Automobile & Other Motor Vehicle Businesses Must Prepare For New FTC Rules


Automobile and other impacted motor vehicle sellers and related businesses should begin preparations to comply with a recently proposed Federal Trade Commission (“FTC”) consumer protection rules targeting certain motor vehicle seller’s marketing, sales, leasing and financing practices proposed in the recently published FTC Motor Vehicle Dealers Trade Rule Notice of Proposed Rulemaking (“Proposed Rule”) as well as submit any relevant comments on the Proposed Rule by the September 12, 2022 comment deadline.

If adopted as currently proposed, the Motor Vehicle Dealers Trade Rules would impose substantial new compliance, training and documentation requirements automobile and other vehicle businesses.  Among other things, the Proposed Rule will:

  • Prohibit motor vehicle dealers from making certain misrepresentations in the course of selling, leasing, or arranging financing for motor vehicles;
  • Require “accurate pricing disclosures” in dealers’ advertising and sales discussions;
  • Require dealers to obtain consumers’ express, informed consent for charges;
  • Prohibit the sale of any add-on product or service that confers no benefit to the consumer; and
  • Require dealers to keep specified records of advertisements and customer transactions.

The Commission says the Proposed Rule is needed to protect service members and other consumers against “unscrupulous auto dealers” using “payment packing” (slipping unwanted add-ons into a purchase agreement), bait-and-switch tactics, extra junk fees and other unscrupulous and predatory auto sales practices.  To combat these practices, the Proposed Rule would:

  • Ban bait-and-switch claims: The proposal would prohibit dealers from making a number of deceptive advertising claims to lure in prospective car buyers such as the cost of a vehicle or the terms of financing, the cost of any add-on products or services, whether financing terms are for a lease, the availability of any discounts or rebates, the actual availability of the vehicles being advertised, and whether a financing deal has been finalized, among other areas. Once in the door or on the hook, consumers face the fallout of false promises that don’t pan out.
  • Ban fraudulent junk fees:  The proposal would prohibit dealers from charging consumers junk fees for fraudulent add-on products and services that provide no benefit to the consumer (including “nitrogen filled” tires that contain no more nitrogen than normal air).
  • Ban surprise junk fees: The proposal would prohibit dealers from charging consumers for an add-on without their clear, written consent and would require dealers to inform consumers about the price of the car without any of optional add-ons.
  • Require full upfront disclosure of costs and conditions: The proposal would require dealers to make key disclosures to consumers, including providing a true “offering price” for a vehicle that would be full price a consumer would pay, excluding only taxes and government fees. It would also require dealers to make disclosures about optional add-on fees, including their price and the fact that they are not required as a condition of purchasing or leasing the vehicle, along with disclosures to consumers with key information about financing terms.
  • Recordkeeping Requirements.  Require dealers to maintain specific records of marketing, sales and leasing and other activities.
  • Authorize FTC Recoveries.  The proposed rule also would allow the Commission to recover money when consumers are misled or charged without their consent.

Dealers impacted by the Proposed Rules should anticipate that the Proposed Rule, if adopted as proposed, the Proposed Rule will require significant changes in their marketing, sales, disclosure, recordkeeping, training and compliance practices.

Dealers concerned about the scope and burden of these proposed requirement should consider submitting well-reasoned comments on the Proposed Rule before the September 12, 2022 comment deadline.  Pending the finalization of the Proposed Rule, dealers should keep in mind that significant risk already arises from the enforcement of existing laws against perceived abuses in motor vehicle marketing, sales and leasing, financing and other business practices by the Commission, state regulators and private litigants.  Consequently, in addition to preparing to comply with the Proposed Rules when adopted, dealers should review and tighten their current practices to minimize their already existing exposures from lax or overreaching practices.

The Proposed Rule and related automobile marketing and sales consumer protection efforts is only one of a plethora of stepped up regulatory and consumer protection initiatives targeting a broad range of industries and practices the FTC currently is pursuing. All organizations and their leaders should review and monitor these FTC activities and take the appropriate documented steps to ensure that their organizations practices are updated and backed by compliance and risk management programs and practices with the necessary internal and external controls, governance and oversight to monitor and maintain compliance and identify and respond to new requirements and incidents with appropriate process, intervention and documentation to defend compliance and mitigate other cyber-related risks for their organizations, their investors and their leaders.

