News (All)

Sanctions Issued Against Party for Spoliation of Evidence

Posted: February 27th, 2017

Published In: The Suffolk Lawyer

A crucial issue for any business named in a lawsuit or that is on notice that it will be named in a lawsuit is the preservation of evidence, specifically electronically stored information (“ESI”).  Attorneys will typically send “litigation hold” letters to their own clients or opposing parties in litigation to ensure that all steps are taken to preserve all documents and ESI that could be relevant to the litigation.  Essentially, businesses are instructed that nothing should be deleted, removed, modified, etc. by anyone within the company while the litigation is pending.  When a client destroys evidence or is negligent in preserving evidence, it is considered “spoliation” of evidence and can lead to sanctions imposed by the Court against the party that is guilty of spoliation including, but not limited to, dismissal or striking of a pleading, monetary penalties, or a negative inference at trial.  The negative inference at trial can be incredibly damaging to a party because it permits a jury to infer that any missing evidence is missing because it negatively impacted that party’s case or defense.

The Commercial Division in Queens County recently dealt with this spoliation of evidence issue in Ferrara Bros. Bldg. Materials Corp. & Best Concrete Mix Corp. (“Ferrara”) v. FMC Constr. LLC, et al. (Dufficy, J.).  Plaintiff Ferrara commenced the lawsuit against FMC Construction LLC (“FMC”) and Casa Redimix Concrete Corp (“Casa”) claiming that Casa interfered with the contract Ferrara had with FMC to provide cement for a construction project.    Casa’s defense was that it did not know about the contract between Ferrara and FMC at the time it entered into its contract with FMC.  However, Ferrara alleged that Casa purposely backdated its contract with FMC to give the impression that it was entered into prior to Ferrara’s contract rather than after Casa’s principals became aware of Ferrara’s contract.

Given the issue with the timing of the contract between Casa and FMC, Ferrara sought in discovery (over seven years after the case had been commenced) the electronic data, specifically metadata that would reveal the true dates that the contract between Casa and FMC was prepared, modified, and executed.  In response to the request, an IT specialist submitted an Affidavit on behalf of Casa claiming that two years after this litigation was commenced, the computers on which the native information was stored had been replaced and discarded due to a need to update Casa’s computer system.  The Court made a point to note that this computer system replacement was not done through an automatic process but rather was a conscious decision by Casa to update its computer system in the midst of litigation.

As a result of the discarding of the information by Casa, Ferrara brought a motion seeking sanctions against Casa for spoliation of evidence.  The Court noted that a party seeking sanctions based on spoliation of evidence must show the following: (1) the party having control over the evidence possessed an obligation to preserve it at the time of its destruction; (2) the evidence was destroyed with a “culpable state of mind”; and (3) the destroyed evidence was relevant to the party’s claim or defense such that the trier of fact could find that the evidence would support that claim or defense.  VOOM HD Holdings LLC v EchoStar Satellite L.L.C., 93 AD3d 33, 45 (1st Dep’t 2012), quoting Zubulake v UBS Warburg LLC, 220 FRD 212, 220 (S.D.N.Y. 2003).

Considering that the timing of the contract between Casa and FMC was at the heart of Casa’s defense in the case regarding its knowledge of the contract between Ferrara and FMC, the Court found that the metadata Ferrara sought was relevant to the case.  The Court also found that, considering that the parties were in the midst of litigation at the time and Casa knew or should have known that the ESI regarding its contract with FMC would be relevant to the litigation, Casa had an obligation to preserve this ESI.  Lastly, the Court held that Casa had not presented any evidence to rebut the presumption that Casa was negligent and possibly even grossly negligent in failing to suspend its destruction of the computer system containing ESI relevant to the litigation.   As such, the Court found that Ferrara had established the factors necessary to prove spoliation and turned to the issue of sanctions.

In reviewing sanctions to be imposed against Casa, the Court noted that spoliation sanctions are often based on the degree of willfulness with respect to the refusal or failure to disclose information which ought to have been disclosed.  Hameroff & Sons, LLC v. Plank, LLC, 108 A.D.3d 908 (3d Dep’t 2013).  Further, when the party seeking sanctions is still able to prove its case or defense, less severe sanctions are generally appropriate.  De Los Santos v. Polanco, 21 A.D.3d 397, 398 (2d Dep’t 2005).

