Directors, please consider yourselves legally on notice. News headlines about the latest corporate hacking abound. From TJX Companies, Target, Sears and Snapchat, to Home Depot, Community Health Systems, JPMorgan and Miami-based Total Bank, every board of directors must adapt to a changing cyber world to protect their companies. The U.S. SEC Commissioner stated recently that boards must increase their role regarding cyber security, from upping technical know-how within the board to following up with proper notification and disclosure of breaches.
What follows is a brief overview of legal standards and best practices, regardless of the size or assumed risk profile of any given company and board. While this overview is not intended as legal advice and is provided for informational purposes only, we hope our identification of issues here will highlight the wisdom of conversing early on with counsel.
The goal is to prevent, mitigate, and promptly manage costs in the aftermath of a cyber breach. These costs include increases in existing customer turnover, challenges to new client acquisition activity, and decreases in positive reputation and goodwill. They also include securities fraud class actions and shareholder derivative actions based on harm to the corporation through, for example, significantly decreased stock prices.
Recent lawsuits nationwide are focused on directors’ conduct before, during, and after a cyber security breach. These generally allege that directors failed to implement or update security policies and that they even increased damages by failing to timely disclose (or to ensure that management timely discloses) data breaches in SEC-related public filings.
These suits specifically implicate breaches of fiduciary duties, such as the duties of loyalty, oversight, and care, as well as waste of corporate assets, gross mismanagement, abuse of control, and unjust enrichment. Disclosure liability is also at stake and involves a company’s public statements about cyber security protection measures, its risk level for a breach, and the magnitude of a breach upon occurrence.
State and federal regulators are also increasingly investigating breaches. The Federal Trade Commission, for instance, will look into unfair practices for a company’s failure to adopt appropriate cyber security measures. The FTC will also investigate deceptive trade practices for a company’s failures to properly communicate if and how its practices deviate from its policies. The Food and Drug Administration is looking into cyber threats to medical devices. And there is an uptick in ongoing regulation and negotiations with the U.S. Department of Justice, State Attorneys General, and state consumer protection agencies.
Directors should strongly consider adopting the following best practices to protect the business and legal interests of their boards and companies.
Restructure the board
A director or a committee should focus on cyber risk management. It should be separate from the audit committee and report directly to the full board. Boards should recruit directors with IT governance and cyber security risk experience. Mandatory cyber-risk education is recommended for directors. As part of its Critical Infrastructure Cyber Community Voluntary Program, the U.S. Department of Homeland Security has identified some resources that may assist boards in implementing a director cyber-risk education program.
Consider appointing a chief information officer (CIO), chief information security officer (CISO) and/or chief privacy officer (CPO), and regularly meet with them to review expectations and plans. These officers should head a department centered on information privacy and security that includes employees solely responsible for cyber security.
Also consider appointing a committee responsible for privacy and security. Its members can include the above officers, plus senior management from various departments. The committee should meet regularly and afterward report directly to the board. The board should also require a cross-organizational team of senior executives to meet regularly on privacy/security issues.
If an outside vendor is brought in, the contract with the vendor must address key issues, including security requirements, warranties, applicable security standards certifications (such as PCI), audit rights, service levels, backup systems, data-destruction policies and breach notification. But even if the company can protect its data without outside experts, the board periodically should engage independent outside consultants to audit the company’s cyber security practices and report their findings directly to the board. The board then should review any differences between the recommendations of outside consultants and company officers.
Review budgets and processes
The board should direct adequate funds towards cyber security. It should also regularly review the company’s incident response programs. Internally, it should establish chain of command for stopping intrusion, securing networks, and implementing prioritized recovery. Externally, it should establish policies regarding breach notifications to governmental authorities, markets, and customers. The board should further evaluate the process and diligence involved in selecting the company’s cyber vendors and the adequacy of employee training on these issues.
While standards vary by industry, the primary guidance source on widely accepted best practices and standards is the National Institute of Standards and Technology (NIST) framework standards for cyber security. Regulators take into account the level of compliance with these. Secondary guidance sources include the International Organization for Standardization and the National Association of Corporate Directors, in conjunction with AIG and the Internet Security Alliance. Standards should further be cross-checked with those of the IT Governance Institute and Information Systems Audit and Control Association (ISACA).
Specific measures can and should be instituted, such as requiring that a major software vulnerability be fixed within ten days of its identification. If not timely fixed, the company must explain any delay to senior managers and eventually to the board.
The board should ensure that the company has written security standards and practices as well as written breach-response protocols. The appropriate officers or committee, under the board’s supervision, should periodically review and update these.