More Information

We hope this update is helpful. For more information about or assistance with these or other workforce, internal controls and compliance or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of  management work, public policy leadership and advocacy, coaching, teachings, and publications on workforce, compliance and other management related performance, risk management, compliance, governance, crisis, regulatory and public policy and operational concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with private and public companies of all types and sizes, health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  In the course of this work, she has had extensive involvement in the design, administration and defense of payroll, employee benefit, insurance, securities, lending, occupational injury, trade secret and other confidential information and other internal and external record and data systems and processes as well as investigation, reporting, redress and mitigation of a host of industry and operation specific internal and external compliance, risk management and operations concerns.

As a part of this work, she also has worked closely with automobile and other retailers and wholesalers, banks and other finance, real estate, health care, insurance, manufacturing, technology and data, advertising and marketing and a host of other highly regulated businesses, their leaders, investors, creditors, employee benefit plans, consultants to design, administer and defend a broad array of industry and operation-specific internal and external compliance, risk management, governance and other controls and practices as well as to anticipate and respond to federal and state legislative, regulatory, investigatory and enforcement including the Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; private litigation and other enforcement.

Ms. Stamer also has decades of leadership experience in a wide range of professional, civic and community organizations including service as incoming American Bar Association (ABA) International Section Life Sciences Committee Chair, continuing ABA Intellectual Property Section Law Practice Management Committee Chair, Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, incoming ABA TIPS Medicine & Law Committee Chair-Elect, returning incoming RPTE Law Practice Management Chair and Welfare Benefit Committee Co-Chair and former Chair of its Fiduciary Responsibility, Plan Terminations and Distributions and Defined Contribution Plan Committees, a former JCEB Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former SHRM Consultants Board and Region IV Chair, former Texas Association of Business Board, BACPAC Board and Dallas Chapter Chair, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas.

Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE:   These statements and materials are for general informational and purposes only. They do not establish an attorney-client relaationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at any time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any situation and does not necessarily address all relevant issues. Because developments could impact the currency and completeness of this discussion, the author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.  Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.  Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. ©2022 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Posted in Board of Directors, Compliance, Internal Controls, marketing, Performance Management, Risk Management, Uncategorized | Tagged , , , , , , , , | Leave a comment

Texas Supreme Court Extends Special COVID-19 Landlord-Tenant Eviction Rules


The Texas Supreme Court’s Fiftieth Emergency Order Regarding the COVID-19 State of Disaster (50th Order”) published today (April 20, 2022) reissues the judicial relief and procedures previously in effect under its Forty-Eighth Emergency Order (Misc. Dkt. No. 22-9015) in light of the U.S. Department of Treasury’s allocation of additional rental assistance funds to the Texas Department of Housing and Community Affairs (“TDHCA”) for the Texas Eviction Diversion Program.

Under the 50th Order, any Texas action for eviction to recover possession of residential property
under Chapter 24 of the Texas Property Code and Rule 510 of the Texas Rules of Civil
Procedure based, in whole or part, on the nonpayment of rent must comply with additional requirements and procedures beyond those typically required for residential convictions in the absence of the COVID-19 health care emergency.

Review the requirements of the 50th Order here.

Landlords and tenants contemplating or dealing with eviction or unpaid rent enforcement should review and follow these orders carefully.

More Information

For additional information about the requirements or concerns discussed in this article, republication or other related matters, please contact the author, employment lawyer Cynthia Marcotte Stamer via e-mail, via telephone at (214) 452 -8297 or on LinkedIn.

Solutions Law Press, Inc. invites you to receive future updates by registering here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for management work, coaching, teachings, and publications.

Well-known for her extensive work with health and life sciences, insurance, employee benefits, health and other insurance, financial services, technology, energy, manufacturing, retail, hospitality, government contractors, governmental and other highly regulated employers, her more than 30 years’ of experience encompasses domestic and international businesses of all types and sizes.

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with all aspects for workforce and human resources, employee benefits, daily performance and operations management, internal controls, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other concerns by her service as a management consultant, business coach and consultant and policy strategist as well through her leadership participation in professional and civic organizations.

Ms. Stamer also is a widely published author, highly popular lecturer, and serial symposia chair, who publishes and speaks extensively on human resources, labor and employment, employee benefits, compensation, occupational safety and health, and other leadership, performance, regulatory and operational risk management, public policy and community service concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications. For additional information about Ms. Stamer, see CynthiaStamer.com, her LinkedIn Profile or e-mail her directly.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources at SolutionsLawPress.com including the following:

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2022 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™   For information about republication, please contact the author directly.  All other rights reserved.

