News (All)

The Technology Sector featuring Dr. James Hayward of Applied DNA Sciences and Marty Schmitt and Kevin Edwards of Flexible Systems

Posted: May 29th, 2018

With its vibrant startup community and universities, Long Island is home to incredible technological innovation, and this episode spotlighted some of its gems. Dr. James Hayward, President & CEO of Applied DNA Sciences, demonstrated that he is the rare scientist who understands business and how to commercialize inventions. With Applied DNA, he’s cleaning up and securing the supply chain, protecting both brands and consumers. You won’t want to miss his inspiring story of rising from helping out at his parents’ deli in Queens as a kid to leading a groundbreaking public company today. Marty Schmitt and Kevin Edwards of Flexible Systems then addressed the darker side of technology with their focus on keeping the business community safe from cyber criminals.

CMM Spotlight: iOptimize Realty® and REoptimizer®

Posted: May 22nd, 2018

We’re all familiar with the adage “If you do what you love, you’ll never work a day in your life.” Don Catalano, President and CEO of iOptimize Realty®, has really taken this message to heart: he’s seamlessly combined his passion for real estate, photography, and piloting airplanes into a rewarding career at the helm of one of Long Island’s most innovative companies.

A longtime client and friend of Campolo, Middleton & McCormick, Catalano recently invited Managing Partner Joe Campolo to the Commack headquarters of iOptimize Realty® for lunch and a demo of Catalano’s REoptimizer® software, a real estate optimization tool and commercial lease management software. Over sandwiches from the Sexy Salad, these business leaders and military veterans discussed what sets iOptimize apart and how their military service has shaped their leadership style.

Many companies offer commercial real estate services, but iOptimize is unique in exclusively representing corporate tenants. The concept was born when Catalano saw a gap in the market: corporate tenants, needing to renegotiate leases or look for new space only every five years or so, often assign the task to their CFOs. But these time-pressured CFOs, no matter how brilliant they may be, simply lack the experience to compete with real estate brokers who live and breathe the market year-round. To level the playing field, Catalano created iOptimize to serve as the corporate tenant’s expert and shoulder the due diligence burdens of finding and negotiating for space. Most brokers work for landlords, Catalano explains, making his approach incredibly different.

To start the process, Catalano spends time getting to know his clients, learning not just where they’re interested in leasing but what else they value – do they want buildings with amenities? Do they need hotels and restaurants nearby? iOptimize then serves as a fact-finder, presenting clients with dozens more options than traditional brokers who might be bound by exclusivity arrangements with landlords. This approach encourages landlords to compete for the tenant’s business, often saving the tenant up to 30 percent. But landlords benefit, too: iOptimize represents only creditworthy tenants, so landlords breathe easier when they see iOptimize at the table.

As a young man, Catalano joined the military seeking a challenge. He ultimately served in the U.S. Army Special Forces, undergoing high-altitude low-opening (HALO) parachuting training and scuba training. Catalano was elite within the elite, completing arduous training few could finish. Catalano says that the experience taught him that “you can have fear but you have to push through it and overcome it” – a lesson he now applies to business.

Perhaps it’s this extraordinary background that pushed Catalano to make iOptimize even more innovative and serve clients even better by translating his love of flying and photography into an additional client benefit. An accomplished pilot, Catalano flies his plane over potential sites and takes stunning aerial shots, offering clients a bird’s-eye view of potential properties. These photos give clients the invaluable opportunity to see everything they can’t readily see from the ground, such as structural systems, the condition of a roof, and environmental issues. Catalano’s photos of buildings representing some of the largest deals on Long Island line the walls of his office including Allstate, DealerTrack, and Sbarro. (iOptimize works all over the country, and Catalano is arguably the most licensed real estate professional in the industry.)

In his quest to deliver perfection in the client experience – another lesson he attributes to his military service – Catalano has also worked with his team to develop REoptimizer®, proprietary software to aid in the fact-finding process. The web-based program is a global system in multiple currencies designed for corporate users, allowing side-by-side comparisons in the market. Explaining that real estate is often underfunded and understaffed in the corporate setting, Catalano says that REoptimizer® was designed not only to save clients money but also to help them better utilize space, renegotiate leases, and find the ideal space based on their unique preferences. The program also helps clients manage existing leases by keeping track of deadlines and documents in one place, saving significant administrative burden. By putting the client in control of the process, REoptimizer® is a natural extension of the iOptimize way of servicing clients.

