breaches at some of the world’s largest corporations have made news. But smaller companies are just as vulnerable, and must take steps to protect their data. In addition, businesses that serve as vendors to other businesses face increased scrutiny of their cyber preparations. The board of directors plays a critical role in this effort, as Jo Cicchetti, Chair of the Carlton Fields Data Privacy and Cybersecurity Task Force, explained during a recent conversation.

Why is cybersecurity a board concern?

The board’s primary responsibility is to protect the company’s assets and interests on behalf of the shareholder, and cyber risks pose serious threats to the business operations and reputation of the business. So, the board must take into account cybersecurity risks as part of its enterprise risk management duties.

Describe the risks posed by a breach.

If the worst happens, a company could sustain financial and business losses, damage to its infrastructure and reputation. Customers, business partners and regulators could bring legal actions. Class actions from customers could result, and the board could face shareholder derivative suits, alleging that it and its members did not meet their duty of care and/or duty of loyalty to the corporation. Not to mention regulatory enforcement actions that could also result. So, the stakes are high.

What must the board know about cybersecurity?

Board members are not charged with becoming IT specialists—they don’t have day-to-day management responsibility for the issue. But the board needs to know that cyber risks are being handled properly, that the company is taking steps to prepare for any cyberattack, can detect cyber intrusions and when they do happen can respond properly. It must make sure that management has an incident response plan. The board must ask its managers—such as the chief legal officer, chief privacy officer and chief information security officer—particular questions such as: How is the company managing data security? Do we have internal written information security programs [WISPs]? What are the threats particular to the company’s business? What security framework is the company using? Which risks to avoid, accept, or mitigate and what is the plan related to each? How are employees being trained? How do we manage our vendors? What plan is in place for breach response, and who is in charge of that plan? Those are just some of the questions, but the important thing is that every department of the company—legal, IT, HR, operations—needs to communicate and work together. There can’t be a silo mentality.

How active a role should the board take with respect to cybersecurity?

Board members must take a regular and active role to make sure that cybersecurity and data governance issues are regularly reported to them by management. The topic should appear on the agendas for their quarterly meetings, and someone from either IT or the general counsel’s office should make a report addressing what’s happened in the last quarter—have there been incidents or events, and how have they managed any situations that arose? Vendor compliance should also be discussed, as well as any threats that result from customers’ and third-party access to company information systems, and how to address them. Also, the board needs to know that the right professionals are in place to advise the company.

Who are the right professionals?

A company needs access to technology experts, forensics experts, and privacy counsel. They need not necessarily be on staff, but must be identified and retained in case their services are ever needed. Everybody needs to be prepared and ready to go if a problem develops. You also need to have outside counsel onboard. The first 24 hours are critical. Retaining a public relations professional is also a good idea.

How else can the board help prevent data breaches?

The board cannot prevent data breaches, but there is a lot that can be done, and the board needs to know that the right steps have been taken. For example, employee training programs are critical because data breach situations often arise as a result of employee error or misconduct. There must also be a protocol or plan for incidents, and vendor due diligence and oversight is also important. Protecting against threats requires a multidisciplinary approach that involves the chief legal officer, chief information security officer, and human resources all working together. And, board members need to ask these people the right questions, which might include: What security frameworks are we using? Which company assets are the ‘crown jewels’ that need protection? What are the legal implications of cybersecurity incidents, and how do we avoid them? What risks should we accept? Do we get insurance? How are our employees being trained? What kind of testing do we do?

What role should cyber risk insurance play in a company’s overall plan?

Right now, cyber risk insurance is an evolving area. It is very expensive and doesn’t eliminate a company’s need to have a data security plan and proper implementation. The insurance company underwriting the policy will want to know that the company is taking the right steps before it insures the risk. Ultimately, if a company hasn’t done what it told its insurance company it would do, its coverage could be jeopardized.

How do state breach laws impact a company’s data breach strategy?

There is a patchwork of 50 state laws. A company’s legal department must understand the legal requirements in each of the 50 states. Normally, companies solve to the most difficult jurisdiction, setting up procedures that comply with the most stringent requirements where possible. The process is further complicated by the fact that states also differ in how they define a breach. And the laws are constantly changing. For companies without large internal legal resources, outside experts—such as privacy lawyers and technology consultants—are critical.

Is there any way to eliminate the risk?

There’s no way that anyone—even an organization with all the money and time in the world—can prevent attacks 100 percent of the time. Even the NSA, with its unlimited resources, was hacked. Companies just need to make sure they’re taking reasonable steps to deal with the risks and continue to stay informed. This is an area where it is very important to keep up with the Joneses.

HR Challenge: 4 Steps to Find and Fix Overtime Misclassifications

All Resources// HR & Employment

In light of the United States Department of Labor’s (“DOL”) June 30, 2015 report and proposed amendments to the salary portion of the ‘white collar’ exemptions that would more than double the minimum salary of those exempt employees under The Fair Labor Standards Act (“FLSA”), many employers will begin taking a closer look at their employee classifications. This article generally provides advice relating to exemption audits and related corrective action; however, advice about making exempt status changes while an overtime lawsuit is pending lies beyond this article’s scope; obviously, in the midst of litigation, corrective action presents tactical considerations. State wage-hour law is also not addressed here.

The FLSA requires employers engaging in interstate commerce to pay overtime compensation to non-exempt employees, for all hours over 40 that such employees work in the work week, at a rate not less than one and one-half times the employee’s regular rate. Compliance requirements relating to overtime pay obligations are explained in detailed regulations promulgated by the DOL, and in DOL opinion letters which construe those regulations.

Because there are a number of FLSA overtime exemptions, and because the tests for these exemptions can be difficult to apply in practice, many employees are misclassified by businesses that have no intent to evade applicable law. In fact, a majority of employees in the American work force are non-exempt under the FLSA and DOL regulations, and thus entitled to overtime pay. So mistakes are made. And, if the proposed amendments become law, those mistakes will become even more expensive.

Of course, all companies want to avoid FLSA litigation, and HR managers, trying to keep their employers out of court, must be proactive in auditing classification decisions. In addition, job responsibilities evolve over time. Many HR exemption audits discover employees who have been misclassified and are entitled to overtime pay. It is obviously best to “fix” this kind of problem as soon as HR discovers it.

Here are the steps to employ in conducting a self-critical audit and corrective plan:

Step 1: Is the employee exempt?

The starting point for any HR manager auditing possible misclassifications is a review of jobs falling in a band consisting of the lowest employer pay grades (start with the lowest exempt pay grade, and work up). These lower-paid exempt employees are typically at the greatest risk of misclassification. After identifying the exempt employees who will be subject to analysis, begin your audit by reviewing organizational charts to determine who these employees report to and whether anyone reports to them. Review employee job descriptions to determine the job’s primary duties and percentages of times likely allocated to those job duties. Then consider which exemptions are the most likely to apply to that employee. There are various exemptions, but the most common exemptions are among the so-called ‘white collar’ exemptions. Many employers, in particular, base exempt status determinations on the administrative and executive exemptions.

To be exempt under the administrative exemption, the employee must: (1) be compensated on a salary basis at a rate of not less than $455 per week; (2) have a primary duty that is the performance of office or non-manual work directly related to the management or general business operations of the employer or the employer’s customers; and (3) have a primary duty that includes the exercise of discretion and independent judgment with respect to matters of significance.

For the executive exemption, the employee must: (1) be compensated on a salary basis at a rate of not less than $455 per week; (2) have a primary duty that is management of the enterprise in which the employee is employed; (3) customarily and regularly direct the work of two or more other employees; and (4) have the authority to hire and fire other employees, or have suggestions and recommendations as to the hiring, firing, advancement, promotion or any other change of status of other employees that are given particular weight.

Note that if the amendments to the FLSA are enacted as proposed, the salary basis test for these ‘white collar’ exemptions will more than double from $455 to $970 a week. The proposed amendments do not suggest alterations to the duties portions of these tests.

While these are the tests for the administrative and executive exemptions, note that these exemptions, and the other exemptions, are construed at length in DOL regulations, case law, and DOL opinion letters. That means management’s intuitive sense about applicable legal requirements might be incorrect. If you have access to corporate attorneys, talk to your counsel about applicable exemptions if you have any doubt as to their scope and how they apply to the business. There are also some lesser-known exemptions, and counsel can assist with identifying and explaining them, so that jobs are analyzed consistent with DOL guidance.

After reviewing applicable job descriptions and organizational charts, and noting which exemptions are candidates for consideration, interview the managers of the employees to find out what the employees are actually doing. Just because an employee is hired to do an exempt job does not mean the employee is really doing an exempt job. Bear in mind that under-performers can cause FLSA liability problems. If an employee who is supposed to be performing an exempt job is underperforming (e.g. paralyzed by indecision, or not well-respected enough to be included on hiring decisions), the employee may not be exempt. The law looks at what the employee actually does, not what the employee is supposed to do, in deciding whether an exemption applies.

After analyzing whether the actual job duties fall under one of the exemptions, and, upon reflection, whether any other exemptions should be considered, you should determine how confident you are in the asserted exemption. If the exemption feels “iffy,” the facts will most certainly play out even worse in a courtroom after extensive discovery. The FLSA is narrowly construed against the employer and in favor of finding an employee non-exempt. If you are not convinced the employee is exempt, you should assume that neither a judge nor a jury will be convinced either.

If you are not sure whether an exemption is applicable, discuss the situation with your employer’s counsel. If counsel concludes that the position is exempt, you can use your attorney’s self-critical audit letter to prove good faith, defeat liquidated (double) damages, and avoid the additional year of the statute of limitations (two years instead of three) if there is a subsequent lawsuit. If the self-critical audit letter reveals that the employees have been misclassified, the letter is privileged and protected from discovery. Although the expense of using attorneys is always a consideration, attorney involvement in exempt status audits can be a win-win approach.

Step 2: Questions for HR to Consider when Evaluating the Results of an Overtime Audit

After you have conducted your audit, there are a number of questions that HR should consider when evaluating options. Some of these questions are posed below. Critical analysis of the information elicited by these questions can assist you in deciding how to evaluate the results of your audit.

For example, give some thought as to whether the employees are actually working overtime. If the employees are not working overtime, or not much overtime, there is less of a concern. Can you estimate the possible financial exposure presented by the misclassification? What kind of records does the employer maintain? Does the employer already keep track of hours? Should the employer start keeping track of certain exempt employees’ hours and/or implement a no-hours-over-40 rule for some exempt staff? Note, however, that a direction to employees not to work over 40 hours can create its own problems when employees think the employer means “work off the clock,” or when lower-level supervisors suggest, without HR approval and in spite of handbook provisions, that the employer really wants staff to “work off the clock.”

HR may need to convert the employee to an hourly wage that is lower than their annualized salary. This could create morale issues, but with the right person delivering the news, it is possible that the employee will understand that he or she will still be making the same amount given the projected overtime hours. Caveat: to avoid retaliation claims, be careful about lowering the hourly rate after an employee complains about his pay.

In analyzing the audit results, also consider how many employees are affected. How big is the employer’s classification problem? Are a few employees misclassified or the masses? Are employees with similar duties classified the same?

You will also want to consider whether reclassification is going to affect employee morale. Employees like the idea of freedom and prestige that is often associated with exempt positions. In reality, however, many employers still require exempt employees to keep some sort of regular working hours. Most employees want to be exempt. Employees may believe reclassification to non-exempt status is undesirable. You should also consider whether the reclassification puts the business at a competitive disadvantage in the industry.

When there is resistance to a change in classification on the ground of cost, you should get management to think through the risks associated with not making a change. Litigation is expensive. Think an insurance policy covers misclassification claims and that the employer’s liability will be limited to the retention? Check the policy carefully. Most EPLI policies exclude FLSA misclassification claims.

Step 3: What to do when Management has decided not to Reclassify

If management makes a decision to stick with an exempt classification, what steps can you appropriately take, as an HR manager, to support that classification?

First, consider whether it is possible to limit employee work in the job classification to 40 hours per week. Eliminating overtime hours eliminates possible exposure for a misclassification. If overtime is required in the job, consider whether it should be monitored by requiring prior management or HR approval.

You should review employee job descriptions associated with the classification. Do they accurately reflect the employee’s duties? Do they need to be updated so that important primary job functions are highlighted? Remember, courts and DOL look to the actual job duties the employee performs, so it is the business reality which is critical, not the job description, but it is helpful in the event of litigation or a DOL audit if the job description is as accurate as possible.

When employees file lawsuits, the employee’s attorney will point to the most menial job duties associated with the position to make the point that the employee is non-exempt. One way to soften such an argument, or eliminate it altogether, is to reassign clearly exempt duties to the job at issue, so that the work associated with the position is as responsible as possible.

Consider asking employees to submit self-evaluations, either as part of your classification review, or as part of your annual performance evaluation process, where employees describe their most responsible duties and the percentage of time allocated to those duties. If this review is helpful, ask employees to sign and date those self-evaluations. The employees will want a raise and/or bonus, and the employer will find few menial tasks listed by the employee as part of the survey. This is not going to be dispositive in the event of litigation, but it can be helpful evidence. The credibility problems it creates for the employee have the potential to produce a faster and less expensive resolution.

Step 4: What to do when Management has decided to Reclassify

As with all things in life, timing matters. Reclassification of exempt personnel following an HR audit takes effort and a well-conceived game plan.

The first big question is when to make the switch. HR could tie the reclassification to annual reviews, pay increases or bonuses. Don’t have one of those in the near future? Does the employer give raises and bonuses at the same time each year? If it makes business sense, why not switch the bonus to a midpoint between the annual evaluations? It would give the employer a reason to have the reclassification discussion with the employees, while at the same time handing the employees money in the form of a bonus. And, separating the timing of the bonus from annual pay raises might be championed as rewarding employees more than once a year. Employers could also tell employees that it is time to change the compensation structure.

Bear in mind that you will need to communicate the reclassification. Do not admit an employee was classified incorrectly! In addition, PLEASE do not make such a statement to the misclassified employee. Also, DON’T put this news in an email, or even in a business communication to senior management. Those emails will probably be discoverable in the event of litigation.

HR can explain to employees that the laws are vague and HR is making a few changes with regard to overtime pay to make sure the employee is being treated fairly. HR can say something vague like it wants to make sure that employees are rewarded for their hard work. But DON’T admit non-compliance.

There will be employee questions. If the same person is not delivering the news to all, there should be a memo or written notes indicating talking points. If management is communicating the news to staff, then HR should help prepare managers/supervisors regarding questions that can reasonably be anticipated under the circumstances.

Just like with timing, delivery is also important. The spokesperson should be a “people person” with well-established social skills. Do not send the office curmudgeon to deliver the news to employees. It should be delivered by someone who is respected, someone with social and emotional intelligence, and someone who is “plain old nice.” Happy employees who believe they are being treated fairly and respected are less likely to seek legal advice, which in turn can lead to litigation.

Here is a big question: what approach does the business want to take regarding payment for past overtime hours worked by the employees? In considering this question, HR should find out whether the misclassified employees have been asking for past overtime compensation. Are all of the employees going to want past overtime if there is a decision to pay someone who has complained? How much is owed to the single employee and/or all misclassified employees? How arguable is it that the employee was actually exempt?

Don’t try to negotiate some kind of overtime settlement with staff, where employees sign a release. In the Eleventh Circuit (Florida, Georgia & Alabama), an employer and an employee cannot privately resolve a disputed wage claim and execute a binding settlement agreement. An employer would need court approval or the Department of Labor to supervise the settlement for it to be binding. These are typically not viable options, unless there is a pending lawsuit (this article doesn’t address strategy under such circumstances).

Some businesses ask employees to sign short releases when they have decided to pay back overtime, even though management and HR know the releases are unenforceable. I don’t recommend that approach. If you take that approach, some would argue you are really just tricking your employees, and acting in bad faith.

One approach for payment of past overtime hours worked is to pay back overtime in an unobtrusive manner. With this approach, back overtime is simply included in the pay check as a line item, without much or any explanation, other than possibly a very short truthful memo indicating that an employer audit has indicated prior unpaid compensation due to the employee, and that the business is paying what was found due and owing in connection with the audit. This can be a good approach in situations where little overtime has been worked, and not much needs to be paid. Obviously, the greater the payment, the more there is a need for an explanation.

Good luck with your audits and dealing with misclassifications.

10 Tips for Minimizing Liability for Terminating Employees who Steal Trade Secrets

All Resources// HR & Employment// Intellectual Property

When your company uncovers evidence that an employee misappropriated trade secrets it must act swiftly. The company may want to fire the employee to protect itself from the potentially devastating consequences. But how can you minimize the risk that the employee may sue the company claiming he did not misappropriate trade secrets?

These tips will minimize the risks posed by an employee’s claim:

1. Inventory your trade secrets and have clear policies

You should know what your trade secrets are and the protocols in place to safeguard them. There should be policies about access to and use of trade secrets that are informed by the Uniform Trade Secrets Act and the Computer Fraud and Abuse Act. Your policies should be clear that the company owns the computing systems and data and that unauthorized use and misappropriation are strictly prohibited. Crafting a policy and protocol that passes muster with regulators is tricky, however, so you should consult an experienced attorney.

2. Once you learn of possible misappropriation, involve HR

Human resources professionals are experienced in handling employee discipline and terminations and can help you avoid potential pitfalls. They can provide objective oversight that will strengthen any decision adversely affecting the employee.

3. Don’t act hastily

Never base the decision to terminate an employee on rumor or speculation. You could be held liable for wrongful termination if the decision is based on misinformation supplied by a manager. You should thoroughly investigate suspected misappropriation, and consider placing the employee on paid leave (without access to company computer systems) to minimize liability in the event that misappropriation did not occur.

4. Make sure it’s actually a “trade secret”

Employers may think that any business-related information is a protected asset. However, state and federal regulators have taken the position that much information related to employees’ wages and working conditions is not protected as confidential, and therefore an employee cannot be fired for disclosing it. Similarly, courts look closely at what a company may cast as a trade secret. If the information has not been protected by the company, or is available in the marketplace, it may not be a trade secret.

5. Check the contract

When deciding whether to terminate the employee, review their employment contract, if there is one. A contract may spell out procedures you must comply with, notice you must provide, or create other obligations.

6. Don’t discriminate

When considering whether to terminate an employee, make sure you treat the employee the same way you have treated other employees who have done the same thing. If you discipline the employee more harshly than another, they could claim it was based on a protected characteristic such as race, age, etc. Keep in mind too, that the way in which you punish the employee will set the standard for how you treat similar offenses in the future.

7. Be civil

Be mindful about the manner in which you convey the termination. Some jurisdictions recognize a cause of action for negligent infliction of emotional distress where an employee is treated unreasonably (i.e. too harshly) during the termination process. For example, don’t fire the employee publicly or in a humiliating manner. Also, to limit the risk of a defamation claim, the termination details should be shared only on a need-to-know basis. You should ensure that the message is delivered with a witness in the room.

8. But don’t sugarcoat

Although you must be civil, you should ensure that you are consistent in stating the reasons for the discipline; i.e., the misappropriation. Providing conflicting explanations can suggest an improper motive and invite a lawsuit. In particular, you should ensure that the explanation provided to the state for unemployment purposes matches the true reason for termination.

9. Don’t forgo compliance

If you believe an employee stole trade secrets, it may be tempting to hold their final paycheck or otherwise retaliate against them. However, you need to ensure compliance with wage and hour law, COBRA requirements, etc. The fact that the employee stole trade secrets will not be a defense to a claim under these laws.

10. Document everything

Jumping through all of these hoops is worth little if you don’t document your actions. Thorough documentation will give you the best chance if the employee decides to sue you. But, of course, take care to maintain the confidentiality of privileged communications with your attorneys and their work product.

Keeping these tips in mind will put you in a stronger position to defend any claim a former employee brings.

How Companies Can Protect Their CEOs and CFOs from the “Business Email Compromise”

All Resources// Cybersecurity

Cyber scammers continually innovate new means to extract valuable information from unsuspecting victims. And a new form of cyber fraud is exploiting the close relationship between CEOs and CFOs. Identifying this threat — and the means to prevent it — is important for employees in IT, finance, and compliance.

Plenty of Phish in the Sea

First, some definitions. “Phishing,” the use of online communications such as mass emails or recorded telephone calls to trick users into giving out sensitive information, has become routine. In phishing, the criminals often pose as a legitimate company to obtain financial or personal information. “Spear phishing” is a targeted phishing attack against specific individuals within specific companies, in which the fraudsters deploy personalized emails or other forms of online contact. Spear phishing’s high-achieving younger brother — “whaling” — uses the same techniques to aim tailored lures at upper management. Successive spear phishing often precedes a successful whaling attack, as the criminals climb the corporate ladder with the ultimate goal of parting the company from its money or committing corporate espionage.

The “business email compromise” is a similar scheme that targets businesses working with foreign suppliers. In this fraud, the criminal uses a spoofed or hacked email address of a business insider to prompt the business to transfer an urgent wire to the hacker’s account.

This article will explain a form of the business email compromise that borrows elements of whaling to target CEOs and CFOs. We will then suggest some methods to defeat it.

In whaling, successful attackers first research the executive’s social media sites, corporate webpages, and professional writing so that the email or phone call that lures the executive is tailored enough to avoid suspicion. The criminal’s initial legwork also determines what level of access the executive has to company secrets or what might be the easiest way to part the executive from her money or credentials or the company’s funds or intellectual property. The scammer may pose as the company’s bank, the CEO’s private banker, a BMW salesperson, or a family member. The goal of traditional whaling is often to obtain bank account or other personally identifiable information from the executive, for later use in identity theft.

Although whaling is usually done in small numbers, perhaps the best known example is a large one. In 2008, scammers sent thousands of C-suite executives an email message that appeared to contain official subpoenas from a federal court in San Diego. The email text contained the executive’s name, company, and phone number. The link embedded in the message promised access to the full subpoena, and, when clicked, prompted the recipient to first download a browser add-on. The downloaded file secretly contained a program that captured the executive’s keystrokes, which it transmitted back to the hackers, capturing passwords and corporate information. In total, approximately 2,000 of the targeted executives fell victim.

And these crimes persist. In May of last year, the U.S. Department of Justice announced the federal indictment of five Chinese military officials for what amounted to a major whaling operation waged against six U.S. companies. At one victim company, these officials allegedly posed as the company CEO in sending an email to approximately 20 employees, which contained a link to malware that allowed the officials “back door” access to the company’s computers.

Re-Baiting the Hook

The whaling version of the business compromise email, a variant of the scheme that is currently in vogue, has a more immediate return — its sole goal is to part a company with cash.

The scammer first either hacks into or spoofs the CEO’s email address. A spoof is an email address that appears to be the same as the CEO’s address, but is really sent from another, hidden email account. A spoof can also approximate the email address but, for example, insert an extra letter in the text preceding the “@,” change the letter “l” to the digit “1,” or add an alternate variation of the corporate standard, such as using “jeclabby@” (note the correct middle initial) rather than “jclabby@”.
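The look-alike address tricks just described can be screened for at the mail gateway before a message ever reaches the CFO. As an added example, not code from the original article, the Python below compares an inbound From header against a constructed directory of executive addresses and flags homoglyph swaps (“l” to “1”, “rn” for “m”), inserted letters, cousin domains, and a known executive’s display name on an unknown address; all names, addresses and domains are hypothetical.

```python
"""Flag inbound senders that impersonate a known executive address.

Added example, not from the original article. The directory, domain and
message headers below are constructed for illustration only.
"""
from email.utils import parseaddr

# Constructed directory of legitimate executive addresses (hypothetical).
EXECUTIVES = {
    "jclabby@example.com": "Jane Clabby",   # CEO
    "pcash@example.com": "Pat Cash",        # CFO
}

# Single-character substitutions scammers use to approximate an address.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "|": "l", "!": "i"})


def normalize(address: str) -> str:
    """Lower-case the address and undo common homoglyph substitutions."""
    folded = address.strip().lower().translate(HOMOGLYPHS)
    return folded.replace("rn", "m")   # "exarnple.com" -> "example.com"


def levenshtein(a: str, b: str) -> int:
    """Edit distance: catches an inserted or swapped letter in the address."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, executives=EXECUTIVES, max_distance: int = 2) -> dict:
    """Return a verdict ("known", "lookalike" or "unknown") with the reasons.

    "known" means the exact address is in the directory; "lookalike" means the
    address or display name resembles an executive but is not that address.
    """
    display_name, address = parseaddr(from_header)
    if address.lower() in executives:
        return {"verdict": "known", "impersonates": [], "reasons": []}

    sender = normalize(address)
    sender_local, _, sender_domain = sender.partition("@")
    name = " ".join(display_name.lower().split())
    reasons, impersonates = [], []

    for real, who in executives.items():
        real_n = normalize(real)
        real_local, _, real_domain = real_n.partition("@")
        distance = levenshtein(sender, real_n)
        if sender == real_n:
            reasons.append(f"homoglyph variant of {real}")
        elif distance <= max_distance:
            reasons.append(f"edit distance {distance} from {real}")
        elif sender_local == real_local and sender_domain != real_domain:
            reasons.append(f"local part of {real} on cousin domain {sender_domain}")
        elif name and name == who.lower():
            reasons.append(f"display name of {who} on an address not in the directory")
        else:
            continue
        impersonates.append(who)

    verdict = "lookalike" if reasons else "unknown"
    return {"verdict": verdict, "impersonates": impersonates, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample From headers, including the tricks the article lists.
    for header in [
        "Jane Clabby <jclabby@example.com>",      # genuine
        "Jane Clabby <jeclabby@example.com>",     # inserted middle initial
        "Jane Clabby <jc1abby@example.com>",      # "l" changed to "1"
        "Jane Clabby <jclabby@exarnple.com>",     # "rn" for "m" in the domain
        "Jane Clabby <jane.clabby@webmail.example>",  # display name only
        "vendor@supplier.example",                # unrelated third party
    ]:
        print(header, "->", classify_sender(header))
```

In a real gateway the directory would be fed from HR or the identity provider, and a “lookalike” verdict would route the message to quarantine or tag it for the recipient rather than silently dropping it.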

After having achieved the ability to send an email that appears to be from the CEO, the scammer then sends an email from that address to another executive with the authority to wire a large amount of money on short notice, and this is often the CFO. This email will contain instructions to wire corporate money to a new account of a known corporate vendor or business partner, often at an offshore bank, and to do so as soon as possible. The CFO, wishing to be as responsive as possible to the CEO, will drop everything to execute the wire. By the time the company realizes the transaction was not authorized, sometimes by calling the actual vendor to confirm payment, the money is long gone from the recipient account or otherwise unrecoverable.

This scheme succeeds because the spoofed email itself often contains a PDF file of an invoice that appears to be from a real company that does business with the victim company and because the email text and header information otherwise contain the hallmarks of an actual business communication for the company.

But the scheme also succeeds because the criminal has deployed techniques known collectively as “social engineering,” a form of manipulation in which knowledge of human behavior is used to influence it. Through use of social engineering, the criminal gains money, information, or access not through fancy code or brute-force computer power, but through the more traditional tools of the midway grifter. In this case, the scammer marries an artificial sense of urgency (“this must be done immediately!”) with the target employee’s desire to please his boss. The scheme succeeds because the CFO’s special relationship with the CEO fogs his vision of the fraud that is right in front of his face.

How to Stay Off the Dinner Plate

Advice to lock your door at night does little to stop you from opening that door to a criminal who is dressed as a police officer. Similarly, firewalls and antivirus software have limited effect against a business email compromise targeted at senior executives in this fashion. The following tips will help you develop a program at your company to combat this type of fraud:

  • Strengthen Controls Around Irregular Wires: Review and strengthen the controls around wire transfers, and, in particular, international wire transfers and payments to a beneficiary account that is not already on file for the vendor. This could include (i) requiring two forms of communication (email and phone, text and email, etc.) before a wire will issue; (ii) requiring approvals from two different persons, neither of them the requestor, to initiate a wire; or (iii) an authenticated call to a known contact at the supposed vendor, placed to the number in the company’s own vendor records, before an internally authorized wire will issue. In (i) above, another best practice is for the recipient of the CEO’s request (in our examples, the CFO) to initiate the follow-up phone call to a known company or mobile number, rather than responding to “call me at xxx-xxx-xxxx with any questions,” because the planted phone number could be part of the spoof. Companies that face repeated attacks may also deploy more complex arrangements, including rotating verbal passwords. Companies that have grown rapidly but still rely on informal methods of communication around vendor payment are particularly susceptible to this fraud.
  • Improve Training for Finance Staff: Provide regular, periodic education to all executives and employees on computer fraud, including phishing and business email compromise, tailored to the particular employee’s job description, so that they will understand the danger these attacks pose and spot potential fraud. This training should be tailored in summary fashion for the C-suite. For the line-level finance or treasury employees, including those who actually process wire transfers, training should include clear direction that suspicious wires may and should be questioned up the chain of corporate command, without retaliation, and that part of the employees’ annual evaluation will include analysis of their contribution to fraud detection. Detection of this type of fraud can be included in the company’s annual training on vendor payment fraud.
  • Fund and then Audit Company Technology: Keep your anti-phishing software, operating system, and browsers up to date with the latest patches, and empower and fund your IT and data security staff commensurate with the risk that your company faces. Publish SPF, DKIM, and DMARC records for the company’s email domain so that mail forging the CEO’s exact address can be rejected at the gateway, and have the mail system visibly tag messages that originate outside the company. Ensure that your regular penetration testing includes a simulated business email compromise, such as an attempt to initiate a wire through direct emails to the finance staff.
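As an added example that is not part of the original article, the release check below encodes the wire controls from the first tip above: two approvers other than the requester, a beneficiary account that must already be on file for the vendor, and an out-of-band callback for irregular wires that must go to the number in the vendor master rather than one supplied with the request. The vendor master entries, user names, account numbers and phone numbers are constructed for illustration.

```python
"""Release check for an outgoing wire, implementing the controls listed above.

Added example, not from the article. The vendor master entries, user names,
account numbers and phone numbers are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed vendor master: beneficiary accounts and the contact number
# captured when the vendor was onboarded. The callback must go to this
# number, never to one supplied in the payment request or its email.
VENDOR_MASTER: Dict[str, Dict] = {
    "Acme Components": {
        "accounts": {"DE89370400440532013000"},
        "phone": "+49-30-555-0100",
    },
}


@dataclass
class WireRequest:
    requester: str                  # user who keyed the wire
    approvers: List[str]            # users who approved it in the payment system
    vendor: str
    beneficiary_account: str
    amount: float
    international: bool
    callback_number: Optional[str]  # number staff actually dialled to confirm, if any


def wire_policy_violations(req: WireRequest) -> List[str]:
    """Return the control failures; an empty list means the wire may be released."""
    violations: List[str] = []

    # (ii) two approvals, neither of them by the person who keyed the request
    if len({a for a in req.approvers if a != req.requester}) < 2:
        violations.append("fewer than two approvers other than the requester")

    # A beneficiary account that is not on file is the signature of this fraud:
    # the "vendor" asks to be paid into a "new" account.
    record = VENDOR_MASTER.get(req.vendor)
    new_account = record is None or req.beneficiary_account not in record["accounts"]
    if record is None:
        violations.append("vendor not in vendor master")
    elif new_account:
        violations.append("beneficiary account not on file for this vendor")

    # (i)/(iii) irregular wires (new account or international) need a second,
    # out-of-band channel, and the number dialled must come from our records.
    if new_account or req.international:
        if req.callback_number is None:
            violations.append("no out-of-band callback before release")
        elif record is None or req.callback_number != record["phone"]:
            violations.append(
                "callback made to a number not in the vendor master (possible planted number)")

    return violations


def release_allowed(req: WireRequest) -> bool:
    return not wire_policy_violations(req)
```

The check is deliberately built on data the payment system already holds (approver identities, the vendor master) rather than on anything in the request, because everything in the request, including a helpful “call me at” number, is under the attacker’s control.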

The threat of whaling should be taken seriously by companies of all sizes, and particularly by companies that rely on fast-paced payments, that have vendors with multiple or changing receiving-bank information, and where executives work remotely from one another. In a matter of seconds criminals can compromise sensitive information, wire money internationally, and leave companies devastated. To minimize their susceptibility to such a breach, companies must arm themselves with a combination of awareness, training, and preparation of the IT defenses.

Removing the Hook

If you believe your company has been the victim of such an attack, contact law enforcement, such as the Federal Bureau of Investigation (including its Internet Crime Complaint Center, IC3), the U.S. Secret Service (through the Electronic Crimes Task Force in your city), or state or local law enforcement, to report it. If the attack is caught in progress or detected shortly after the wire transfer, get law enforcement involved immediately: the chance of recalling a wire falls sharply with every hour. Federal law enforcement’s relationships with banks and the international money transfer system, in particular, may allow them to recover your funds or, at least, collect evidence for a successful prosecution.

These attacks are embarrassing for senior executives and involve the loss of real money. As such, working through the aftermath to determine what happened, what if anything can be done to recover funds, and how to prevent a future attack, is a complex task. Consider involving experienced outside counsel to work on your behalf with law enforcement to sort through the evidence, monitor the efforts to track any disbursed funds, and otherwise protect the company’s interests. When dealing with this kind of attack, the last thing a company needs is to be alone at sea.

A Different Kind of Data Breach: Loss or Disclosure of Company Information by Employee Theft

All Resources// Cybersecurity// HR & Employment

Data breaches are all over the news, but those stories most often cover high-profile cybersecurity breaches that result from the malicious efforts of hackers or other outsiders. Just as insidious, and more likely to occur, are insider breaches in the form of the theft or disclosure of confidential company information by a current or recently departed employee.

Employee theft of company data may be motivated by a desire to monetize that data, to embarrass or retaliate against an employer, or by simple ignorance. For example, a Tufts Health Plan employee recently pleaded guilty to data theft after stealing customer information for more than 8,000 Tufts customers in a scheme to collect fraudulent Social Security benefits and tax refunds. In another recent case, a disgruntled employee of Morrisons, a large UK supermarket chain, stole payroll information for thousands of the company’s employees and posted it online as a “concerned Morrisons shopper,” in addition to mailing copies to local newspapers. Finally, in one of the largest of the recent employee data theft cases, a Morgan Stanley financial advisor apparently obtained data on 350,000 Morgan Stanley clients by running internal reports on data he was not authorized to access. Some portion of that data was later uploaded online, possibly by a third party, and offered for sale.

A surprisingly large number of employee thefts, however, result from simple ignorance. In a recent Ponemon Institute survey, over half of the more than 3,000 respondents stated a belief that using competitive information taken from a previous employer was not a criminal act, reasoning that ownership of such information resides in its creator rather than the former employer. The respondents further justified transferring corporate data to their personal computers, tablets, smartphones, or to “the cloud” because of a belief that it didn’t harm the company, because the company didn’t enforce its policies, because the information was unsecured or generally available, or because the employee wouldn’t receive any economic benefit from doing so. Worse, in this same survey, more than half of the employees surveyed admitted to taking information from a former employer, and 40 percent of those employees admitted they intended to use it in a new job.

These disturbing statistics raise the question: What can employers do to prevent these losses? While there is no absolute preventative measure, steps can be implemented to greatly reduce the risk of such thefts and to detect any ongoing employee theft.

1. Implement Protective Policies and Agreements

Limit access to sensitive information to only those employees whose jobs require such access. This may include customer, employee, or vendor data, in addition to any other generally proprietary corporate data, such as financial models, formulas, etc. Access to the company network should be discontinued immediately upon termination of the employee or receipt of notice of intent to leave. The employer should also require that company laptops and other devices be immediately returned at that time. An additional benefit of limiting access to corporate information is that it makes the data far more likely to be considered a protectable trade secret under the Uniform Trade Secrets Act, which defines a “trade secret” as information that has been the “subject of efforts that are reasonable under the circumstances to maintain its secrecy.”

Put the company’s data security policies in writing

For example, the company’s employee handbook/manual/agreements should require employees to access and store company data only on company-owned devices and should further include a statement that the employee’s authorization to access the company’s network ends automatically when employment ends or when that employee has given notice of an intention to leave.

Implement appropriate restrictive covenants

These may go beyond the usual non-competition, non-solicitation, or non-disclosure clauses to include garden leave provisions, notice provisions, or forfeiture clauses. It is important to note before utilizing these provisions, however, that the enforceability of each varies significantly by state. Legal counsel should be sought before they are put in place.

Implement detection measures

To the extent possible, utilize your IT department to implement detection measures such as data loss prevention software (which limits the end user’s ability to transfer certain data and/or notifies the employer when an attempt to do so has occurred) or to monitor departing employees’ online activity in the last 30 days of employment. Studies have shown that 70 percent of intellectual property theft occurs within 30 days of an employee’s resignation announcement. Setting aside electronic means of detection, many data breaches are discovered by tips from other employees, which are more likely to be forthcoming if they can be made anonymously. Consider establishing a hotline that employees can use to report misconduct. Also, be aware of other red flags that may arise with respect to departing employees, e.g., statements regarding the employee’s desire or ability to harm the company, the employee’s accessing of files not commonly used by that employee, or social media traffic that indicates an employee’s intention to take corporate data to a competitor or use it as a basis for a new venture.
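The red flag “accessing of files not commonly used by that employee” during the final 30 days can be turned into a concrete review. The script below is an added example, not from the original article: it compares a departing user’s file-server activity in the 30 days before departure with that user’s own earlier baseline and lists the accesses that do not fit, calling out copies separately. The audit-log format, user names, paths and dates are constructed, and the 30-day window and 90-day baseline are assumptions; a real deployment would read the file server’s or DLP product’s audit logs.

```python
"""Flag out-of-pattern file access by a departing employee in the days before departure.

Added example, not from the article. The audit-log format, user names,
paths and dates are constructed; the 30-day window and 90-day baseline are
assumptions, and a real deployment would read file-server or DLP audit logs.
"""
from datetime import date, timedelta
from typing import Iterator, List, Tuple

# Constructed audit log: ISO date, user, action, path.
SAMPLE_LOG = """\
2015-03-02 asmith READ /finance/q1-forecast.xlsx
2015-03-03 asmith READ /finance/q1-forecast.xlsx
2015-04-10 asmith READ /finance/vendor-list.xlsx
2015-05-05 asmith READ /finance/q1-forecast.xlsx
2015-06-12 asmith READ /engineering/roadmap-2016.pptx
2015-06-13 asmith READ /sales/customer-master.csv
2015-06-13 asmith COPY /sales/customer-master.csv
2015-06-14 asmith COPY /engineering/roadmap-2016.pptx
2015-06-14 asmith READ /finance/q1-forecast.xlsx
2015-06-12 bjones READ /engineering/roadmap-2016.pptx
"""

Flag = Tuple[str, str, str, str]  # (date, action, path, reason)


def parse_log(text: str) -> Iterator[Tuple[date, str, str, str]]:
    """Yield (date, user, action, path) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        d, user, action, path = line.split()
        yield date.fromisoformat(d), user, action, path


def departure_flags(log_text: str, user: str, departure: str,
                    window_days: int = 30, baseline_days: int = 90) -> List[Flag]:
    """Compare the user's access in the window before `departure` (ISO date)
    with the user's own earlier baseline and return the events that do not fit."""
    end = date.fromisoformat(departure)
    window_start = end - timedelta(days=window_days)
    baseline_start = window_start - timedelta(days=baseline_days)

    baseline_paths, baseline_folders = set(), set()
    window_events = []
    for d, u, action, path in parse_log(log_text):
        if u != user:
            continue
        if baseline_start <= d < window_start:
            baseline_paths.add(path)
            baseline_folders.add(path.split("/")[1])  # top-level share folder
        elif window_start <= d <= end:
            window_events.append((d, action, path))

    flags: List[Flag] = []
    for d, action, path in window_events:
        if path in baseline_paths:
            continue  # a file this user normally works with
        if not baseline_paths:
            reason = "no baseline activity for this user"
        elif path.split("/")[1] not in baseline_folders:
            reason = "first access to this top-level folder"
        else:
            reason = "new file in a familiar folder"
        if action == "COPY":
            reason += "; copied"
        flags.append((d.isoformat(), action, path, reason))
    return flags


if __name__ == "__main__":
    for flag in departure_flags(SAMPLE_LOG, "asmith", "2015-06-15"):
        print(*flag, sep="  ")
```

On the sample log the finance analyst’s routine reads of the forecast are ignored, while the first-ever reads and copies of engineering and sales files in the last days are listed. A user with no baseline (a recent hire, or a log that does not reach back far enough) has every access flagged, which is reported as such rather than silently treated as suspicious; that case needs a human reviewer, not a longer list.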

2. Educate Employees Regarding the Company’s Data Security Policies

The company must be clear with employees regarding the ownership of its intellectual property, appropriate use of company data, and the company’s willingness to enforce its rights if necessary. Employees should be informed of the employer’s data security policies at the time of hire. This should include, but not be limited to, a discussion of these policies in the interview, providing the employee with copies of all such policies, execution of appropriate restrictive covenants, and a request that the employee provide the company with copies of any restrictive covenants they have entered into with previous employers. Employees should then be reminded periodically throughout the term of their employment of the company’s data security policies, which can be as simple as a periodic reminder email from the company’s IT department or management. And, finally, the employee should be reminded again at the time that employment ends. This should be done in the exit interview, by follow-up letter, and by providing an additional copy of any restrictive covenants and data policies.

In the 2012 Global Fraud Study, conducted by the Association of Certified Fraud Examiners, researchers found that management’s failure to set the right ethical tone—i.e., that the company expects ethical behavior and treats its intellectual property and other proprietary data seriously and with appropriate care—was among the primary factors cited as the cause for employees’ theft of data resulting in a loss of $1,000,000 or more. Unsurprisingly, a lack of internal controls was, by far, the largest factor contributing to such thefts without regard to size.

3. Enforcement of Policies and Agreements

Depending on the facts and the applicable law, a variety of civil claims may be available where data is stolen by a former employee. Under state law these may include, but are not limited to, breach of contract, misappropriation of trade secrets, conversion, tortious interference with contract or business opportunities, or, depending on the role of the departing employee, breach of fiduciary duty; where the employee exceeded authorized computer access, a federal civil claim under the Computer Fraud and Abuse Act may also be available.

Criminal penalties may also apply but are outside the scope of this article.

While many companies have employed substantial resources to protect against outside threats, such as hackers, worms, or viruses, the risk of an internal threat often goes unaddressed. The great majority of data leaks, however, are caused by company insiders. To best address and prevent data loss, companies must first recognize and address this problem at its source.

Trade Secrets v. Patents: Protecting Innovation and Competitive Advantage

All Resources// Innovation// Intellectual Property

Patents have long been a method of protecting business innovation. However, before any patent is obtained, confidential innovation that has economic value and is not generally known may already be a trade secret, if it is the subject of reasonable efforts to protect its secrecy. Procedures to protect trade secrets, including computer and physical security; limiting information access to those who “need to know”; and non-compete, non-solicitation, or non-disclosure agreements, should all be considered carefully and employed before deciding whether to seek a patent.

Patents are governed by federal law. After repeated, recent high-profile hacking thefts of businesses’ computer-stored data, Congress is poised to increase protection of businesses’ confidential and proprietary information, including trade secrets. Until now, trade secrets have been governed by each state’s adoption of the Uniform Trade Secrets Act. All but two states have adopted some version of the Act; the remaining two rely on common law. Although standards differ slightly from state to state, a trade secret can be any information that is not generally known, that has independent economic value, and that has been subject to reasonable efforts to keep it secret. Trade secrets can include a formula, pattern, device, methodology, or compilation of information, including business methods and confidential customer information or lists.

In 2015, for the first time, Congress is likely to pass a law incorporating a federal civil cause of action for trade secret misappropriation. Much valuable, confidential, and proprietary business information, such as customer lists and marketing plans, is incapable of patent protection. However, this “business” information is often a candidate for trade secret status.

Many inventions are potentially trade secrets before a patent application is published. In those cases where the sale of the product allows reverse engineering to determine the secret innovation, patent protection is the only viable option. In the United States, a patent application is usually published 18 months after filing and until publication, the application is secret. If the application is denied after publication, the information is public and fair game for use by all. Thus, before publication, a decision must be made regarding whether to continue with the patent application and lose trade secret status, or to withdraw the application and avoid publication, to maintain trade secret status.

As with a patent application, protecting intellectual property through trade secret law has risks. If another party independently develops the same or a similar idea, that party may patent it or use it freely. Trade secret law gives no protection against reverse engineering: once a competitor lawfully derives the secret from a product on the market, the protection is lost, so an innovation that is easy to reverse engineer is a poor candidate for trade secret treatment. If the information is publicized, whether intentionally or accidentally, it can lose its status as a trade secret. Trade secrets are regularly lost through theft by employees or third parties, a risk heightened by increased workforce mobility and the ease with which large amounts of data can be copied to a portable drive or photographed with a cell phone and taken for use by others.

The executive branch of the federal government is putting considerable effort into addressing the theft of corporate trade secrets by foreign and domestic hackers. However, despite large investment in computer security and government efforts it seems breaches are increasing. Trade secret misappropriation, whether by insiders or third parties, is often hard to detect. Trade secret status is not confirmed until done so by a court in a dispute over misappropriation. The litigation is often expensive. Most states provide for criminal liability for trade secret misappropriation and in some cases trade secret theft is also the subject of federal criminal liability. There are certain benefits to the trade secret owner in pursuing enforcement of rights through civil or criminal channels that should be reviewed with counsel.

Trade secrets have for some time been viewed as having two advantages over patents: the low cost of obtaining the rights, and a potentially unlimited duration, lasting as long as secrecy is maintained. In the current legal environment, they may have become more attractive. A recent California court noted, in Altavion, Inc. v. Konica Minolta Systems Laboratory, “…because a substantial number of patents are invalidated by courts, resulting in disclosure of an invention to competitors with no benefit, many businesses now elect to protect commercially valuable information through reliance upon the state law of trade secret protection.” To establish trade secret misappropriation it is not necessary to prove that all the elements of the secret have been used. Instead, a cause of action can rest on access and substantial similarity. The level of novelty required to establish a trade secret is less than that required for a patent. The fact that there is some knowledge of the invention in the public domain may be enough to invalidate a patent but may be insufficient to void a trade secret. Additional advantages for trade secret enforcement include the availability of damages for unjust enrichment and a lower bar for recovering enhanced damages for willful and deliberate misappropriation. Also, injunctions are generally easier to obtain in trade secret misappropriation cases. Reliance upon trade secret law as a substitute for patent protection, while inappropriate in many circumstances, offers an increasingly attractive alternative, especially where proprietary innovation is easily kept secret, is not likely to be duplicated, and cannot be reverse engineered.

© 2016–2021 Carlton Fields, P.A. · Carlton Fields practices law in California as Carlton Fields, LLP · All Rights Reserved · Privacy Policy · Disclaimer · Contact
