New York is First State in the Nation to Propose Cybersecurity Regulations Impacting Banks, Insurance Companies and Mortgage LendersNovember 2016
The New York State Department of Financial Services has proposed regulations that would impose new cybersecurity requirements on banks, insurance companies, mortgage lenders and others. The proposed regulations, issued pursuant to the Financial Services Law, would apply to entities that require a license or authorization under New York State banking, insurance or financial services laws to operate. New York is the first state in the nation to propose such cybersecurity regulations, which are designed to thwart nation-states, terrorist organizations and independent criminal actors from exploiting technological vulnerabilities to gain access to sensitive electronic data. The proposed regulations would create minimum cybersecurity standards to protect customer information and information technology systems.
These proposed regulations address the following key areas:
Establishment of a cybersecurity program
Implementation of a written cybersecurity policy
Designation of a Chief Information Security Officer
Implementation of a written third party vendor information security policy
Notification requirements to the Superintendent of Financial Services
Each entity that is covered by these regulations would be required to establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of its information systems. The core functions that the program must perform include identifying nonpublic information stored on information systems, using defensive infrastructure to protect this information, detecting any threats to information systems and recovering and restoring operations after such a threat is detected.
The written cybersecurity policy must address protection of information systems and the nonpublic information stored therein. The proposed regulation includes over a dozen areas, such as systems and network security, access controls, risk assessment, and customer data privacy, which, at a minimum, must be included in the policy. In addition, this policy would be required to be reviewed by the company’s board of directors and approved by a senior officer.
Chief Information Security Officer
The proposed regulations would also require the designation of a Chief Information Security Officer, who will oversee and implement the cybersecurity program and enforce the cybersecurity policy. In addition, entities covered by this regulation would be required to employ cybersecurity personnel sufficient to manage cybersecurity risks and to perform core cybersecurity functions.
Third Party Vendor Information Security Policy
The third party vendor information security policy would be required to ensure the security of information systems and nonpublic information that are accessible to or maintained by third party vendors. These policies would be required to address certain key areas, including risk assessments of vendors and due diligence processes used to evaluate vendors, as well as establishing preferred provisions, such as use of encryption, right to audit vendors, and vendors’ use of authentication to access information, to be included in vendor contracts.
The proposed regulations would require each entity that is covered to notify the Department of Financial Services within 72 hours of becoming aware of a cybersecurity threat that has a reasonable likelihood of materially affecting operations or that affects nonpublic information. In addition, starting January 15, 2018, the regulations would require the board of directors or a senior officer to submit an annual compliance certification (the regulations provide a template of the certification to be used).
The proposed regulations do contain a limited exception for smaller companies, but would still require these smaller companies to comply with certain requirements. The proposed regulations were subject to public comment until November 14, 2016. If they are finalized in their current form, they would go into effect January 1, 2017. Those affected by the regulations would have until June 30, 2017 to come into compliance. The proposed regulations do not specify penalties for non-compliance. If adopted, it is possible that courts would look to the regulations to define the proper standard of care in this developing legal area.
For more information about the proposed regulations or advice regarding compliance, please contact Zachary Cohen or any of the co-chairs of Bleakley Platt’s Information Technology and Cybersecurity Practice Group: Thomas G. Bailey, Robert Braumuller or Richard F. Markert.
U.S. Supreme Court Provides Patentees an Easier Path to Increased Patent DamagesJuly 2016
In its recent decision in Halo Electronics, Inc. v. Pulse Electronics, Inc., 579 U.S. ___ (June 13, 2016), the United States Supreme Court made it easier for a prevailing patentee to recover additional damages in a patent infringement action. After Halo, a patentee need only show that the infringer acted in bad faith to request an award up to three times his actual damages. Under prior law, proof of willful infringement alone was not sufficient; the willful infringer offering a reasonable argument of patent invalidity or non-infringement, albeit one developed during litigation, could avoid liability for anything beyond the patentee’s actual compensatory damages.
- The Supreme Court replaced the Federal Circuit’s stringent two part test for recovery of increased damages with a more relaxed standard focusing on the bad faith of the infringer.
- The Supreme Court also lowered the patentee’s burden of proof and made the trial court’s damage award more difficult to overturn on appeal.
- If the patentee proves an infringer’s conduct was egregious, the trial court can increase the patentee’s damages. The court can award up to three times the patentee’s actual damages (lost profits or a reasonable royalty).
- An “egregious” infringer is one that acted willfully and in bad faith.
- The patentee need only prove the infringer’s subjective bad faith by the lower preponderance of the evidence standard.
- Objective arguments about patent invalidity and non-infringement will no longer allow the willful infringer to block an award of additional damages
- The trial court has broad discretion as to when to increase the damage award, and the amount to award, against the egregious infringer.