Learn more about this forward-thinking Long Island company at http://www.ioptimizerealty.com/ and check out REoptimizer® at http://www.reoptimizer.com/. You can also view a clip from Joe Campolo’s recent CMM Live interview with Don Catalano at https://www.youtube.com/watch?v=Kdor7LeGLPs.

 

 

CMM client and friend Don Catalano, President and CEO of iOptimize Realty®, recently welcomed CMM Managing Partner Joe Campolo to his beautifully designed headquarters on Vanderbilt Motor Parkway in Commack. Next photo: Catalano served in the U.S. Army Special Forces, undergoing high-altitude military parachuting (HALO) training as well as scuba training. Photos and keepsakes from his service line the shelves of his office.

 

A shelf of trophies, awards, and memorabilia in Catalano’s office. Next photo: Model airplanes on display. Catalano is an accomplished pilot who puts his flight skills to work for his clients, taking aerial shots of prospective properties to explore the location from all angles.

 

Catalano in his office. Next photo: These military veterans credit their service with shaping them into Long Island business leaders.

 

Catalano and colleagues welcomed Campolo to the office. Rich Boccard and Jason Brucella are responsible for iOptimize’s active social media presence as well as working with REoptimizer®, a real estate optimization tool and commercial lease management software that takes the pain out of real estate while saving customers money and time. Next photo: Catalano shows Campolo incredible aerial shots lining the walls of his office. Catalano combines his love of real estate, flight, and photography to give corporate clients a bird’s-eye view of commercial properties.

 

Aerial photograph of the headquarters of iOptimize Realty® in Commack. Next photo: iOptimize deal: Sbarro, Melville

 

iOptimize deals: Allstate in Garden City and Lake Success.

  

iOptimize deals: Dealertrack in Lake Success.

  

iOptimize deal: Festo in Mason, Ohio. Next photo: A view inside the sleek headquarters of iOptimize Realty®.

 

 

 

 

CMM Settles Prevailing Wage Law Violation for Construction Client, Avoiding Debarment and Keeping Client in Business

Posted: May 17th, 2018

Don Rassiger, Chair of CMM’s Construction practice group, recently settled a prevailing wage law violation between our client, a contractor, and the New York State Department of Labor. Our client faced financial penalties for allegedly underpaying wages, personal liability for purportedly signing fraudulent documents, and possible debarment from public works projects, which would have effectively shut down the client’s business. Don’s advocacy through a series of conferences and negotiations ultimately saved the client 20% on the fines and – most critically – avoided debarment, keeping the client’s doors open for business.

Our construction clients include owners, developers, general contractors, subcontractors, architects, engineers, construction managers, and more, all of whom turn to us for guidance and representation on the critical issues impacting their business. Learn more about our work with the construction industry here and contact Don Rassiger at drassiger@cmmllp.com or (631) 738-9100.

Intra-Firm Attorney-Client Privilege: Protection of Communications with In-House Counsel

Posted: May 16th, 2018

Published In: The Suffolk Lawyer

By Patrick McCormick

Attorney-client privilege is a bit of a misnomer. The name itself fails to convey the full breadth of communications protected (or not protected) by the privilege, one of the oldest common-law evidentiary privileges. The privilege applies to communications made “for the purpose of facilitating the rendition of legal advice or services, in the course of a professional relationship.” See, e.g., Spectrum Sys. Intl. Corp. v. Chemical Bank, 78 N.Y.2d 371, 377-378 (1991), quoting Rossi v. Blue Cross & Blue Shield of Greater N.Y., 73 N.Y.2d 588, 593 (1989). Indeed, not every communication is privileged – and determining whether the privilege applies is not always clear cut. For example, if a law firm has designated a particular attorney as their in-house counsel, and another attorney in the firm has an ethical question as it relates to a client, are communications between the two attorneys on the subject protected by the privilege?