Oversee reporting systems
Actively monitor corporate performance by ensuring the company maintains reporting systems sufficient to keep the board informed of company risks and business performance. The board should oversee internal investigations, document due diligence, identify the laws of each state in which a breach’s effects are felt and/or whose residents are impacted (such as the Florida Information Protection Act of 2014), reconcile any interstate conflicts of law, and ascertain the proper timing and form to comply with notification requirements.
Company statements, reports, disclosures, and other required SEC filings should cover past breaches, both material and executed as well as immaterial and attempted. Courts consider a failure to disclose cyber incidents a material omission per recent SEC disclosure guidance.
Review your company’s insurance policies to determine the level of existing coverage for cyber attacks. Like other types of insurance, cyber insurance coverage varies in important ways. Typical coverage options include Directors and Officers (D&O), Comprehensive General Liability, and Cyber Insurance Policies.
Assess the company’s cyber security risk profile and valuate potential losses to ensure adequate insurance coverage. Internal costs to cover include business interruption costs, legal expenses, loss of digital assets, and response costs. External costs to cover include third-party damages, credit-monitoring, and customer notification.
Buy or pre-negotiate D&O liability policies to cover damages for claims against directors and officers that may arise from privacy breaches before any cyber attack occurs. The board should consider supplemental insurance specifically for privacy-related liability. Consider counteracting a privacy exclusion by adding qualifying language that covers, for instance, oversight liability or securities claims.
Finally, check the company’s formation documents and insurance policies to ensure maximum protection of directors and officers against personal exposure. Consideration should be given to appropriate drafting of provisions in the company’s governing documents releasing directors and officers from privacy liability and indemnifying them for losses arising from such liability. In certain cases, exculpatory provisions in a company’s corporate charter document or bylaws (to the extent permitted by applicable law) may preclude the bringing of particular types of claims against directors and officers altogether. Lastly, indemnity agreements can provide for advancement of defense costs during litigation and cover any settlements or monetary judgments when the case ends.
James M. Stillwaggon expands firm’s immigration practice, and Luis M. Artime brings general counsel and compliance experience to corporate practice
Miami, Fla., June 05, 2014 – Alvarez Arrieta & Diaz-Silveira, LLP, a prominent South Florida boutique transactional law firm, has announced the addition of two new attorneys, James M. Stillwaggon and Luis M. Artime to continue growing the firm through their significant practice area knowledge and industry experience.
“As a founder of Alvarez Arrieta & Diaz-Silveira, I knew that our long-term success was linked to our client-first approach and our ability to provide world-class legal counsel,” said Pedro (Tony) Alvarez. “Mr. Stillwaggon’s years of immigration practice leadership, and Mr. Artime’s perspective as general counsel for some of America’s most successful companies will be invaluable to our clients. We are thrilled to have them on our team.”
Prior to joining Alvarez Arrieta & Diaz-Silveira, James M. Stillwaggon spent nearly 30 years leading the New York corporate immigration practice for a U.S.-based global law firm. He regularly advised banks, corporations, institutions and high-net-worth individuals on a variety of issues regarding visas, immigration and citizenship. In addition, he has represented individuals in challenging contested removal proceedings.
Mr. Stillwaggon has served as a trustee of the Maternity and Early Childhood Foundation and as a member of the City Bar’s Council on Children. He was appointed to the American Bar Association’s Presidential Working Group on the Unmet Legal Needs of Children, the American Immigration Lawyers Association and is a faculty member at the Center for International Humanitarian Cooperation at Fordham University. At his prior firm, Mr. Stillwaggon led the domestic and international pro bono efforts of the firm.
Mr. Stillwaggon graduated from Villanova University in 1967 and received his J.D. from St. John’s University School of Law in 1974.
Stillwaggon stated, “As a Miami-based firm, Alvarez Arrieta & Diaz-Silveira is uniquely positioned to address the needs of multi-national corporations and individuals. I share their business philosophy and commitment to the community, and I look forward to serving the immigration needs of clients while growing the practice.”
Luis M. Artime has been practicing corporate transactional law for more than 30 years. His experience includes structuring and negotiating complex business transactions, mergers and acquisitions, venture and growth capital investments, commercial contracts, and real estate matters. He was the founding Miami partner for what is now the largest law firm in Florida, where he practiced for more than 19 years. His clients included investors, bankers, entrepreneurs, real estate developers and members of the health care industry.