- The trial court’s decision on damages will only be reversed on appeal if the court abused its discretion, making it more difficult to vacate the award than under the prior standard of review.
The Law of Willful Infringement
The damage statute before the Court simply states that the court “may increase damages up to three times the amount found or assessed.” 35 U.S.C. § 284. Courts have long limited such “treble damages” awards to cases of willful infringement. However, exactly what is required to demonstrate willful infringement has varied over the years. At one point to avoid a willfulness finding, an infringer with notice of the patent needed counsel’s opinion of patent invalidity or non-infringement before beginning infringing activity. Congress definitively eliminated the need for an opinion of counsel in the recent patent reform statute, the America Invents Act,P.L.112-29. See 35 U.S.C. § 298.
The Heavy Burden Needed to Recover Additional Damages Under Prior Case Law
Several years ago, the special patent appeals court, the Federal Circuit, adopted a rule in In re Seagate Technology, LLC, 497 F.3d 1360 (Fed. Cir. 2007), requiring the patentee to establish that the infringer’s conduct was both objectively and subjectively reckless to recover additional damages. The infringer would not be found “objectively reckless” if he presented a reasonable argument of patent invalidity or non-infringement, even though the infringer was unaware of that argument before the litigation. Evidence of the infringer’s state of mind was excluded unless the patentee met its burden on the objective prong. Moreover, until the patentee proved both the infringer’s objective and subjective recklessness by clear and convincing evidence, the Court could not consider increasing the damage award.
The Supreme Court Finds That Attorney Ingenuity Should Not Relieve The Willful Infringer
In a unanimous opinion, the Supreme Court in Halo rejected the stringent Seagate rule as contrary to the broad language of the damage statute. Instead, the Supreme Court left to the trial court’s discretion when to increase damages, as well as the amount to award. The infringer’s subjective bad faith alone may be the basis for additional damages, and objective arguments about patent validity and infringement will not protect the willful infringer. Although there is no rule or formula, the Court held such damages are reserved for “egregious cases of willful infringement,” conduct that is “willful, wanton, malicious, bad-faith, deliberate, consciously wrongful, flagrant, or – indeed - characteristic of a pirate.” As the Court explained, “someone who plunders a patent” should not “escape… any comeuppance under Section 284 solely on the strength of his attorney’s ingenuity.” The trial court’s determination will only be reversed for abuse of discretion.
The Concurring Justices’ Concern
The concurring Justices expressed concern that the looser standard would give some companies more leverage to extort money from innocent businesses. The Justices stressed that additional damages should only be awarded in cases of egregious misconduct.
Future Litigation Will Focus on the Infringer’s State of Mind
As the concurrence noted, patentees now have greater leverage against the deliberate infringer acting in bad faith. Applying the prior standard, a defendant could knock out an enhanced damages claim by an early motion showing a “substantial” question about the patent’s invalidity or the defendant’s non-infringement. After Halo, the focus is instead on the infringer’s state of mind, raising factual issues that generally cannot be determined until trial. This puts more pressure on a defendant to settle.
The opinion gives litigants and courts little guidance beyond that there must “generally” be “egregious misconduct”; future case law will have to develop the factors warranting a particular award. The Halo decision makes clear, however, that a bad faith infringer may not “escape” increased damages because his litigation counsel devised a reasonable argument of patent invalidity or non-infringement during litigation.
 The patentee needed to prove that “the infringer acted despite an objectively high likelihood that its actions constituted infringement of a valid patent” and the objectively defined risk “was either known or so obvious that it should have been known to the accused infringer.” 497 F.3d at 1371.
The Subrogation Rights of Medicare Advantage Organizations Should be Considered When Settling a Personal Injury ActionJuly 2015
A recent case decided by a U.S. District Court in Florida provides an important reminder that Medicare Advantage Organizations may employ Medicare Secondary Payment reimbursement remedies and that the settlement of a personal injury action without considering such an organization’s lien is done at one’s peril. See Humana Medical Plan, Inc. v. Western Heritage Insurance Company, 2015 U.S. Dist. 31875 (S.D. FLA 2015).
“Medicare Advantage Organizations” are private insurance companies that contract with the Center for Medicare and Medicaid Services to provide Medicare benefits and may also provide additional benefits to its enrollees.
The Medicare Secondary Payer Act (“MSP Act”) provides that Medicare is to serve as the “secondary payer” to other sources of insurance coverage including group health plans, workers compensation plans, automobile or liability insurance plans. 42 U.S.C.§1395 y(b)(2)(A). The MSP Act authorizes Medicare to make conditional payments for a patient’s medical treatment and requires a primary plan to reimburse Medicare for all conditional payments (42 U.S.C. §1395 y(b)(2)(B)).