In July 2016, the First Department, in Stock v. Schnader Harrison Segal & Lewis LLP, 142 A.D.3d 210 (1st Dep’t 2016), became the first appellate court (and so far the only) in New York State to recognize intra-firm privilege applying to certain communications between an attorney and his or her firm’s in-house counsel. In Stock, the Defendant law firm previously represented the Plaintiff in the negotiation of a separation agreement from Plaintiff’s former employer. Unbeknownst to Plaintiff, his vested stock options, allegedly worth more than $5 million, expired as a result of the negotiation. Plaintiff subsequently commenced a federal lawsuit and an arbitration proceeding against his former employer to recover the value of the lost options. Again, Plaintiff hired the Defendant firm to represent him in the federal litigation and arbitration. However, the Plaintiff’s former employer took the position that Plaintiff’s woes were caused by the Defendant firm’s representation in negotiating the separation agreement. To prove this, the former employer sought to call a Defendant firm lawyer as a fact witness at the arbitration. This progression prompted the Defendant firm to seek legal advice from its in-house counsel regarding ethical obligations under the lawyer-as-witness rule.

After the arbitration was decided in favor of the former employer, Plaintiff sued the Defendant firm for malpractice, claiming that it failed to advise him that his separation would significantly accelerate the expiration date of his stock options. During discovery, Plaintiff sought 24 documents concerning communications Defendant firm’s attorneys had with other lawyers at the firm, most notably including the firm’s in-house counsel. The firm withheld the documents, arguing they were protected from disclosure under attorney-client privilege. However, the trial court disagreed, holding that the documents were discoverable under the “fiduciary exception” to the attorney-client privilege. According to the trial court, the firm, as Plaintiff’s legal representative, was a fiduciary with special obligations to Plaintiff, and thus Plaintiff “ha[d] a right to disclosure from his fiduciaries of communications that directly correlate to his claims of self-dealing and conflict of interest.” Stock v. Schnader Harrison Segal & Lewis LLP, No. 651250/2013, 2014 WL 6879923 at *2 (Sup. Ct. N.Y. Co. Dec. 8, 2014).

On appeal, the First Department unanimously reversed, holding that the fiduciary exception did not apply and that the communications at issue were privileged. Key to the Court’s analysis was determining the “real client” – whether the communications seeking legal advice were sought to protect the individual interests of the attorneys or to guide the attorneys in rendering service to their clients. The Court reasoned that “the purpose of the consultation . . . was to ensure that the attorneys and the firm understood and adhered to their ethical obligations as legal professionals.” Stock, 35 N.Y.S.3d at 223. Despite the primary function of the attorney-client privilege being to facilitate candid discussion between attorneys and their clients, the Court reassured the legal profession that “[t]he protection afforded by the attorney-client privilege encourages lawyers to seek advice concerning their ethical responsibilities and potential liabilities in a timely manner so as to minimize any damage to the client from any conflict or error.” Accordingly, the Court found that “the attorneys and the firm, not plaintiff, were the ‘real clients’” during the consultation. Id. Thus the communications were privileged.

In a similar context involving in-house corporate counsel, it is important to remember that the “real client” is the corporation itself, not its directors, officers, or shareholders, and challenges arise when determining whether communications between a corporation’s in-house counsel and employees regarding both business and legal advice are privileged. The seminal New York Court of Appeals case Rossi v. Blue Cross and Blue Shield of Greater N.Y., 73 N.Y.2d 588, is instructive on this issue. In Rossi, the issue presented to the Court was whether an internal memorandum from a corporate staff attorney to a corporate officer was protected by attorney-client privilege. The contents of the memorandum referenced communications concerning both legal advice and nonlegal business communications. The mixed legal-business nature of the memorandum provided the Court an opportunity to opine on the contours of the attorney-client privilege in the context of intra-firm communications. The Court noted that communications with in-house counsel often “blur the line between legal and non-legal communications.” Id. at 593. The Court acknowledged that no bright-line rule exists to distinguish protected legal communications from unprotected business or personal communications. Most importantly, the Court specified that a fact-intensive inquiry is necessary to determine whether the nature of the communication is predominantly of a legal character. Applying that rule, the Court held that the content and context of the memorandum was to facilitate legal advice and privilege was not compromised merely because it also referred to certain nonlegal matter.