After reviewing the facts of this case and based on the fact that the Court believed that Ferrara could still prove its case even without the missing evidence, the Court determined that the appropriate sanction would be a negative inference at trial to the jury.  Essentially, what this means is that if the case goes to trial, the jury will be permitted to infer that the reason the metadata was not disclosed is because it would act against Casa’s defense that it was unaware of Ferrara’s contract with FMC prior to its own contract with FMC.

The importance of preserving evidence in anticipation of litigation cannot be stressed enough.  While it is entirely possible that Casa simply needed a computer system upgrade and did not realize it would be destroying evidence pertinent to the pending litigation, as seen here, courts will impose a duty on the business and its employees to have those holds in place to ensure that everything is preserved.  The fact that Casa was already two years into the litigation at the time of the computer system replacement made the discarding of ESI even more egregious and should serve as an important lesson to business owners as well as attorneys counseling their clients at the start of and throughout litigation.

Kanter-Lawrence Recognized with Excellence in Communication Award

Posted: February 26th, 2017

Long Island Business News has recognized Lauren Kanter-Lawrence, Esq, the Director of Communications at Campolo, Middleton & McCormick, LLP, as an “In-House Marketing & Communications Professional Leader” with an Excellence in Communication Award. The Awards recognize top industry professionals for distinction in marketing, communications, public relations, website, and graphic design. The honorees will be celebrated at an awards ceremony and breakfast at Crest Hollow Country Club in Woodbury on March 22 at 8:00 a.m.

As Director of Communications for one of the fastest-growing law firms in the region, Kanter-Lawrence is tasked with implementing all aspects of the firm’s communications and business development strategy.  She drafts and ensures the accuracy of all communications including press releases, newsletters, client advisories, website, and other media.  She works closely with the firm’s senior attorneys on their business development initiatives, speaking engagements, and presentations, as well as drafting the content for these events.  Kanter-Lawrence is also tasked with developing relevant and interesting content for the firm’s popular Business Breakfast Series and other programs.  Drawing from her legal experience, she also oversees the firm’s in-house continuing legal education program, devising the curriculum for the firm’s full calendar of courses.

A graduate of Cornell University and Pace Law School, Kanter-Lawrence joined CMM in 2008 as an Associate attorney and rose to Senior Associate practicing in the areas of commercial litigation and corporate transactions prior to taking on the role of Director of Communications.  Before beginning her legal career, she focused on writing and editing at a book development company, where her work was published by several major publishing companies.

Do You Really Need A Revocable Trust?

Posted: February 25th, 2017

By: Martin Glass, Esq.

For many years now I’ve heard many attorneys tout the virtues of revocable or “living” trusts over Wills.  But, with the added expense, is the trust really necessary?  In many cases, no!  Now don’t get me wrong, there are many times when a revocable trust is the way to go, but there should be a need for it, not just a knee-jerk reaction or a scare tactic.

Below are several reasons that I’ve heard many attorneys give to get you to create a revocable trust as the primary method for disposing of your estate, followed by my response.

Reason: Using a revocable trust to distribute your estate provides a degree of privacy because the trust won’t be filed with the Surrogate’s Court and therefore won’t become a public document.

Response: Do you really care if someone sees your Will?  More to the point, do you know anyone who is going to go down to the Court to read it?  Unless you have a business or unequal distribution among your heirs, no one usually cares what your Will says except for the actual beneficiaries of the Will.

Reason: Property transferred into a revocable trust during your lifetime won’t be subject to the expense and delays of probate.

Response: I’ve found that more times than not, I end up assisting with the administration of a trust after the Grantor dies and the cost is about the same as if I did a probate of the Will.  Also, in either case, I always suggest to the fiduciary to wait seven months so there is no personal liability for any debts of the estate.

Reason: If you become incapacitated, the successor trustee of your revocable trust can manage the assets without the need for a court‑appointed guardian.

Response: A properly drafted Power of Attorney will allow your agent access and control to manage your assets should the need arise.