The MSP Act further provides that, in the event the primary plan fails to reimburse such conditional Medicare payments, the United States is authorized to bring an action against the primary plan for double the amount due.
In Humana, a plaintiff in a personal injury action had enrolled in a Humana Medicare Advantage Plan and settled her claim against the condominium complex where she had slipped and fallen, for $115,000. While Medicare had not made any “conditional payments” on plaintiff’s behalf, the Humana Medicare Advantage Plan had paid approximately $19,000 for the plaintiff’s medical treatment. When the insurance carrier for the defendant condominium learned of Humana’s lien rights it attempted to include Humana on the settlement check but the state court directed that the full $115,000 settlement should be paid to the plaintiff.
Thereafter, Humana pursued the defendant’s insurance carrier, Western Heritage Insurance Company in the U.S. District Court to recover the funds that it paid on the injured party’s behalf.
Humana alleged that it had the same rights as Medicare and that its payments were conditioned upon reimbursement and, thereafter, subject to MSP Act’s statutory private cause of action and entitled to recover double damages.
Relying on the Third Circuit Court of Appeals decision In Re Avandia, 685 F.3d 353 (3rd Cir. 2012), the District Court determined that a Medicare Advantage Organization such as Humana is entitled to assert MSP Act’s private cause of action to pursue recovery of payments made for medical expenses and it was statutorily entitled to recover double the amount it had paid on behalf of the injured party.
New York practitioners should note that the Appellate Division, Second Department, in Trezza v. Trezza, 104 A.D.3d 37, 957 N.Y.S.2d 380 (2d Dept. 2012), has held that New York’s General Obligation Law §5-335, (which protects a plaintiff who settles an action for personal injuries from being subject to a reimbursement claim) as applied to Medicare Advantage Organizations, is preempted by federal law. The Trezza holding thus exposes insurance carriers for settling defendants in New York personal injury actions to the same risk as the defendant’s insurance carrier in Humana.
For more information about this Client Advisory, please contact: Vincent W. Crowe, a member of the Insurance and Litigation Practice Groups.
Can a Shareholder Withhold a Portion of the Maintenance Fee When an Amenity is Not Available?July 2015
First, the shareholder should carefully review the terms of his proprietary lease, which will generally establish the conditions under which a shareholder may withhold payment from the cooperative. Most proprietary leases contain language providing that “the Lessee (shareholder) will pay maintenance to the Lessor” (cooperative) upon the terms established by the cooperative “without any deduction on account of any set-off or claim which the Lessee may have against the Lessor.” Language similar to the foregoing will enable the cooperative to threaten dire consequences, such as declaring the shareholder in default, if the shareholder resorts to self-help by withholding or escrowing a portion of the maintenance. A threat of default may subject the shareholder to late fees, interest, legal fees and possibly revocation of his proprietary lease if he does not promptly “cure the default” by paying all of the money withheld. The shareholder should further be advised that, assuming the apartment is subject to financing, a default under the proprietary lease would also constitute a default under their financial agreement with the lender. So a shareholder should pursue all other options before withholding a portion of the monthly maintenance.
Second, except as provided below, it appears that depositing the maintenance in a rent escrow may not be an option for the shareholder. Real Property Actions and Proceedings Law Section 770, which applies in New York City, Westchester, Rockland, Nassau and Suffolk counties, allows a tenant to deposit money into a “rent escrow” account where there is a “loss of essential services.” However, a loss of essential services is defined as loss of “heat, water, light, electricity or adequate sewage disposal facilities, or an infestation of rodents.” The loss of a swimming pool, which would be appropriately characterized as an amenity, would not qualify as a loss of essential services.
Third, the shareholder should carefully review the cooperative by-laws, which may allow the shareholders to remove directors with or without cause. The threshold to remove directors “without cause” is more difficult. However, the failure to close out old permits resulting in expensive upgrades which would have been unnecessary if the permits had been timely closed out and a season-long pool shut down could arguably be wasting corporate assets and grounds for removal for cause. Should the shareholder wish to proceed in this fashion, the procedures for calling a special meeting of shareholders to remove the directors “for cause” will be spelled out in the by-laws. Generally, cooperative by-laws will require a petition demanding a special meeting of shareholders, signed by 25% of the outstanding shares in the cooperative and specifying the reason for the meeting (to remove directors for cause) and the grounds for removal, be presented to the Secretary of the cooperative. If the requirements are met, the Secretary must call the special meeting of shareholders. If the requirements are not met, the Secretary may deny the petition. Those shareholders who called the meeting have the burden of convincing the shareholders that the directors violated their fiduciary duty to the shareholders and must be removed from office.