From there, Mr. Artime transitioned to a decade of in-house legal work, most notably as Senior Associate General Counsel supporting Wal-Mart’s International operations. While there, he was promoted to lead the legal team responsible for supporting all of Wal-Mart’s U.S. stores’ operations. Before joining Wal-Mart, Mr. Artime was the Vice-President and General Counsel for BellSouth International, Inc. BellSouth International was a major wireless telephony operator in Latin America and Israel. Mr. Artime’s experience as corporate counsel included an extensive
In addition, he served as the Senior Vice-President and General Counsel of AHI Healthcare Systems, Inc., where he assisted the healthcare management company with its Initial Public Offering. Most recently, Mr. Artime was Global General Counsel and Chief Compliance Officer for Brightstar Corp., a global wireless telecommunication distribution and solutions company.
Mr. Artime graduated from Fordham University in 1973 and received his J.D. from the University of Pennsylvania Law School in 1976. Artime stated, “As a former general counsel, I understand the corporate legal environment, and know that working with the right advisers can make a huge difference in forwarding business growth while also protecting company interests. Today’s complex business environment requires that corporate clients invest significant time and resources to ensure compliance. I look forward to strengthening this practice at Alvarez Arrieta & Diaz-Silveira.”
Wind power project the largest in Central American and Caribbean Region
Miami, Fla., May 6, 2014 – Alvarez Arrieta & Diaz-Silveira LLP (AADSLAW), a South Florida-based corporate and transactional boutique law firm, has assisted its client, InterEnergy Holdings, a holding company that owns and operates power generation and distribution assets in Latin America and the Caribbean, in its investment in what is expected to be the largest wind power project in the Central American and Caribbean regions.
InterEnergy agreed with Unión Eólica Panameña S.A. to invest in a wind power project located in Penonomé, Panama. With 215MW of total aggregate capacity and a total project investment of US $427 million, the project is expected to eliminate more than 400,000 tons of CO2 emissions and save nearly 900,000 barrels of oil per year when completed.
“This project’s interface risk was particularly complex because it involved negotiations with three contractors, as opposed to a single engineering, procurement and construction provider,” stated founding Partner Pedro “Tony” Alvarez. “This transaction demonstrates our firm’s strength in the renewable energy sector, and I commend the knowledgeable counsel provided by my colleagues.”
In addition to assisting InterEnergy execute its agreement with Unión Eólica Panameña S.A., the firm assisted InterEnergy’s negotiations with Goldwind USA on the turbine supply agreement for the project; with Instalaciones y Servicios Codepa, S.A. on the balance of plant agreement for the project; and with Tree Logistics on the turbine equipment transportation and logistics agreement. Further to advising its client on the investment and project development matters, the firm also assisted InterEnergy in connection with a related $100 million bridge credit facility to partially finance the project. Banco Espirito Santo de Investimento, SA acted as mandated lead arranger and book runner for the credit facility. Construction for the project, which has already commenced, is expected to be completed in April 2015.
The Alvarez Arrieta & Diaz-Silveira team included Partners Pedro Alvarez, Aracely Alicea and Lauren Hunt, assisted by Associates Colleen Grady and Brian Canida. Attorney Sandra Warren consulted with the firm on the equipment supply agreement with Goldwind USA.
Miami, Fla., January 08, 2014 – Alvarez Arrieta & Diaz-Silveira LLP (AADS), a leading South Florida boutique corporate and real estate transactional law firm, announced the promotion of founding associate, Aracely Alicea, to the position of partner.
“From the beginning, we knew that having Aracely with us would be essential to the long-term success of Alvarez Arrieta & Diaz-Silveira,” said Partner Pedro “Tony” Alvarez. “Her client-first approach, dedication to providing superior legal services and creative legal thinking sets her apart from her peers, and I’m so glad she chose to work with us at our founding. Today, no one could be more deserving of this promotion.”
Ms. Alicea focuses on international and domestic transactions and has represented clients with business and investment interests in Florida, Puerto Rico and other jurisdictions in the United States, Latin America and the Caribbean. Her legal experience includes mergers and acquisitions, joint ventures, asset-backed financings, bank transactions and general corporate and commercial advisory matters. She regularly represents investors, entrepreneurs and start-up companies in the areas of technology, renewable energy and other green industries. Most recently, her work with a Miami-based technology services company that provides turnkey solutions for stored value account and prepaid card services has set her apart in a cutting-edge segment of the market – the rapidly evolving payment technology solutions field.
