FMG Law Blog Line

Archive for the ‘Commercial Liability’ Category

SEC Issues Risk Alert on the Cybersecurity Practices of Registered Broker-Dealers, Investment Advisers, and Investment Funds.

Posted on: August 11th, 2017

By: Jennifer Lee


The U.S. Securities and Exchange Commission (“SEC”) has become increasingly focused on cybersecurity issues in recent years as data breaches and ransomware attacks become more frequent and widespread across all industries. The most recent Risk Alert, issued on August 7, 2016 by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”), shows that cybersecurity continues to be a high priority for the SEC in 2017.

The Risk Alert was based on an examination of the cybersecurity policies and practices of 75 broker-dealers, investment advisers, and investment funds over a nine-month period, from September 2015 to June 2016. The examinations focused on firms’ written policies and procedures regarding cybersecurity, including whether such policies were actually implemented and followed.

The 6-page report found that although most firms had cybersecurity policies in place, such policies were often too general and vague, as they did not articulate specific procedures for implementing the policies or examples of how employees can apply the policies in their daily work. In addition, even when firms had specific cybersecurity protocols in place, their actual practices were much more lax and did not reflect their stated policies and procedures. For example, firms often had policies requiring all employees to complete cybersecurity awareness training. However, they did not have a mechanism in place to enforce such requirements. The Risk Alert also pointed out that some firms were using outdated operating systems that were no longer supported by security patches and were not taking measures to address the results of any penetration testing.

In light of the findings, the report listed specific measures firms can take to ensure that their cybersecurity practices are “robust,” including:

  • Creating and maintaining an inventory of data and information, including classification of the risks of the disclosure of each category of data or information and business consequences in the event of such disclosures;
  • Tracking access and requests for access to data and information;
  • Following a regular schedule of system scans and updates, including security patches;
  • Establishing and enforcing controls concerning firm network and equipment, including protocols with respect to personal devices on firm networks; and
  • Requiring mandatory employee training on cybersecurity issues.

Cybersecurity incidents are a growing and costly problem for the financial services industry, and they do not appear to be going away anytime soon. The SEC has picked up on this and has begun to dedicate more resources to cybersecurity enforcement. In fact, last year, the SEC brought charges against Morgan Stanley Smith Barney LLC (“MSSB”) following a data breach involving customer data for failure to adopt written policies and procedures reasonably designed to protect customer records and information. MSSB, a dually registered broker-dealer and investment adviser, settled the matter by agreeing to a censure and a $1 million fine. With the release of the August 7, 2017 Risk Alert, it seems more likely now than ever that firms will be held accountable for cybersecurity incidents, including data breaches and ransomware attacks, if they fail to implement the recommended measures and protocols contained in the Risk Alert.

However, SEC enforcement actions are not the only thing that broker-dealers and investment advisers need to worry about. As the public becomes more aware of cybersecurity issues, data breaches and ransomware incidents will result in the filing of customer claims. This may prove to be problematic as a single incident can affect thousands of customers, so a broker-dealer or an investment adviser may find itself trying to fight off thousands of individual actions or face a handful of actions involving a large number of customers, similar to a class action or a mass tort case.

To reduce the risk of an SEC enforcement action or customer actions based on cybersecurity incidents, broker-dealers and investment advisers should ensure that they are in compliance with SEC regulations and guidelines regarding cybersecurity, including but not limited to Regulation S-P, Exchange Act Rule 13n-6, and Exchange Act Rule 15c3-5—both on paper and in practice. Firms should also proactively implement any recommendations contained in OCIE’s Risk Alerts to the extent that they have not already.

If you have any questions regarding your firm’s compliance with SEC cybersecurity regulations or cybersecurity litigation in general, please contact the writer, Jennifer Lee, at [email protected].

Georgia’s New Garnishment Code

Posted on: November 10th, 2016


By: A. Ali Sabzevari 

To collect money owed, judgment-creditors must typically file a garnishment action and serve the garnishee, such as an employer or financial institution, and the judgment-debtor.  The State of Georgia has a new garnishment code that took effect in May, 2016 that governs these garnishments.