The attorney-client privilege has developed into a robust doctrine. Do not be fooled into thinking about it in a one-dimensional way. It protects intra-firm communications by attorneys seeking ethical advice, as well as corporate communications that are predominantly legal in character. Of course, not all intra-firm communications are privileged, but that is a small trade-off for the vast protection attorney-client privilege affords.

Patrick McCormick is a partner and the chair of the appellate practice group at Campolo, Middleton & McCormick, LLP, a premier law firm with offices in Ronkonkoma and Bridgehampton. He also serves as General Counsel to the firm and is the Dean of the Suffolk Academy of Law. Richard A. DeMaio is an associate at CMM, where he focuses on litigation, appeals, and the intersection of law and technology. They can be reached at pmccormick@cmmllp.com and rdemaio@cmmllp.com.

Deficient Tortious Interference Claim Leads to Dismissal of Complaint

Posted: May 16th, 2018

Published In: The Suffolk Lawyer

One of the more common “business tort” causes of action we see in the world of commercial litigation is a claim for tortious interference with a contract. Often a competing company, knowing that its competitor has a contract with a certain customer or employees, will intentionally and improperly interfere with that contract by causing the customer or employee to breach the contract, thus resulting in harm to the competing business.  This interference usually consists of improperly soliciting the customer or employee away from the competing business, making disparaging and/or defamatory comments about the competing business, or even fraudulently deceiving the customer or employee to induce a breach of the contract with the competing business.

When alleging a tortious interference claim, it is critical to include sufficient allegations in the Complaint that support the necessary elements of the claim itself. It is not enough to merely recite the elements without any specific factual allegations detailing the improper conduct of the company/individuals who allegedly committed the tortious interference.  A recent decision from Justice Garguilo in the Suffolk County Commercial Division provides a perfect example of a deficient tortious interference claim resulting in dismissal of the Complaint.

In Airweld, Inc. v. Airgas U.S.A., LLC d/b/a/ Airgas, Inc., Plaintiff Airweld, Inc. alleged that Defendant Airgas U.S.A., LLC tortiously interfered with contracts Airweld had with two of its customers. The Complaint alleges that Airgas “attempted to solicit” the two customers by providing the same products that Airweld was providing to these customers under the separate contracts Airweld had with the customers. Even after Airweld sent cease and desist letters concerning the two customers and the existence of the contracts for each customer, Airgas continued to solicit business from them, and Airweld stopped doing business with each customer due to the interference by Airgas.

The Court noted that to succeed on a claim for tortious interference with contractual relations, “a plaintiff must show the existence of a valid contract between the plaintiff and a third-party, and the defendant’s knowledge of such contract, the defendant’s intentional and improper procurement of the breach of such contract by the third-party, and damages.” See White Plains Coat & Apron Co., Inc. v. Cintas Corp., 8 N.Y.3d 422 (2007).

The Court acknowledged that Airweld had sufficiently alleged the existence of a contract and Airgas’s knowledge of the contracts at issue. However, the Court dismissed the tortious interference claim, finding that the Complaint failed to provide any specifics as to the improper conduct Airgas engaged in to solicit the customers. Mere solicitation by itself is not sufficient to satisfy a tortious interference claim. Id. Furthermore, the Court held that it was unclear and unknown based on the allegations in the Complaint whether the two customers at issue actually breached their contracts with Airweld as a result of any actions by Airgas. Given the very vague, conclusory allegations set forth in the Complaint, the Court dismissed the action.

As an aside and perhaps as a word of advice at the end of the decision, the Court noted that it was curious why Airweld did not simply pursue breach of contract actions against the two customers who were allegedly in violation of the terms of their contracts with Airweld. This certainly could have been an easier path to recovery, as the Court noted.

A key takeaway from Justice Garguilo’s decision in Airweld is the importance of taking the time before filing the Complaint to make sure you have the necessary facts to withstand a motion to dismiss. Although a Court is required to take allegations in a Complaint as true on a motion to dismiss, it is not enough merely to recite basic elements of a claim. Without at least some specifics, the action will be short-lived.