Posted in COVID, landlord tenant, Uncategorized | Tagged , , | Leave a comment

SEC Proposed Cybersecurity Rules Reenforce Tighten Requirements & Highlight Imperative For Market Involved & Influencing Businesses & Leaders To Clean Up Cybersecurity Practices & Disclosures


Public companies and other market participating or influencing companies and their leaders should begin preparing to comply with enhanced cybersecurity risk management, disclosure, strategy, governance and incident reporting and response requirements of a Proposed Rule the Security and Exchange Commission (“SEC”) published in today’s (March 9, 2022) Federal Register.  Published on the heels of the SEC’s announcement of plans to hold public companies and their leaders accountable for lax cybersecurity risk management and disclosure, the SEC’s promotion of the Proposed Rule is one of a growing series of SEC and other federal agency initiatives ratcheting up responsibilities and legal liability risks of organizations and their executives in the face of growing cybersecurity threats. In the face of these rising risks, public companies and their leaders should move promptly to conduct documented assessments of the adequacy of their existing cybersecurity safeguards, risk assessments and breach detection and response practices within the protective scope of attorney-client privilege as soon as possible considering the requirements of the Proposed Rule and other rapidly evolving rules, precedent and cyberthreats.  Meanwhile, individuals and organizations wishing to comment on the Proposed Rule should submit their comments as soon as possible and no later than May 8, 2022, which is the last day of the 60-day comment period established in the Proposed Regulation.

Cybersecurity Risks & Responsibilities Of Companies & Their Leaders Rising

With cybersecurity threats and compliance concerns growing, the SEC is prioritizing cybersecurity investigation and enforcement against public companies and other market participants for lack cybersecurity governance, safeguards or disclosures.  See e.g., SEC Office of Compliance Inspections and Examinations Cybersecurity and Resiliency Observations.  Along announcing its commitment to hold market involved and impacting regulated entities accountable for failing to maintain and enforce appropriate internal and external controls to prevent, detect and redress cybersecurity threats, including appropriate board governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, training and awareness, investor disclosures and other practices.

Beginning in 2019, the SEC strengthened its warnings to public companies and other market involved and influencing organizations and has begun more aggressively investigating and pursuing enforcement against companies that fail to fulfill their SEC cybersecurity obligations. As public companies and investor losses from data breaches, malware and other cybersecurity have continued, taken enforcement action against various public companies that experienced significant drops in stock value due to malware, data breach or other cybersecurity incidents.  See here.  For instance, in August, 2021, London-based educational publishing giant Pearson plc, agreed to pay $1 million to settle SEC charges that it had inadequate cybersecurity disclosure controls and procedures and made misleading statements and omissions about the 2018 data breach involving the theft of student data and administrator log-in credentials of 13,000 school, district and university customer accounts. In its semi-annual report, filed in July 2019, Pearson referred to a data privacy incident as a hypothetical risk, when, in fact, the 2018 cyber intrusion already had occurred.  Also in a July 2019 media statement, Pearson stated that the breach may include dates of births and email addresses, when, in fact, it knew that such records were stolen, and falsely that Pearson had “strict protections” in place, when, in fact, it failed to patch the critical vulnerability for six months after it was notified. The media statement also omitted that millions of rows of student data and usernames and hashed passwords were stolen. The SEC order further found that Pearson’s disclosure controls and procedures were not designed to ensure that those responsible for making disclosure determinations were informed of certain information about the circumstances surrounding the breach and that Pearson waited to inform investors about the breach until after contacted by the media.  After the SEC issued an order that found Pearson violated Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Exchange Act of 1934 and Rules 12b-20, 13a-15(a), and 13a-16 thereunder, without admitting or denying the SEC’s findings, Pearson agreed to cease and desist from committing violations of these provisions and to pay a $1 million civil penalty.

Until recently, these cybersecurity enforcement actions focused primarily on entities.  Last summer, however, the SEC announced that along with continuing its enforcement against public companies and other market involved and impacting companies for cybersecurity deficiencies, it now intends to purse enforcement against officers, directors or other leaders of companies that allow these deficiencies.  Coincident with this announcement, the SEC made good on its promise to prosecute individual leaders by suing leaders of three companies accused of violating SEC cybersecurity controls, governance, and disclosure rules..  See, e.g., SEC Announces Three Actions Charging Deficient Cybersecurity Procedures.