Senate Bill 255 was passed by the Legislature to repeal and replace the existing garnishment code in Georgia.  This bill was drafted in response to a Georgia federal court finding that the existing garnishment code was unconstitutional in part because it did not provide adequate protection for claims of exempt funds.

The following are some of the key changes in the new garnishment code:

  • There have been changes to garnishments filed by judgment creditors against financial institutions.  Under the new code, the applicable coverage period for a financial institution garnishment has been reduced from 30 days to just 5 days. Non-financial institution garnishments still have a 30 day coverage period.
  • The time-period for continuing wage garnishments is 180 days with the ability to refile.
  • The answer deadline for a financial institution has been reduced to 15 days after service.
  • The new code clarifies funds that are exempt and explains the process for recovery if taken improperly.
  • The pre-judgment garnishment code (O.C.G.A. § 18-4-40 through 18-4-48) has been repealed and prejudgment garnishment is no longer a remedy in Georgia.
  • When no claim has been filed and no traverse has been filed within 20 days after the garnishee files an answer (as opposed to 15 days under the old code), the judgment-creditor can apply for the funds deposited into the registry of the court.
  • Finally, the new code outlines what a judgment debtor should do if exempt money has been taken and also requires that a hearing be held within 10 days after an exemption claim is filed.

The new garnishment code contains many other changes that apply to judgment-creditors, garnishees, and judgment-debtors.  The attorneys at Freeman Mathis & Gary, LLP can help you navigate and streamline the process for garnishments and disputes, including those pertaining to exempt funds.

For more information regarding garnishments in Georgia, or if you have been served with or need to serve a garnishment, please contact A. Ali Sabzevari at [email protected] or 770.303.8633.

Higher Screening Standards Needed to Prevent Fentanyl Misappropriation in Hospitals

Posted on: November 4th, 2016

By: Robyn Flegal

A disturbing trend is on the rise. Hospital employees are misappropriating drugs intended for patients. The drug of choice is fentanyl, which has been used as a prescription painkiller since the 1960s, but is up to fifty times more powerful than heroin and up to 100 times more potent than morphine.[1] In some areas of the United States, deaths resulting from fentanyl overdoses are more prevalent than deaths resulting from heroin overdoses.[2]

Several newsworthy cases illustrate this trend toward fentanyl misappropriation by hospital staff. A nurse in Colorado is suspected of misappropriating fentanyl intended for patients after she was found with fentanyl doses exceeding the amounts nurses typically need for their patients.[3] A month before, in another Colorado hospital, a surgical technician was arrested for allegedly tampering with “a syringe containing fentanyl citrate by removing the syringe containing [fentanyl] and replacing it with a similar syringe containing ‘other substances.’”[4] Other hospital employees, including surgical technicians,[5] emergency medical technicians,[6] and pharmacy technicians[7] have been investigated for similar circumstances of fentanyl misappropriation.

Hospitals should be aware of this dangerous trend and should limit employee access to fentanyl. Hospitals should implement thorough screening procedures and background investigation before hiring employees who will have access to fentanyl. The surgical technician mentioned above had previously been fired after testing positive for a controlled substance, but he answered “no” on his job application as to whether he had ever been fired from employment as a surgical technician.[8] It is important to be aware, however, that even the most thorough background screening may not prevent fentanyl misappropriation in every instance. One of the pharmacy technicians under investigation for replacing fentanyl with saline solution passed a criminal background check and his reference check did not raise any red flags.[9]

[1] Katharine Q. Seelye, Heroin Epidemic is Yielding to a Deadlier Cousin: Fentanyl, N.Y. Times, March 25, 2016, http://www.nytimes.com/2016/03/26/us/heroin-fentanyl.html?_r=0.

[2] Id.