Reason: You can make changes to your revocable trust at any time.  But when you die, it becomes irrevocable, and the provisions that pertain to the disposition of assets to your heirs and charities will be administered by your trustee under the terms of the trust.

Response: You can do a new Will at any time, which becomes final upon your death.  The person you named as Executor of your Will then executes the provisions of your Will, carrying out your wishes, with the added peace of mind that the Court will ensure that the Executor is qualified to carry out your wishes and makes sure that he or she does so.

Reason: Your trust can include language that stipulates when distributions of income and principal will be available to beneficiaries, such as children, grandchildren or others. Your trust can include distributions for specific purposes such as for education or health care expenses. You can also include language for distributions based on attaining specific ages, such as one‑third of the principal is distributed at age 30, half at 35 and the remainder at 40.

Response: Virtually any provision that you can put into a trust with respect to how your assets are distributed can be put into your Will, including setting up ongoing trusts for future generations or having various stipulations.

Reason: When a surviving spouse remarries, or in the case of second marriages, the concern arises that a new spouse’s children could inherit assets and reduce what children of the first marriage might get.  In this case, a special trust provision (called a Qualified Terminable Interest Property trust, or QTIP) can be used to provide income to the second spouse while he or she is alive. After his or her death, the assets are distributed to the children of the first marriage.

Response: Again, almost any provision that is in a trust can be in a Will.  Although, in this case, because of a greater potential for a contested Will proceeding, I would recommend setting up a revocable trust and, to the greatest extent possible, keeping the transfer of assets outside of the Court.

Although there are many times when a trust is not needed, the last example is actually a good reason to create and fund a revocable trust.  There are many other good reasons to create a trust.  Everyone’s situation is unique and should be discussed with a qualified estate planning attorney.

The information contained in this article is provided for informational purposes only and is not and should not be construed as legal advice on any subject matter. The firm provides legal advice and other services only to persons or entities with which it has established an attorney-client relationship.

CMM and Campolo Named “Best of Long Island” 2017

Posted: February 23rd, 2017

The Long Island business community has spoken, once again awarding Campolo, Middleton & McCormick and Managing Partner Joe Campolo with the top titles of 2017 Best Law Firm on Long Island and Best Lawyer on Long Island.

The annual Best of Long Island contest, presented by Bethpage Federal Credit Union, was especially fierce this year with nearly 800,000 votes cast.  CMM prevailed over a field that included many larger and long-established firms to take top honors in the Best Law Firm category, demonstrating the firm’s remarkable rise over the past decade.  Under Campolo’s leadership, the firm has grown from two lawyers to a robust and highly respected team of over 30 lawyers servicing clients in a wide range of practice areas, and continues to grow.

A premier law firm with offices in Ronkonkoma and Bridgehampton, the firm’s Long Island roots are deep.  Over the past generation, our attorneys—a roster that includes a former Suffolk County Executive, Suffolk County Attorney, County Legislator, State Assemblyman, Village Mayor, as well as judges, prosecutors, and Town and Village attorneys—have played a central role in the most critical legal issues and transactions affecting Long Island.  Clients and the news media have described CMM’s lawyers as “fearless” and “exceptionally talented,” possessing “deep knowledge” with a “first-rate intellect,” and having the unique ability to “effectively partner with clients.”

“Being voted the Best Law Firm on Long Island sends a strong message to the Long Island community of how united and loyal we are as a firm, and that means more to me than you could ever imagine,” Campolo shared with his team upon learning that the firm took top honors yet again.

Thank you to all of our clients, colleagues, and friends for your votes and for your confidence in CMM!

Newsday Coverage of M&A Panel Moderated by Joe Campolo

Posted: February 22nd, 2017

Businesses Borrowing More Under Trump, LI Lender Says
By Ken Schachter
kenneth.schachter@newsday.com

Executives are gaining confidence and borrowing more to invest in their businesses after the November election, a Long Island lending executive said Tuesday.

The average size of loans to small- and medium-sized businesses has grown from $45,000 last year to $50,000 or $55,000, said Ted Theodoropoulos, chief operating officer at Bohemia-based business lender National Business Capital. His remarks came during a panel discussion of the Trump administration’s impact on mergers and acquisitions, held at Marriott’s Courtyard Long Island MacArthur Airport in Ronkonkoma.