Long Island’s Nonprofit Sector featuring John Miller of Guide Dog Foundation and America’s VetDogs and Ken Cerini of Cerini & Associates

Posted: May 15th, 2018

Collaboration was the word of the day on this CMM Live episode focusing on Long Island’s vibrant nonprofit sector. John Miller, President and CEO of the Guide Dog Foundation and America’s VetDogs, inspired viewers with personal stories of the countless lives these organizations change every year. Fresh off the 2018 Imagine Awards, Ken Cerini, nonprofit accounting guru and head of Cerini & Associates, discussed how he works with the nonprofit sector to maximize their impact. Both guests noted that collaboration among organizations is key.

CMM Spotlight: Suffolk County Community College Partners with HIA-LI

Posted: May 11th, 2018

It’s easy for the business community and academia to give lip service to concepts of job creation and cultivating student opportunity. But leaders from Suffolk County Community College and HIA-LI are backing up their talk with concrete action and a roadmap of plans to make it happen.

Joe Campolo, HIA-LI Board Chairman and Campolo, Middleton & McCormick Managing Partner, recently met with a team of SCCC administrators and leaders to discuss building their partnership. It’s a natural collaboration: with Long Island’s workers aging out, the business community – particularly industrial and manufacturing businesses in the Hauppauge Industrial Park (HIP) – needs the next generation of workers. Students coming out of institutions of higher learning, such as SCCC, need jobs. “Academia and the business community need each other, but are often lacking in each other,” Campolo said. “If we are really going to make Long Island better and do more for students, we need to focus on jobs.”

Looking to “fertilize” student opportunities, SCCC administrators, including Dr. John K. Galiotos, Dr. Fara Afshar, and John Lombardo, are successfully establishing the school as a top choice for the HIP’s workforce pipeline, particularly in technology and manufacturing. They are actively working to increase awareness of the HIP among students and build engagement with academic staff by fostering relationships with the business community. Speaking of HIA-LI/SCCC collaboration as a “need-to-have, not a nice-to-have,” the leaders at the meeting got to work creating a list of opportunities on which the organizations can work together, from mentoring programs to job fairs to community solar initiatives.

Long Island is home to many prestigious colleges and universities, but SCCC fills a unique niche: while many students there go on to four-year colleges and beyond, others attend SCCC for its hands-on technical programs such as AAS two-year degree programs and other non-degree training programs. In a society that often views a bachelor’s or master’s degree as an obligatory stepping stone to success, these talented students are often overlooked as a critical part of the labor force. HIA-LI and SCCC are committed to partnering these students with the Long Island businesses that need them – and in turn, ensuring Long Island’s future economic growth.

Following the meeting, Campolo toured the Workforce Development Technology Center for an inside look at SCCC’s unrivaled training programs in manufacturing-related disciplines, created in partnership with the industries they serve. Check out these photos of the tour here, then visit these SCCC websites to learn more:

All Degree Programs

Manufacturing AAS Degree Program

Workforce Training

If your business would like to recruit at SCCC or learn more, please contact Dr. Fara Afshar at afsharf@sunysuffolk.edu!

 

  

Joe Campolo recently met with a team of administrators and leaders from Suffolk County Community College to discuss collaboration between the school and HIA-LI. SCCC plays a critical role in educating and training the workforce pipeline for the Hauppauge Industrial Park – the largest industrial park in the nation after Silicon Valley. Next photo: SCCC’s Workforce Development Technology Center, at the Brentwood campus, offers programs designed in partnership with industry to provide hands-on training in several manufacturing-related disciplines including welding, electronic assembly and soldering, and CNC (computer numeric control) machine operation, among others.

  

Campolo toured SCCC’s Workforce Development Technology Center with Ali Laderian, Manufacturing Technology/Engineering Program Coordinator; Fara Afshar, Associate Dean of STEM/CTE; John Galiotos, Senior Associate Vice President of STEM/CTE; and Lisa Calla, Assistant Dean for Workforce Development, Community Partnerships, and STEM/CTE. Next photo: What high school science fair dreams are made of.

 

  

Dr. Galiotos at the training center. Next photo: Program Coordinator Ali Laderian and Communications Director Drew Biondo review SCCC program offerings with Joe Campolo, who is spearheading initiatives to grow the pipeline of talented workers for the future of the Hauppauge Industrial Park.

 

A maze of pipes and steel overlooks the CNC machines. Next photo: The CNC Machine Operator training program is taught in a blended format – a combination of classroom, lab, and online learning. Students receive a certificate of completion and a National Certification as a CNC Mill and Lathe Operator from the National Institute for Metalworking Skills.