Newly Proposed SEC Cybersecurity Rule Clarifies Expectations, Facilitates Noncompliance Enforcement Against Public Companies & Leaders

The SEC publication of the Proposed Rule both reenforces its prior cybercompliance warnings and adds more teeth to the SEC’s efforts to monitor, investigate and enforce its rules against market involved and impacting regulated entities and their leaders that fail to fulfill their cybersecurity obligations.

The “clarifications” in the Proposed Rule define minimum expectations for public company management and disclosures to investors about their cyber risk management, strategy, and governance and requiring public companies to notify investors of material cybersecurity incidents very quickly.

Among other things, the Proposed Rule will require that public companies:

  • Amend Form 8-K to require registrants to disclose information about a material cybersecurity incident within 4 business days after the registrant determines that it has experienced a material cybersecurity incident;
  • Add new Item 106(d) of Regulation S-K and Item 16J(d) of Form 20-F to require registrants to provide updated disclosure relating to previously disclosed cybersecurity incidents and to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents has become material in the aggregate; and
  • Amend Form 6-K to add “cybersecurity incidents” as a reporting topic.

The Proposed Rule also will require enhanced and standardized disclosure about public company cybersecurity risk management, strategy, and governance by:

  • Adding Item 106 to Regulation S-K and Item 16J of Form 20-F to require a registrant to:
  • Describe its policies and procedures, if any, for the identification and management of risks from cybersecurity threats, including whether the registrant considers cybersecurity as part of its business strategy, financial planning, and capital allocation; and
  • Require disclosure about the board’s oversight of cybersecurity risk and management’s role and expertise in assessing and managing cybersecurity risk and implementing the registrant’s cybersecurity policies, procedures, and strategies; and
  • Amending Item 407 of Regulation S-K and Form 20-F to require disclosure regarding board member cybersecurity expertise including disclosure in annual reports and certain proxy filings if any member of the registrant’s board of directors has expertise in cybersecurity, the name(s) of any such director(s) and any detail necessary to fully describe the nature of the expertise; and
  • Requiring public companies present the cybersecurity disclosures in Inline eXtensible Business Reporting Language (Inline XBRL).

Given the SEC’s announced cybersecurity priorities, most commentators expect the SEC to move promptly to implement the Proposed Rule after the comment period ends on May 8. If these expectations prove true, market participating and influencing entities and their leaders already at risk under preexisting enforcement priorities will have to move quickly to clean up their compliance and fulfill their new responsibilities.

Managing existing risks and meeting these new requirements will be complicated by the need or advisability for many of the impacted public companies and their leaders to consider and appropriately address longstanding and newly expanding SEC and other cybersecurity exposures and disclosures.  Aside from meeting the particulars of the new requirements going forward, companies also should be prepared to address preexisting cybersecurity exposures under existing SEC and other laws, regulations and contracts.

In conducting these activities, organizations and their leaders should keep in mind that their SEC cybersecurity obligations and exposures include both SEC specific new and unresolved historical obligations as well as cybersecurity risks arising from other operational, contractual and regulatory sources.

Federal electronic crimes, the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act (“FACTA”), the Internal Revenue Code, and a plethora of other federal and state laws long have required or made highly advisable that organizations and their leaders include appropriate cybersecurity governance, security, breach detection and response, disclosure and mitigation obligations in their Federal Sentencing Guideline or other organizational compliance programs.

To adequately fulfill the SEC expectations, corporations and their leaders generally also will need to assess compliance, controls and exposures considering other cybersecurity duties and risks from key components of public company and other organizations’ operations, heightened exposures to private litigation, audits, investigations and enforcement and other cybersecurity responsibilities and risks subsumed within their public company and employee benefit plan operations.  See e.g., New DOJ Civil Cyber-Fraud Initiative Pressures Federal Contractors & Grant Recipients To Tighten Cybersecurity Controls, Training & Other Safeguards ;Federal Agencies Take Aim At Businesses, Benefit Plan Fiduciaries & Service Providers & Others With Lax Cybersecurity & CyberBreach Compliance; Build Defenses By Strengthening Internal & External Controls & Risk Management; HIPAA & ERISA Fiduciary Rules Drive Imperative To Protect Health Plan Data & Systems From Hacking & Other Cyber Threats; Check Up Updated FinCEN Advisory on Ransomware For Opportunities To Strengthen Defenses; Raise Cybersecurity & Cyberbreach Compliance & Risk Management To Defend Against Rising Cyber Regulatory & Enforcement Risks; DOJ Civil Cyber-Fraud Initiative Pressures Federal Contractors & Grant Recipients To Tighten Cybersecurity Controls, Training & Other Safeguards.