“They’re confident to take on the additional debt,” said Theodoropoulos, who advised business owners to “build a strong business” to advance the chances of a favorable M&A deal.

Speaking before an audience of about 90, another panelist, Robert Pospischil, said that acquirers see Long Island as “a lucrative place to expand.”

Pospischil, president of Holtsville-based Bissett Nursery and Bissett Equipment, said that SiteOne Landscape Supply LLC, a publicly traded Georgia company that acquired the Bissett companies in 2016, has a full-time M&A team. When dealing with seasoned M&A professionals, he said, smaller companies need to prepare.

“You don’t want to go into a gunfight with a knife,” he said. “You don’t want to leave money on the table. Be patient. Don’t be in a hurry. Do your homework.”

One of the biggest mistakes made by business owners is to fail to assess the worth of their businesses, said another panelist, Gregg Schor, chief executive of Ronkonkoma-based Protegrity Advisors LLC, which sponsored the event.

“They make the decision to sell that’s disconnected from the business,” he said of some owners.

Moderator Joseph Campolo, managing partner at Ronkonkoma law firm Campolo, Middleton & McCormick LLP, said that many people are “obsessed with their home’s value” but don’t know what their business is worth.

Yogesh Gupta, president and chief executive of Bedford, Massachusetts-based Progress Software Inc., said that a failed acquisition helped him prepare for a successful one when he led Mineola-based Fatwire Software. The veteran software executive said that a public company approached Fatwire about an acquisition in 2008. That deal fell apart when the prospective acquirer itself was bought.

“A bigger fish bought the middle fish that was trying to buy us,” he said.

A few years later, when EMC Corp. kicked the tires of Fatwire, Gupta said, the company was able to hand over data and documents because Fatwire never abandoned the M&A process. Within weeks of EMC’s expression of interest, he said, the company’s M&A advisers flushed out the eventual buyer, database giant Oracle Corp. That deal was announced in June 2011.

Read on Newsday website: http://www.newsday.com/business/businesses-borrowing-more-under-trump-li-lender-says-1.13157987

McCormick Elected to Serve as Twenty-First Dean of the Suffolk Academy of Law

Posted: February 15th, 2017

Patrick McCormick has been elected and will be installed as the Suffolk Academy of Law’s twenty-first Dean on June 2, 2017 at the Larkfield, East Northport, New York.  McCormick is a partner in the prestigious law firm of Campolo, Middleton & McCormick, LLP, located in Ronkonkoma and Bridgehampton.  In this role, McCormick will spearhead educational programs for one of the largest voluntary bar associations in New York State.

McCormick has served as Associate Dean of the Academy of Law for the last two years and is currently a member of the Suffolk County Bar Association’s Board of Directors.  In addition to serving as Chair of the Appellate Practice Committee, McCormick has served on the Commercial Division, Landlord/Tenant, and Real Property Committees.  He also served with distinction on the Academy of Law’s Strategic Planning and Curriculum Committees.  As Associate Dean, he has coordinated and has been a faculty member for numerous programs presented by the Academy.

At CMM, McCormick heads the Litigation and Appeals practice.  He litigates complex commercial and real estate matters and counsels clients on issues involving contract disputes, agreements, corporate and partnership dissolutions, trade secrets, insurance claims, real estate title claims, mortgage foreclosures, and leases.  His diverse legal career includes serving four years as an Assistant District Attorney in the Bronx, where he prosecuted felony matters and appeals and conducted homicide and other felony investigations at crime scenes.  He received his B.A. at Fordham University and his law degree from St. John’s University School of Law.

About CMM
Campolo, Middleton & McCormick, LLP is a premier law firm with offices in Ronkonkoma and Bridgehampton, New York. Over the past generation, CMM attorneys have played a central role in the most critical legal issues and transactions affecting Long Island. The firm has earned the prestigious HIA-LI Business Achievement Award and LIBN Corporate Citizenship Award, a spot on the U.S. News & World Report list of Best Law Firms, and the coveted title of Best Law Firm on Long Island.