[3] Noelle Phillips, Nurse Accused of Stealing Fentanyl from Summit County Hospital, Denver Post, March 19, 2016, http://www.denverpost.com/2016/03/19/nurse-accused-of-stealing-fentanyl-from-summit-county-hospital/.

[4] Elizabeth Hernandez, Feds Arrest Swedish Medical Surgical Tech Accused of Stealing Drugs, Denver Post, February 16, 2016, http://www.denverpost.com/2016/02/16/feds-arrest-swedish-medical-surgical-tech-accused-of-stealing-drugs/.

[5] Lane Lyon, Former Rose Hospital Employee Admits to Needle Swapping, July 3, 2009,  http://www.thedenverchannel.com/news/former-rose-hospital-employee-admits-to-needle-swapping.

[6] U.S. Attorney’s Office, Raymond Man Sentenced for Diverting Fentanyl at Exeter Hospital, August 29, 2014,  https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/raymond-man-sentenced-for-diverting-fentanyl-at-exeter-hospital.

[7] KSN-TV, Pharmacy Tech Swapped Fentanyl for Saline Solution, Hospital Says, October 27, 2016,  http://ksn.com/2016/10/27/pharmacy-tech-swapped-fentanyl-for-saline-solution-hospital-says/

[8] Elizabeth Hernandez, Feds Arrest Swedish Medical Surgical Tech Accused of Stealing Drugs, Denver Post, February 16, 2016, http://www.denverpost.com/2016/02/16/feds-arrest-swedish-medical-surgical-tech-accused-of-stealing-drugs/.

[9] KSN-TV, Pharmacy Tech Swapped Fentanyl for Saline Solution, Hospital Says, October 27, 2016,  http://ksn.com/2016/10/27/pharmacy-tech-swapped-fentanyl-for-saline-solution-hospital-says/

 

 

 

District Court Dismisses Suit for Failure to Meet the Pleadings Requirements Under the U.S. Telephone Consumer Protection Act

Posted on: October 3rd, 2016

By: A. Ali Sabzevari

A federal judge recently dismissed a class action lawsuit accusing CrossCountry Mortgage, Inc. of contacting consumers nationwide with unsolicited calls, finding that plaintiffs did not clearly show the mortgage lender made the calls in dispute. Filed in May, the lawsuit alleged that CrossCountry contracted with Direct Source to conduct a telemarketing campaign to promote CrossCountry’s mortgages. The lawsuit alleged the defendants’ “overzealous marketing” included repeated, auto-dialed or “robo” calls to consumers’ cellphones without their consent. The Judge dismissed claims that CrossCountry violated the U.S. Telephone Consumer Protection Act, 47 U.S.C. § 227 et seq. (“TCPA”).

Passed in 1991 to limit nuisance phone calls, the TCPA bars automatically dialed calls to cell phones without permission.  Companies are not generally liable under the TCPA for calls made on their behalf by third-party telemarketers, but they can be liable if the telemarketer acted as their agent. Under FCC rules, a telemarketer may be an agent if it received a script from the company to use on calls or proprietary information about the company’s products or customers.

To state a claim under 42 U.S.C. § 227(b), a complaint must allege that a defendant (1) made any call, (2) using any automatic telephone dialing system, (3) to any telephone number assigned to a pager service or cellular telephone service, (4) absent the prior express consent of the recipient. To state a claim under § 227(c), moreover, a plaintiff must allege (1) receipt of more than one telephone call within any 12-month period (2) by or on behalf of the same entity (3) in violation of the regulations promulgated by the FCC.

The district court found that plaintiffs failed to allege that CrossCountry physically made or initiated the disputed calls or that Direct Source was acting as CrossCountry’s agent when it made calls.  Attorneys should be cognizant of the federal pleading requirements, especially in cases involving the TCPA, where a failure to plead with specificity could result in a quick dismissal of the lawsuit.

The case is Seri v. CrossCountry Mortgage, Inc. et al., U.S. District Court, Northern District of Ohio, Case No. 16-cv-01214-DAP (Sept. 28, 2016).