As the conduct of the compliance and risk assessments necessary to evaluate and determine actions required or recommended in response to the emerging SEC and other cybersecurity obligations and risks could uncover and involve discussions of obligations and options for responding to known or suspected past or existing noncompliance risks, organizations and leaders should conduct their audit and analysis to the extent possible with the guidance of and within the scope of attorney-client privilege.

As part of these efforts, organizations and their leaders should move quickly to position themselves to defend against potential investigation and enforcement risks created by these emerging policies. These efforts should seek to ensure compliance with all applicable statutory, regulatory and contractual requirements as well as institutionalize the necessary operational controls to protect systems, data and operations from cyber breaches and other threats, to detect and redress cyber events promptly, and to ensure that the organization otherwise can demonstrate both their compliance efforts, as well as their timely prudent detection, investigation, reporting, mitigation and remediation in response to actual or suspected cyber threats or other compliance breaches.

Efforts should begin by taking carefully crafted, well-documented documented steps to prudently evaluate and strengthen  cybersecurity and breach safeguards and compliance, as well as prudently to assess and verify those of their vendors and others involved with their employee benefit plans or their administration within the scope of attorney-client privilege.

Assessments should take into account all existing required statutory, regulatory, and contractual controls and practices, documentation and other procedures.  In addition, organizations should consider the advisability of adopting other “best practice” safeguards or actions taking into account relevant agency guidance and resources,  government or other contracts, other industry or related standards, known and suspected breaches, “red flags” and threats, their own, their vendor and business partner and other risk profiles and experience, and other factors likely to be viewed as prudent under the circumstances.

In assessing, designing and administering the cybersecurity processes, organizations and their leaders should give due attention to assessing and addressing the adequacy of their internal and external controls to ensure the adequacy of their systems, processes, oversight and response practices and capabilities as of the time of the assessment and on an ongoing basis.  Beyond establishing required policies and formal controls, organization should ensure that their organizations have in place the necessary policies and practices to monitor and control cyberthreats arising from conduct and risks created by employees and other internal workforce, vendors and other parties interacting with the business and its operations.  As part of these efforts, most organizations will need to evaluate their contractual obligations and requirements for vendors, suppliers and others interacting with their businesses. Beyond general contractual compliance obligations, organizations should weigh requiring contractors, suppliers and other business partners to make specific commitments to maintain and monitor compliance and other risks, to provide timely notice and reports, to cooperate with audits and investigations necessary or advisable to respond to private or government complaints, government or other investigation, reporting or other requirements, their own compliance and risk assessments, audits and investigations and other compliance and risk management efforts.  Organizations also should give careful attention and review the adequacy of protections and responsibilities arising from contractual cybersecurity and breach notice, investigation, cooperation, indemnification,  insurance and other associated protections and cooperation.

Organizations also should consider establishing and administering processes for independent monitoring of regulatory, news, and other reports that could provide early warning of potential cybersecurity weaknesses, threats and breaches.

All processes should include appropriate governance, oversight and reporting to provide for ongoing monitoring and oversight necessary to identify and respond to evolving risks arising in the course of their operations as well as consistent practices for carefully documenting their compliance and risk management compliance efforts.

Because of the frequently high cost of breach investigation, response and mitigation, most organizations will want to consider securing cyber liability or other coverage, require vendors and other business partners to provide cyber liability indemnifications backed up with insurance or other adequate assurance of their ability to fulfill these financial responsibilities.

Organizations and their leaders also should ensure that their compliance programs are backed up with appropriate governance and oversight to monitor and maintain compliance, address emerging issues and identify and respond to new requirements and incidents with appropriate process and documentation to defend compliance and mitigate other cyber-related risks for their organizations, their investors and their leaders.

More Information

We hope this update is helpful. For more information about or assistance with these or other workforce, internal controls and compliance or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, and author of the “Medical Privacy” Chapter in the BNA/ERISA Litigation Treatise, the “Other Torts Chapter” in the BNA/ABA E-Heath & Other Torts Treatise, “Privacy and the Pandemic Workshop” for the Association of State and Territorial Health Plans, as well as a multitude of other highly regarded data privacy and security, workforce and health care change and crisis management and other highly regarded publications and presentations, Ms. Stamer is widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with private and public companies of all types and sizes, health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  In the course of this work, she has had extensive involvement in the design, administration and defense of payroll, employee benefit, insurance, securities, trade secret and other confidential information and other internal and external record and data systems and processes as well as investigation, reporting, redress and mitigation of cyber and other incidents.