  

Long Island businesses in high-demand fields routinely hire students from SCCC’s manufacturing programs for their hands-on experience. Next photo: A Computer Numeric Controller used for student training. SCCC offers manufacturing and industrial training programs designed to develop critical manufacturing skills. This focus makes SCCC students a perfect fit for Long Island businesses seeking employees who can hit the ground running.

  

Here at CMM, we’re not sure what this CMM Machine does, but we want one. Next photo: Ali Laderian gives Joe Campolo an inside look at the CMM Machine.

  

Inside a student workshop. Next photo: View from above: another intricate ceiling at the training center.

Navigating the Complex Web of Data Breach Notification Laws

Posted: May 10th, 2018


Facebook CEO Mark Zuckerberg testified before Congress in April about how a political consultancy had improperly accessed the personal data of nearly 90 million Facebook users. The Congressional hearings prompted by Cambridge Analytica’s misappropriation of personal data were not the social media company’s first brush with the federal government regarding the protection of user data. In 2011, the Federal Trade Commission (“FTC”) accused Facebook of breaking its promise to users that third-party applications had access only to user data required for the application to function. Facebook entered into a consent decree—an agreement resolving a legal dispute with the government not involving an admission of guilt or liability—that required Facebook to obtain user consent before sharing personal data with third parties. The FTC is now investigating whether the Cambridge Analytica data breach is a violation of the 2011 consent decree, which could carry heavy fines.

Mr. Zuckerberg’s testimony and Facebook’s past and present travails highlight how even one of the largest, richest, and most technologically sophisticated companies in the world can run afoul of consumer data privacy laws, and in particular, the requirement to timely notify both the government and its users of data breaches. Facebook is certainly not the first technology company to face criticism over its failure to timely notify of a breach. In November 2017, Uber disclosed a major data breach that occurred in 2016 during which hackers stole data on 57 million Uber customers. Uber paid the hackers $100,000 to destroy the data, but did not disclose the breach until a year later. A week after Uber disclosed the hack, three U.S. Senators introduced the Data Security and Breach Notification Act, which would require companies to report data breaches within 30 days and imprison for up to five years any employee or executive who knowingly conceals a breach.

While the proposed legislation is not likely to become law during the 115th Congress, its introduction signals not only the seriousness of data breach reporting but the fact that there currently is no single, federal law that governs how and when companies must report data breaches.  But that is not to say that there are not laws or regulations governing breach reporting—quite the opposite, in fact.

Currently, 48 states plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands have breach notification laws that require notification of a breach to affected individuals. Twenty-seven states plus Puerto Rico also require notification of a breach to a state attorney general or regulator. Beyond individual state laws, certain industries, such as healthcare providers and defense contractors, are governed simultaneously by sector-specific federal laws and regulations that direct when and how a company’s customers and regulators must be notified. Even certain states have passed sector-specific laws governing, among other things, data breach reporting – for example, the New York Department of Financial Services (“DFS”) Cybersecurity Regulation, which requires regulated entities to notify DFS within 72 hours of an incident. Moreover, the FTC, which enjoys broad jurisdiction under its consumer protection mandate, has promulgated “guidance” against which it may assess the adequacy of a company’s data breach response. Last, but not least, as of the May 25, 2018 effective date, the EU General Data Protection Regulation (“GDPR”) requires even U.S. companies that collect, process, or retain data regarding European persons to notify those persons of a breach within 72 hours.

With so many overlapping laws and regulations regarding data breach and cybersecurity incident notification, it is no surprise that companies like Facebook and Uber are coming under scrutiny, let alone small and medium-sized enterprises in less technologically-focused sectors.  The laws are not trivial.  Federal regulators and states impose substantial costs and liabilities on companies that impermissibly delay notification.  In January 2017, the U.S. Department of Health and Human Services (“HHS”) entered into a settlement with Presence Health for untimely reporting of a breach of unsecured patient information.  Under HIPAA’s Breach Notification Rule, breaches involving over 500 individuals require the company to report the breach to the individuals, media and HHS without “unreasonable delay” or in any event no later than 60 days.  Presence Health paid nearly half a million dollars in penalties for delaying notification approximately 100 days following the breach.