Aracely is a member of the Business Law Section of the Florida Bar, as well as a member of the American Bar Association and its Business Law Section and Young Lawyers Division. She provides corporate/transactional pro bono legal services for local not-for-profit organizations, such as the Miami Children’s Museum and Catalyst Miami, and has supported the United Way of Miami-Dade as a Young Leader. She currently holds a leadership position with the Junior League of Miami (JLM), a women-focused educational and charitable organization; and serves as a member of the Board of Directors for Catalyst Miami, a non-profit organization advancing civic engagement in Miami. In addition, she is involved with the Brown Club of Miami, her alma mater’s local alumni organization.
“In joining Alvarez Arrieta & Diaz-Silveira, I chose to work with a team of people who inspire and challenge me professionally as well as allow me the flexibility to be the community-focused attorney that has always been my passion,” stated Ms. Alicea. “I am very proud that our firm is known for providing exceptional legal services, and I look forward to growing the corporate practice while furthering the firm’s presence and positive impact in the South Florida community.”
Prior to joining AADS, Aracely practiced in the Miami office of a global New York-based law firm where she represented private and public entities in both complex transactions and routine business law issues. She also previously practiced at a highly regarded Florida firm where she had the opportunity to focus on bank transactions and regulatory matters affecting the banking industry.
Aracely graduated from Brown University with a B.A. in Public Policy and American Institutions in 2000. She received her J.D., magna cum laude, in 2007 from the University of Miami School of Law where she was inducted into the Order of the Coif. She is fluent in both Spanish and English and is admitted to the practice of law in the State of Florida.
Miami, Fla., June 5, 2013 – Alvarez Arrieta & Diaz-Silveira, LLP, a leading South Florida boutique corporate-transaction law firm, continues to expand with the addition of a Private Client practice, which includes estate and wealth preservation planning, led by Partner Blas Cueto. In addition, Erik Christensen has joined the firm as an associate and will provide corporate transaction legal services.
Prior to joining Alvarez Arrieta & Diaz-Silveira, Blas practiced with a prominent boutique estate planning firm located in Miami, where he assisted both domestic and international clients in implementing their estate planning and taxation strategies. Blas advises clients and their families on a host of issues, specializing in estate planning, business succession planning, wealth preservation, estate and trust administration, and the implementation of meaningful charitable giving plans; including the establishment of not-for-profit entities, foundations and charitable trusts.
“Thoughtful estate planning is so much more than the distribution of assets,” said Blas Cueto. “It is the opportunity to define a legacy and establish a path forward for businesses, employees, families and charitable organizations. I believe my area of expertise is a perfect complement to the great work being done at Alvarez Arrieta & Diaz-Silveira, and I look forward to better serving our clients through expanded legal services.”
Blas earned his LL.M. in Estate Planning from the University of Miami School of Law in 2004. In 2003, he received his J.D. from the University of Florida, and was admitted to the Florida Bar the same year. During law school, Blas served as executive managing editor of the Florida Journal of International Law, and was an active member of the Spanish-American Law Students Association and the Law School Ambassadors Program. He graduated from the University of Miami in 2000 with a Bachelor of Business Administration in Finance. In addition to the Florida Bar, Blas is a member of the Dade County Bar Association and the Cuban-American Bar Association. He serves as class delegate for the Belen Jesuit Alumni Association and is a part of the Belen Jesuit Alumni Association Lawyers Section. Blas is also the past president of Business Networking International and was honored for his leadership winning the Most Valuable Member Award for the chapter in 2012. He was also recently recognized as a Florida Super Lawyers Rising Star.
“As we grow our practice, we look for top-caliber attorneys who possess the same commitment to personalized and cost-effective counsel,” stated Alejandro Arrieta. “We are thrilled to have Blas and Erik join our team and offer expanded legal services to our clients.”
Erik Christensen has a wide range of experience that includes legal work on international and domestic transactions, mergers and acquisitions, debt and equity offerings, securities and bank regulatory filings, private equity and joint venture investments as well as corporate finance and project finance matters.
Prior to joining Alvarez Arrieta & Diaz-Silveira, Erik was an associate at Sullivan & Cromwell LLP in New York, where he supported the Financial Institutions and Corporate Finance practices. Prior to law school, Erik negotiated broadcast media agreements for the National Basketball Association.
Erik is a member of the New York State Bar Association and New York City Bar Association, and has been actively involved in voter protection initiatives in South Florida’s Miami-Dade and Lee Counties. He is also a past director of Community Legal Services of East Palo Alto. Erik graduated from Dartmouth College in 2002, magna cum laude, with a B.A. in Russian Language. He received his J.D. in 2008 from Stanford Law School where he was the co-editor in chief of the Stanford Journal of International Law and a U.S. Department of Education Foreign Language and Area Studies fellow. Erik is fluent in English and Russian, and is admitted to the practice of law in the State of Florida and the State of New York.