As a part of this work, she has continuously and extensively worked with domestic and international health and other employee benefit plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.  She also has extensive experience dealing with OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, current RPTE Welfare Benefit Committee Co-Chair and former Chair of its Fiduciary Responsibility, Plan Terminations and Distributions and Defined Contribution Plan Committees, a former JCEB Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former SHRM Consultants Board and Region IV Chair, former Texas Association of Business Board, BACPAC Board and Dallas Chapter Chair, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas.

Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE:   These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at any time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any situation and does not necessarily address all relevant issues. Because developments could impact the currency and completeness of this discussion, the author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.  Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.  Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. ©2022 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Posted in Uncategorized | Leave a comment

Check Up Updated FinCEN Advisory on Ransomware For Opportunties To Strengthen Defenses


The Department of Treasury Financial Crimes Enforcement Network (FinCEN) updated its 2020 advisory on ransomware and the use of the financial system to facilitate ransom payments on November 8 to add financial red flag indicators of ransomware-related illicit activity to assist financial institutions in identifying and reporting suspicious transactions associated with ransomware payments, consistent with their obligations under the Bank Secrecy Act.   The updates also adds information released by FinCEN in its recent Financial Trend Analysis discussing current trends and typologies of ransomware and associated payments as well as recent examples of ransomware attacks.  FinCEN hopes the updates will help disrupt criminal ransomware actors.

The updated information comes when financial organizations and other businesses face growing legal and business pressures to shore up ransomware and other cyber security safeguards to defend against the business risks associated with the rising tide of ransomware and other cybersecurity threats and heightened legal risks organizations and their leaders face from heightened regulatory responsibilities and and enforcement initiatives recently announced by the Biden-Harris Administration in an effort to get organizations to shore up defenses against these threats.

Government Contractors False Claims Act Risks

For instance, on October 6, 2021, Deputy Attorney General Lisa O. Monaco announced plans to civilly prosecute federal government contractors that fail to follow required cyber security standards under the False Claims Act under a new Civil Cyber-Fraud Initiative to be led by DOJ’s Civil Division’s Commercial Litigation Branch, Fraud Section.  See e.g., New DOJ Civil Cyber-Fraud Initiative Pressures Federal Contractors & Grant Recipients To Tighten Cybersecurity Controls, Training & Other SafeguardsMay 12, 2021 Executive Order on Improving the Nation’s CybersecurityJuly 28, 2021 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.

Under the Civil Cyber-Fraud Initiative, DOJ plans to use the False Claims Act to prosecute pursue cyber security related fraud by government contractors and grant recipients.  According to DOJ, the initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cyber security products or services, knowingly misrepresenting their cyber security practices or protocols, or knowingly violating obligations to monitor and report cyber security incidents and breaches. Federal contractors and grant recipients submitting claims for federal funds will be considered to have filed a false claim in violation of the False Claims Act if their cyber security and cyber breach practices are not compliant with applicable federal requirements when the payment is requested.

Federal Health Program Participating Health Care Providers And Plans. 

The DOJ Cyber-Fraud Initiative follows a similar interpretation of the Department of Health & Human Services (“HHS”) Office Inspector General (“OIG”) about the cybersecurity and cyberbreach compliance requirements health care providers and health plan issuers participating in Medicare and certain other federally funded health care programs (“Medicare Participating Providers”) are accountable to meet under the Conditions of Participation for those programs.  HHS OIG’s construction of these Conditions of Participation as including cybersecurity and cyberbreach compliance signs that Medical Participating Providers with deficient cybersecurity practices now may risk program disqualification and False Claims Act liability along with their already well-known exposure to civil monetary penalties under the Health Insurance Portability & Accountability Act (“HIPAA”) protected health information privacy, security and data breach rules.

Health & Other Employee Benefit Plans & Their Fiduciaries

Health plans and other employee benefit plans, their fiduciaries, record keepers and service providers also face growing cybersecurity responsibilities and risks.  While HHS Office of Civil Rights (“OCR”) continues to clarify and expand its interpretation, investigation and enforcement of HIPAA privacy, security and data breach rules against health plans, health care providers, health care clearinghouses and their business associates, the Department of Labor Employee Benefit Security Administration is turning up the heat on employee benefit plan fiduciaries to prudently protect their employee benefit plan assets and participants against cyberthreats.