Fourth, shareholders could bring a lawsuit against the directors, in their official capacity and individually, for breach of fiduciary duty, corporate waste and whatever other claims the shareholders have against the directors. This will require substantial investment in an attorney familiar with corporate matters and litigation to prosecute the lawsuit. Such lawsuits are expensive to bring and are time consuming so there may not be any immediate benefit for those who invest their money into the lawsuit. The lawsuit may encourage the Board to get the repairs completed promptly so they can request that the lawsuit be dismissed or settled in some way.
Last, the shareholder could, either in a stand-alone lawsuit or part of another lawsuit, commence a shareholder derivative action in the name of the corporation and against the directors alleging corporate waste and breach of fiduciary duty. New York’s Business Corporation Law requires at least 5% of the corporation’s outstanding and issued shares be plaintiffs in order to commence and maintain the action. As part of the derivative action the shareholders could seek a court order allowing them to withhold a portion of their maintenance until the lawsuit is dismissed or otherwise resolved. Armed with such a court order, the shareholder could push the Board to settle the case and get the pool repaired and open.
A final word about lawsuits. The shareholder should know that by suing the cooperative he is suing himself and his neighbors. The Board may attempt to vilify the shareholders for forcing the cooperative to spend money defending itself, money which could go into repairing the pool. A particularly vindictive Board might impose a “litigation assessment” so everyone knows a few shareholders are costing everyone money. If the shareholders wish to proceed with a lawsuit, they should be prepared for both pushback from neighbors and vilification from the Board.
For more information about this Client Advisory and related issues, please contact: James Glatthaar, a member of the Litigation, Construction and Real Estate Practice Groups.
Federal Government Expected to Increase Immigration Compliance Audits and Fines in 2015April 2015
All employers should be aware that the federal government is likely to devote increased resources to auditing employer compliance with immigrant employment laws in 2015. Those laws apply to large and small employers alike, and can often result in substantial fines for the unwary. All companies should take steps to familiarize themselves with these requirements and consider an independent audit to ensure that they aren’t taken by surprise, at potentially significant cost to the company, when federal auditors come calling.
The U.S. Immigration and Customs Enforcement (ICE), which is a part of the Department of Homeland Security (DHS), is authorized to conduct audits of an employer’s I-9 Employment Verification Forms (I-9 Forms) to ensure that the employer is complying with U.S. immigration laws in its hiring and employment verification practices. During its inspection of I-9 Forms, the ICE Auditor will review the Forms for suspect documents, and document discrepancies, untimely employment verifications, and technical paperwork violations. Based on the findings of the investigation, one or more of the following Notices will be issued: Notice of Inspection Results (the “Compliance Letter”); Notice of Suspect Documents; Notice of Discrepancies; Notice of Technical or Procedural Failures; a Warning Notice; and/or a Notice of Intent to Fine.
The recommended fines that can be imposed by ICE on an employer can be substantial. Those fines are determined under a range of fines for first, second and third offenses, and may be either enhanced or mitigated based on such factors as the employer’s business size, the employer’s “good faith,” the seriousness of the offenses, whether or not unauthorized workers had been employed, the employer’s history of prior offenses, and a “cumulative adjustment” based on so-called aggravating, mitigating or other factors involved in a particular case. Fines for simple errors, such as incomplete or incorrectly completed forms, range from $110 to $1,100 per violation. Fines increase to $375 to $14,050 per violation for “knowingly hiring or continuing to employ” unauthorized workers.
During the five year period from 2007 to 2012, ICE Audits of employer I-9 Forms increased from 250 to more than 3,000, an 1100% increase. In 2012, ICE issued more than $13 million in fines based on violations discovered during these Audits. More recently, a fine of over $228,000 was affirmed by an Administrative Law Judge against a Georgia construction company for (1) failing to ensure that 277 employees properly completed section 1 of Form I-9 and/or failing itself to properly complete section 2 of the Form; and (2) failing to prepare and/or present I-9 Forms for another 87 employees.
As part of its 2015 fiscal year Annual Performance Plan, the Office of Inspector General (OIG) will review the employer selection process utilized by ICE for I-9 Audits and will look at "whether ICE has effective policies and practices to identify and select businesses for I-9 inspections and re-inspections.” As a result of these anticipated policy changes, employers can expect the number of I-9 Audits and fines assessed by ICE to continue trending upwards in 2015.
The Firm’s Immigration Law Practice Group is experienced in counseling employers on I-9 employment verification and work authorization issues, including government I-9 Audits.
For more information on this Client Advisory, please contact:
Joseph DeGiuseppe, Jr., Chair, Labor and Employment and Immigration Practice Groups