FMG Law Blog Line

Archive for April, 2019

Massachusetts’ Will-o’-the-WISP

Posted on: April 24th, 2019

By: Zach Moura

Massachusetts revised its data breach notification law, effective April 10, 2019, to change the minimum standards for what companies should include in a Written Information Security Plan, or WISP. Companies that experience a data breach incident must now confirm in their breach notice to the Massachusetts Attorney General whether the company maintains a WISP and identify any steps taken or planned relating to the incident, including updating the WISP. The requirements apply to companies that handle personal information belonging to Massachusetts residents no matter where the company itself is located.

The revisions also reshape the requirements for notifications to impacted individuals. In data breach incidents in which Massachusetts residents’ Social Security numbers are exposed, Massachusetts now requires companies to offer 18 months of free credit monitoring services to impacted individuals. Entities must also now certify to the state’s Attorney General and Office of Consumer Affairs and Business Regulation (“OCABR”) that the credit monitoring services comply with the statute, and provide the name of the person responsible for the breach of security, if known. The revisions also obligate the OCABR to publicly post the sample notice on its website within one business day.

The new statute calls for rolling and continuous notifications to all impacted individuals as they are identified, rather than allowing a business to first determine the total number of impacted individuals before notifying them all at the same time. And if an investigation reveals more information on the data breach that, if known, would have been provided to the impacted individuals in the original notice, additional notices must be sent. Entities must also now identify any parent or affiliated corporation in the notification letter.

For any questions about the above, or whether a WISP complies with Massachusetts law, please contact Zach Moura at [email protected].

FMG Client Headed to Supreme Court in Landmark Title VII Case to Resolve LGBT Employment Standards

Posted on: April 23rd, 2019

The Supreme Court yesterday agreed to review two federal circuit court decisions that reached differing conclusions as to whether Title VII of the Civil Rights Act of 1964 covers sexual orientation. For approximately 40 years, the EEOC and the federal circuit courts have unanimously held that Title VII does not encompass sexual orientation. The EEOC changed its position in 2014 and determined that Title VII encompasses sexual orientation. The Seventh Circuit likewise reversed its position in 2017, and the Second Circuit changed its position in early 2018 and held in Zarda v. Altitude Express that Title VII encompasses sexual orientation. Later in 2018, the Eleventh Circuit re-affirmed circuit precedent and held in Bostock v. Clayton County that Title VII does not prohibit discrimination on the basis of sexual orientation. The Supreme Court agreed to review Bostock and Zarda and consolidated the two cases.

Freeman Mathis and Gary, LLP represents Clayton County in Bostock and will argue that Title VII does not apply to a claim of discrimination on the basis of sexual orientation.

In addition, the Supreme Court granted certiorari in the Sixth Circuit case of R.G. & G.R. Harris Funeral Homes v. EEOC. That case raises the question of whether Title VII provides protection to transgender persons. That case is similar in some regards to the Bostock and Zarda cases; however, their distinctions are evident in that the Court did not consolidate the Harris case with Bostock and Zarda.

In granting certiorari in the Harris case, the Supreme Court may revisit a concept outlined in its 1989 decision in Price Waterhouse v. Hopkins, which held that it was unlawful sex discrimination under Title VII to discriminate against employees because they do not conform to ideas of how a certain gender should behave.

These cases will be argued and decided sometime during the Court’s 2019-2020 term, which begins in October.

If you have any questions or would like more information, please contact us at [email protected].

Georgia Court of Appeals Provides Guideline for Drafting Enforceable Exculpatory Clauses in Georgia

Posted on: April 23rd, 2019

By: Bart Gary and Jake Carroll

Exculpatory clauses are terms in a contract that shift the risk of loss to the other party or a third party, or attempt to limit one’s obligations under a contract. A typical exculpatory clause is a “limitation of liability” provision, which is commonly used in agreements for services, especially professional services rendered by accountants, architects, engineers and consultants.

Attempts to limit one’s liability to agreed amounts are sometimes challenged in court on the ground that they violate “public policy,” but are nevertheless generally enforceable in Georgia, provided such clauses are “explicit, prominent, clear and unambiguous.”

While these requirements have been addressed in prior appellate decisions, in Warren Averett, LLC v. Landcastle Acquisition Corp.[1] the Georgia Court of Appeals discussed in detail the “prominence” requirement for limitation of liability clauses in a contract for accounting services. The Court observed that a number of factors are considered when evaluating the enforceability of an exculpatory clause or limitation of liability clause:

  • Font. The clause should not be in the same font size used throughout the contract. It should be “capitalized, italicized, or set in bold type for emphasis.”
  • Setoff. The clause should be set off in a separate section that specifically addresses liability or recoverable damages, with a bold, underlined, capitalized or italicized specific heading, such as “Limitation of Liability” or “DAMAGES.”
  • Location. The clause should be in a prominent place within the contract to emphasize the importance of the clause’s limitation on recoverable damages, such as being adjacent to another similarly significant provision or being next to the parties’ signature lines.[2]

These factors should be used as a guide for parties when drafting and negotiating contracts with exculpatory clauses. For example, in construction contracts, the parties should pay close attention to the font and location of indemnity and no-damage-for-delay clauses. In commercial and professional services contracts, common exculpatory clauses that merit close scrutiny address indemnity, limitation of liability, waivers of certain types of damages, and insurance terms.