On April 14, 2021, the Department of Labor Employee Benefit Security Administration (“EBSA”) made official its interpretation of the duty of prudence applicable to employee benefit plan fiduciaries under Section 404 of the Employee Retirement Income Security Act (“ERISA”) includes a duty for ERISA-covered employee benefit plan fiduciaries to take “appropriate precautions” to mitigate risks to plan participants and assets from both internal and external cybersecurity threats. The April 14 announcement makes official EBSA’s interpretation of the duty of prudence applicable to fiduciaries of ERISA-covered employee benefit plans as extending to a duty to act prudently to safeguard plan assets and plan participants against cybersecurity threats.

Concern about cyberthreats to private employee benefit plans covered by ERISA, their participants and beneficiaries has soared as massive data breaches  Federal Thrift Savings PlanAnthemCapital One,  the Public Employees Retirement Association of New Mexico and other employee benefit plans, their vendors and service providers increasingly have impacted millions of employee benefit plans, their accounts and participants.

While Congress chose to subject health plans to the detailed health privacy, security and breach rules of HIPAA and financial and certain other employee benefit plan service providers to consumer financial disclosure and data information security requirements of laws like Gramm-Leach-Bliley Act and the Fair and Accurate Credit Transactions Act, and even employers and others conducting background and other credit checks to the  Fair Credit Reporting Act, growing awareness of the cyberthreat to employee benefits has not prompted Congress to date to extend those laws or otherwise to enact express statutory requirements for employee benefit plans and their fiduciaries.  However, private litigants and others increasingly have speculated that a fiduciary duty to safeguard plan asset against cyberthreats might be subsumed in the obligation of fiduciaries under Section 404 of ERISA at all times to act with “the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims.” See, e.g., See Record $16M Anthem HIPAA Settlement Signals Need to Tighten Your Health Plan HIPAA Compliance & Risk Management.

While EBSA has worked to formulate its recently announced positions, private litigants increasingly have begun debating the applicability and effect of ERISA on cyberbreaches involving ERISA regulated plans.  See e.g., In re Anthem, Inc. Data Breach Litig., No. 15-CV-04739-LHK, 2015 WL 7443779, at *1 (N.D. Cal. Nov. 24, 2015)(holding Anthem entitled under ERISA to remove claims to federal court and refusing employee benefit plan participants’ motion to remand to state court state claims arising from data breach); In re Anthem, Inc. Data Breach Litig., No. 15-MD-02617-LHK, 2016 WL 3029783 (N.D. Cal. May 27, 2016)(refusing to dismiss participant claims against non-Anthem defendants for lack of standing), motion reconsideration denied In re Anthem, Inc. Data Breach Litig., No. 15-CV-04739-LHK, 2016 WL 324386 (N.D. Cal. Jan. 27, 2016); Bartnett v. Abbott Lab’ys, No. 20-CV-02127, 2021 WL 428820, at *5 (N.D. Ill. Feb. 8, 2021) (dismissing breach of fiduciary duty claim based on inadequate evidence); In re: Premera Blue Cross Customer Data Sec. Breach Litig., No. 3:15-MD-2633-SI, 2017 WL 539578, at *21 (D. Or. Feb. 9, 2017). While mostly unsuccessful to date for procedural or factual sufficiency reasons, the preemption issues argued in many of these cases support concerns that under the proper circumstances ERISA could apply to breaches involving plans or their participants.  As these and other actions continue to wind their way through the courts, EBSA also has begun to acknowledge that ERISA plan fiduciaries duties of prudence include cybersecurity responsibilities.

EBSA’s first official recognition of a cybersecurity responsibility by plan fiduciaries appears in the Default Electronic Disclosure by Employee Pension Benefit Plans Under ERISA Final Rule (the “Electronic Disclosure Rule”), which took effect July 27, 2020 . In the discussion of its requirements regarding website-based electronic disclosures in Subpart (e)(3), the Electronic Disclosure Rule requires that “[T]he administrator must take measures reasonably calculated to ensure that the website protects the confidentiality of personal information relating to any covered individual.”  Similarly, the requirements for using e-mail to provide electronic disclosures in Subsection (k)(4) of the Electronic Disclosure Rule require the plan administrator to take “measures reasonably calculated to protect the confidentiality of personal information relating to the covered individual.”  While recognizing these cyber security responsibilities in the Electronic Disclosure Rule, however,  EBSA explained in the Preamble to the Electronic Disclosure Rule that it decided not to include more cumbersome cybersecurity requirements in the Electronic Disclosure Rule out of concern over the cost and other burdens of such requirements.  Nevertheless, the Electronic Disclosure Rule imposed a responsibility by plan fiduciaries of employee benefit plans making electronic disclosures to ensure that electronic recordkeeping systems have in place reasonable controls, adequate records management practice, and other measures calculated to protect Personally Identifiable Information.