About SCBA
The Suffolk County Bar Association, a professional association comprised of 2,800 lawyers and judges, was founded in 1908 to serve the needs of the local legal community and the public.  The Association develops and offers continuing legal education programs through the Suffolk Academy of Law, as well as public services, such as a Lawyer Referral Service through which members of the public are referred to lawyers with expertise in a wide variety of areas of law.  For information about this service, call (631) 234-5577.

Campolo’s networking strategy is focus of “Connector to the Business Community” feature in LIBN

Posted: February 14th, 2017

Many lawyers network in order to meet people who will bring them business. Attorney Joseph Campolo approaches his networking activities with a twist. Rather than trying to drum up business from the people he meets, he looks to introduce those people to others who can help them succeed.

In other words, he sets out to be a connector.

“People don’t care about what you need; they care about what they need,” Campolo said. “The way I network is not to try to get business from people. I try to see how I can help them – by making relevant introductions that will help them succeed.”

This helps him build relationships, which eventually lead to new business.

“People will want to do business with you or refer people to you if they like you and you bring them value,” he said. “Networking isn’t about managing transactions. New business is not going to come in five minutes over a bagel at a networking event.”

How to be a connector was the focus of a presentation entitled “Never Eat Alone: Put Your Network to Work in 2017” that Campolo made before 200-plus business people at a Hauppauge breakfast in January. (A similar breakfast was planned for this week in Southampton.) The connector concept is based on a book that Campolo read about 10 years ago, right before he co-founded Campolo, Middleton & McCormick, a law firm based in Ronkonkoma with a second office in Bridgehampton. Prior to starting the firm, he had been the president of a technology company.

“Trying to broaden my focus from the very niche tech space I had just left, I knew I needed to build a network,” Campolo said, noting he adopted some of the concepts from the book Never Eat Alone and Other Secrets to Success, One Relationship at a Time by Keith Ferrazzi as a framework to build his network.

Because of his experience in the tech sector, he had plenty of connections in the venture capital arena and was able to introduce investors to entrepreneurs and others who were seeking funding.

“I said, ‘Let me start being a connector and see how I could bring value,’ and that’s when the fuse lit – that’s how our firm has grown,” said Campolo, whose firm now has more than 30 attorneys.

When Campolo identifies someone who may be a mutual connector with him – such as the managing partner of an accounting firm – he might suggest they have a drink to talk about how they can connect each other to others who can help their business.

“It takes the pressure off the relationship,” he said. “Someone might be a nice person and a great connector, but if they’re constantly trying to sell you something, you’re going to avoid them.”

In considering which relationships have value, don’t keep score, Campolo suggested.

“You might think, ‘Geez, I sent this person a lot of work and they didn’t send a thing back,’” he said. But that doesn’t mean you should walk away from the relationship.

“You should be thinking, ‘Am I developing this relationship correctly, so that this person feels confident giving me work?’” he said. “If it’s a good relationship, you should be able to have an honest discussion. Ask if there’s something that is making them nervous about sending business to you so you can address it with them.”

However, if you don’t feel a connection in a relationship – and you don’t feel the opportunity is there for mutual benefit – then you can move on, and move on quickly. “But the key is, don’t move on just because you didn’t get something from them when you gave them something,” Campolo said.

Campolo said he likes to develop his relationships over food.

“I grew up in an Italian family and everything was about eating,” he said. “You can get to know someone in a more comfortable setting when you share a meal with them.”

The firm plans group lunches and dinner parties with multiple clients who complement each other, as well as meet-and-greets between its internal team and members of other firms, so “people can pair off with those who make the most sense for their individual networks.”

The firm also holds business breakfasts like the “Never Eat Alone” event to connect people with each other.

While many attorneys give lectures as part of their networking arsenal, they tend to focus on legal topics in their presentations. By giving a seminar on hot topics in employment law or changes to patent laws, for instance, attorneys can bring value to attendees while demonstrating their expertise in a particular area of the law.

Campolo, however, tends to focus on marketing topics in his talks.