Finally, while the opinion is helpful as concerns what is not prominent, it does not offer a clear statement of what is prominent. For example, does the font need to be bold, capitalized, and italicized, or will one choice work? In light of the Warren Averett decision, it would seem that the more factors met, the lower the risk that the clause is found unenforceable.

If you have questions regarding this decision, or any other contract drafting questions, please contact Bart Gary at [email protected] and Jake Carroll at [email protected]. Mr. Gary and Mr. Carroll practice construction and commercial law as members of Freeman Mathis & Gary’s Construction Law, Commercial Litigation, and Tort and Catastrophic Loss practice groups as well as representing business and commercial entities in a wide range of disputes and corporate matters involving breach of contract, business torts, and products liability claims.

[1] Warren Averett, LLC v. Landcastle Acquisition Corp., 2019 Ga. App. LEXIS 178, Case no. A18A2117, March 13, 2019. (physical precedent only). Because one judge of the three-judge panel concurred in the judgment, the opinion is limited, physical precedent.
[2] 2019 Ga. App. LEXIS 178 at 9-10 (emphasis by the Court) (internal citations omitted).

SEC Issues Risk Alert Regarding Broker-Dealers and Investment Advisers’ Privacy Practices and Compliance with Regulation S-P

Posted on: April 22nd, 2019

By: Jennifer Lee

On April 16, 2019, the U.S. Securities and Exchange Commission (“SEC”) issued a Risk Alert summarizing the findings from the examinations of broker-dealers and investment advisers’ privacy practices and compliance with Regulation S-P.

Regulation S-P, 17 C.F.R. § 248.30, was enacted to protect the privacy of customers and their information. It has three major components:

  1. Firms are required to provide their customers with a copy of their privacy policies and procedures at the initial outset of the relationship and also on an annual basis.
  2. Firms are prohibited from sharing customers’ nonpublic information with unaffiliated third parties unless the customer is given prior notice regarding such practices.
  3. Firms must inform customers that they have a right to opt-out of the firm’s data sharing practices with unaffiliated third-parties and provide a method in which customers can opt-out.

During the examinations, which spanned over the course of the past two years, the Office of Compliance Inspections and Examinations (“OCIE”) found common deficiencies in firms’ compliance with Regulation S-P. The OCIE found that some firms did not provide customers with the initial and/or annual privacy policies and procedures. In other instances, the privacy policies and procedures were inadequate to satisfy the requirements under Regulation S-P. For example, the policies and procedures failed to identify the precautions taken to ensure the integrity of customers’ information.

Even when firms gave the required notices and had satisfactory written policies and procedures on the books, the OCIE often found that such policies and procedures were not actually being implemented and firms’ practices diverged from the written policies and procedures. Customers’ personally identifiable information (“PII”) was sent via unencrypted emails and left in unsecured physical locations, firm employees had customer information on unsecured personal devices, and outside vendors were not vetted on their cybersecurity and privacy practices.

These findings are unsurprising because often when a new set of privacy or cybersecurity regulations is introduced, companies will invest an incredible amount of time and resources to develop policies and procedures that comply with the new requirements. Usually, most of this work is done by the COO or Chief Information Security Officer (“CISO”). However, it does not and cannot stop there as most enforcement actions and customer actions are brought based on the firm’s failure to implement its policies and procedures.

To reduce the risk of enforcement and customer actions, firms must ensure that the policies and procedures on their books are put into practice. This requires buy-in from everyone at the executive level—from the CEO to the CMO—and cooperation from multiple departments in the firm that may not necessarily work closely with each other on a regular basis. In addition, firms should shift their perspective on compliance with Regulation S-P and other privacy or cybersecurity regulations. It is not a one-off event. Instead, it should be seen as an active and on-going process that requires constant training and monitoring.

If you have any questions regarding your firm’s compliance with Regulation S-P or other privacy and cybersecurity regulations, please contact Jennifer Lee at [email protected].

Is Flood Insurance the Next Big Thing in California?

Posted on: April 19th, 2019

By: Matthew Jones

California’s winter has been quite wet given the significant amount of rain. With heavy rain comes flooding and mudslides. California is not used to either of those types of events; but maybe it should be. Recently, the Russian River flood in Sacramento, California has brought problems to residents in the region. Approximately 2,600 homes and businesses were damaged by the floods, as well as some automobiles. However, the flood problems do not stop there. Consumers are also running into insurance issues since traditional homeowners’ insurance does not cover flood damage.

So what should be done to protect your property from the next flood? The Department of Insurance answered that question by educating consumers on the need to purchase flood insurance. One thing to keep in mind, however, is that flood insurance typically does not take effect for 30 days. Also, there are various exclusions to coverage, including for earthquakes, landslides, land subsidence, sinkholes, destabilization or movement of land from water accumulation, or gradual erosion. So while flood insurance may provide some peace of mind in the event of a flood, potential property damage may not be covered in full.

Given the Department of Insurance’s press releases on the topic, as well as the constant and unpredictable climate change, it is likely that the number of flood insurance policies issued will only increase.

If you have any questions or would like more information, please contact Matthew Jones at [email protected].