Setting aside all the other business challenges and liabilities associated with a cybersecurity event, some might ask, how hard is it to timely notify customers of a breach? Well, it is hard. Imagine your system is subject to a ransomware attack and your customers’ data is viewed by a hacker. Your company may be based in New York, but you have customers across 15 states. You must comply not only with New York’s data breach notification law, but also the laws of those 15 states. Your company’s ability to respond is based, in part, on knowing the geographic location of all your customers, where all your customers’ data resides on your systems (to determine if the data itself was breached), and the substantive legal nuances of what must be contained in each notification letter. Let’s say that your company is also a defense industry supplier, so you must also meet a 72-hour reporting deadline to the Department of Defense pursuant to the Defense Federal Acquisition Regulations Supplement (“DFARS”). Meanwhile, you are simultaneously responding to a hacker, attempting to preserve and back up data, restore your security posture, and then ensure such an attack never happens again.

Companies across sectors are rightly focused on investments in cybersecurity defense, insurance, internal policies, and employee training; however, they must also have in place an incident response plan that outlines how the company will meet its data breach notification requirements.  Advance planning and cybersecurity “fire drills” designed to simulate and test how a company will respond to a cyberattack go a long way toward reducing cost, stress, reputational harm, and legal liability.

The information contained in this article is provided for informational purposes only and is not and should not be construed as legal advice on any subject matter. The firm provides legal advice and other services only to persons or entities with which it has established an attorney-client relationship.

CMM-Flexible Cyber Alert: Spoof Email

Posted: May 10th, 2018

“There are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

Former FBI Director

We’re pleased to introduce a newly created strategic partnership between Campolo, Middleton & McCormick, LLP and Flexible Systems to fully service the business community’s legal and technological needs when it comes to cybersecurity. We seamlessly work together, and with you, to help you recover from an attack and plan for remediation; assess your unique legal risk, obligations, and reporting requirements; reduce your risk of falling victim to a cyber attack in the first place; and give you valuable peace of mind.

Learn more about how we work together to handle critical cybersecurity matters in this real-life case study.

Method of attack: Spoof email

How they did it: A client fell victim to a phishing attack by unknowingly downloading malicious software from a spoof email. The software allowed the attacker to penetrate the client’s system and access all incoming and outgoing emails. Eventually, the hacker came across emails calling for a wire transfer of significant funds to be made in connection with an upcoming transaction. The hacker then sent an email – which appeared to come from one of the client’s senior executives – to the company that was supposed to wire the funds to our client. The email contained fraudulent wire transfer instructions in an effort to trick the company into wiring the funds to the hacker’s account rather than our client’s account.

The damage: Fortunately, the company that had received the fraudulent wire instructions sensed something was off and contacted our client before wiring the funds. While the loss of significant funds was averted, the client’s sensitive corporate materials had still been in the hands of the hacker for months.

The response: The client called CMM immediately upon discovering the attack. As a strategic partner, CMM contacted Flexible right away and entered into an agreement whereby the parties would work in concert in response to the attack, with CMM directing Flexible with regard to the legal issues involved. (Such an arrangement can help preserve attorney-client privilege should the attack ever become the subject of future litigation.)

Flexible deployed a response team the very same day to ensure the client’s systems were locked down, mitigate further data breaches, and analyze the attack vector to create a timeline and investigation report detailing exactly what happened, how, and when.

This investigative information was crucial for CMM to then analyze and advise the client on what, if any, legal reporting obligations exist.  CMM determined that the client would need to inform its primary regulator of the breach and worked with the client to meet their legal obligations without causing undue alarm.

The takeaway: Many business owners and executives believe they are “too smart” to be fooled by spoof emails and other ploys that hackers use to gain control of your data. Others believe that data breaches affect only major public companies with millions of customers, or small mom-and-pop businesses with owners too naive to properly safeguard their data. But in this case, the victim of the cyberattack was a sophisticated, mid-size technology company led by some of the most brilliant minds in the industry – demonstrating that no one is immune to a cyberattack and that businesses must remain vigilant and proactive.

After the dust settled in this case, CMM and Flexible continued to work with the client to conduct a more thorough risk assessment and strengthen their cyber defenses from both a technical and policy standpoint.

Contact us today to see how we can help you.