“I consider myself to be not just a lawyer but a business owner in the business of selling legal services,” he said. “From that perspective, a large part of my day is spent working with our marketing and business development folks on marketing our practice to the Long Island business community, which I think appreciates business owners who can go out and give them practical advice about what does or doesn’t work.”

Campolo and his partners also give seminars on specific legal topics, but those on broader business themes draw considerably larger audiences.

The breakfasts, which are free for attendees who register in advance, started with 10 to 12 people and grew based on the connector concept – people were invited to bring a friend – to a steady attendance of 150 to 250 people for those with broad business topics.

Read it on LIBN: http://libn.com/2017/03/13/connector-to-the-business-community/

Child Abuse Prevention Services (CAPS) Recognizes CMM with Corporate Citizenship Award

Posted: February 11th, 2017

Child Abuse Prevention Services (CAPS), Long Island’s leading organization dedicated to preventing bullying and child abuse, will recognize Campolo, Middleton & McCormick, LLP, a premier law firm with offices in Ronkonkoma and Bridgehampton, with a Corporate Citizenship Award at the CAPS 32nd Annual Spring Luncheon.   CAPS will honor the firm for its outstanding leadership and contributions to CAPS and the Long Island non-profit community.  CAPS will also honor Emily Lindin, author, filmmaker, and founder of The UnSlut Project, with a Community Leadership Award, and Allyson Pereira, an anti-bullying and sexting advocate, with a Champion for Change Award at the luncheon, which will take place at the Carltun in Eisenhower Park at 11:00 a.m. on Thursday, April 20, 2017.

Each year, CMM donates hundreds of thousands of dollars and hours to nonprofit organizations throughout Long Island and the metropolitan region.  CAPS holds a special place in CMM’s history, however, as the very first organization the firm supported.  Managing Partner Joe Campolo was CAPS’ first male board member, and Partner Patrick McCormick took the helm of the organization years later as President of the Board of Directors.

“CMM’s outstanding contribution to CAPS has helped make CAPS a leader in the field of bullying and child abuse prevention,” said Alane Fagin, CAPS Executive Director.  “We are thrilled to present the CAPS Corporate Citizenship Award to Campolo, Middleton & McCormick for their leadership role in community service to the Long Island non-profit and business community.”

To register for the event, please click here or call 516-621-0552.

About CMM
Campolo, Middleton & McCormick, LLP is a premier law firm with offices in Ronkonkoma and Bridgehampton, New York. Over the past generation, CMM attorneys have played a central role in the most critical legal issues and transactions affecting Long Island. The firm has earned the prestigious HIA-LI Business Achievement Award and LIBN Corporate Citizenship Award, a spot on the U.S. News & World Report list of Best Law Firms, and the coveted title of Best Law Firm on Long Island. Learn more at www.cmmllp.com.

About CAPS
Child Abuse Prevention Services (CAPS) has a 35-year history of delivering programs to over 850,000 Long Island schoolchildren, empowering them with strategies to protect themselves, speak out against bullying, and stand up for their peers.  CAPS creates islands of safety in classrooms across Nassau and Suffolk Counties, where children can feel comfortable discussing sensitive and personal issues.  CAPS is also a leader in professional development, working to give school personnel and social workers the tools they need to create safe spaces for children.  Learn more at www.capsli.org.

A New Cybersecurity Reality for the New York Insurance and Financial Services Industries

Posted: February 9th, 2017

On March 1, 2017, the New York financial services industry will awaken to a new regulatory regime designed to set minimum standards for the development and functionality of cybersecurity programs.  The New York State Department of Financial Services’ (“DFS”) proposed cybersecurity regulation (the “DFS Rule”) will cover any institution doing business in New York pursuant to a license, registration, charter, or similar authority under New York’s Banking, Insurance, or Financial Services Laws.  Companies outside the financial services sector should also take heed, as regulators overseeing other industries may use the DFS regulations as a benchmark for what a “reasonable” cybersecurity program looks like.

The DFS Rule is motivated by the clear and present danger posed by cybercriminals who seek to access sensitive personal data and potentially cause significant economic harm.  Of course, privacy and consumer protection cannot be achieved without an investment of time and resources by the financial services industry, and companies need to start preparing for the new normal in the digital age.

At its broadest level, the DFS Rule requires companies to maintain a risk-based cybersecurity program that is designed to protect the confidentiality, integrity, and availability of the company’s information systems.  Under the rule, every company must implement and maintain a cybersecurity policy that is approved by a senior corporate officer or the board of directors.[1]  Every company must also designate a qualified employee to act as a Chief Information Security Officer (“CISO”),[2] and must have the capability to run penetration assessments of its systems,[3] create audit trails,[4] and ensure effective training and monitoring.[5]  Companies must ensure and periodically review risk-based access privileges designed to limit internal access to nonpublic information.[6]  The list goes on.

The DFS Rule is in some ways more robust than the hodge-podge of cybersecurity regulations and best practices that have been promulgated over many years at the federal level.  But following the comment period in the fall of 2016, the latest iteration of the DFS rule offers companies a degree of flexibility not seen in the earlier version of the proposed regulation.

The DFS Rule permits financial services companies to outsource many of the requirements, subject to certain standards and without permitting the companies to abrogate their responsibility for effective cybersecurity.  For instance, Section 500.04 of the rule allows companies to designate an affiliate or third-party provider to serve as the institution’s CISO who need only report to the board of directors on an annual basis.  Under the revised rule, companies may also outsource their cybersecurity personnel, and now the required cybersecurity policy need only address relevant areas of the institution’s operations based on the mandatory risk assessment.

Even some of the encryption and authentication provisions do not read as check-the-box, hyper-technical requirements.   For instance, Section 500.12 (“Multi-Factor Authentication” or “MFA”) states that companies “shall use effective controls, which may include Multi-Factor Authentication or Risk-Based Authentication, to protect against unauthorized access to Nonpublic Information or Information Systems.”  While MFA is required for those accessing a company’s internal network from an external one, the company’s CISO may approve in writing a “reasonably equivalent” alternative.  The DFS Rule appears to give companies some degree of flexibility in achieving the underlying policy goals.

If senior management is asking whether their institution is too small to fall within the DFS Rule’s ambit, think again.  Companies qualify for limited exemptions under the rule if they have (a) fewer than 10 employees, including independent contractors, (b) less than $5 million in gross annual revenue in each of the last three fiscal years, or (c) less than $10 million in year-end total assets, including assets of all affiliates.[7]  There aren’t many financial services companies in New York that would qualify.  What’s more, even if a company operates only a small portion of its business in New York, it cannot comply with the DFS Rule by changing its practices only within New York.  Cyber and network security necessarily crosses jurisdictional boundaries and banks cannot require MFA or application security in a New York branch without upgrading in New Jersey as well.

Banks, insurance companies, and other financial services firms need to start assessing their existing cybersecurity program and determine what steps they must take to achieve compliance under the new law.  Companies will have 180 days from March 1, 2017 to comply with the DFS Rule, subject to a few exceptions.  For instance, companies will be given one year to comply with penetration testing and vulnerability assessments as well as the MFA requirements,[8] and eighteen months to comply with the audit trail and application security requirements.[9]  Finally, in addition to regularly certifying to the regulator that your company is in compliance, the DFS Rule mandates an incident response plan[10] that includes internal processes for responding to a cybersecurity event, such as a network penetration, and a 72-hour period in which the company must notify the DFS Superintendent of such an event.[11]

DFS has the authority to assess both civil and criminal penalties, so while the costs of compliance with the DFS Rule may be significant, the costs of non-compliance could be catastrophic.

Please contact us with any questions or for guidance on how to bring your company into compliance with the DFS Rule in a timely manner.

Footnotes:

[1] 23 NYCRR § 500.03.
[2] 23 NYCRR § 500.04.
[3] 23 NYCRR § 500.05.
[4] 23 NYCRR § 500.06.
[5] 23 NYCRR § 500.14.
[6] 23 NYCRR § 500.07.
[7] 23 NYCRR § 500.19.
[8] 23 NYCRR § 500.22(b)(1).
[9] 23 NYCRR § 500.22(b)(2).
[10] 23 NYCRR § 500.16.
[11] 23 NYCRR § 500.17.