EBSA’s April 14, 2021 reflects EBSA now views the fiduciary responsibilities of ERISA-covered employee benefit plan fiduciaries generally as including the responsibility to take “appropriate precautions” to mitigate risks to plan participants and assets from both internal and external cybersecurity threats. Beyond acknowledging a duty to take prudent steps to protect plans assets and participants against internal and external cybersecurity threats, EBSA also shared the following three resources to help plan sponsors, fiduciaries and participants to safeguard benefit plans and personal information against emerging cyber threats:

Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.

Cybersecurity Program Best Practices: Assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks.

Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss

Participants in Securities Markets, Market Infrastructure Providers & Vendors. 

Meanwhile the Securities and Exchange Commission (“SEC”) also has made clear its expectation that all firms participating in the securities markets, market infrastructure providers and vendors will appropriately monitor, assess and manage their cybersecurity risk profiles, including their operational resiliency. Consistent with the shared understanding of best cybersecurity practices shared with the agencies, the SEC guidance makes clear its market involved and impacting regulated entities are accountable for maintaining and enforcing appropriate internal and external controls to prevent, detect and redress cybersecurity threats, including appropriate board governance and risk management, access rights and controls, data loss prevention,mobile security, incident response and resiliency, vendor management, training and awareness and other practices.  See  SEC Office of Compliance Inspections and Examinations Cybersecurity and Resiliency Observations.  Recently announced enforcement actions demonstrate that the SEC is acting on its promise to go after SEC regulated entities that breach these expectations.  See, e.g., SEC Announces Three Actions Charging Deficient Cybersecurity Procedures.

These and other recently announced federal regulatory and enforcement developments send a clear message to businesses and their leadership, employee benefit plan sponsors, fiduciaries, record keepers and other vendors, SEC securities market involved organizations and others to clean up their cybersecurity compliance and risk management.  Beyond the governmental enforcement risks these developments signal, these and other emerging regulatory developments provide added fuel for the already substantial private litigant and government complaints, investigations and prosecutions against businesses, their leaders, their employee benefit plan fiduciaries, record keepers and other service providers,and others.   and their leaders unable to defend the adequacy of their cybersecurity related practices.

Raise Cybersecurity Compliance & Defenses To Mitigate Risks & Liabilities

In the face of these developments, all businesses, employee benefit plan fiduciaries, their employer and other sponsors, record keepers and other vendors and their leaders should prioritize cybersecurity compliance, risk management, oversight and controls.  As part of these efforts, organizations and their leaders should move quickly to position themselves to defend against potential investigation and enforcement risks created by these emerging policies. These efforts should seek to ensure compliance with all applicable statutory, regulatory and contractual requirements as well as institutionalize the necessary operational controls to protect systems, data and operations from cyber breaches and other threats, to detect and redress cyber events promptly, and to ensure that the organization otherwise can demonstrate both their compliance efforts, as well as their timely prudent detection, investigation, reporting, mitigation and remediation in response to actual or suspected cyber threats or other compliance breaches.

Efforts should begin by taking carefully crafted, well-documented documented steps to prudently evaluate and strengthen  cybersecurity and breach safeguards and compliance, as well as prudently to assess and verify those of their vendors and others involved with their employee benefit plans or their administration within the scope of attorney-client privilege.

Assessments should take into account all existing required statutory, regulatory, and contractual controls and practices, documentation and other procedures.  In addition, organizations should consider the advisability of adopting other “best practice” safeguards or actions taking into account relevant agency guidance and resources,  government or other contracts, other industry or related standards, known and suspected breaches, “red flags” and threats, their own, their vendor and business partner and other risk profiles and experience, and other factors likely to be viewed as prudent under the circumstances.

In assessing, designing and administering the cybersecurity processes, organizations and their leaders should give due attention to assessing and addressing the adequacy of their internal and external controls to ensure the adequacy of their systems, processes, oversight and response practices and capabilities as of the time of the assessment and on an ongoing basis.  Beyond establishing required policies and formal controls, organization should ensure that their organizations have in place the necessary policies and practices to monitor and control cyberthreats arising from conduct and risks created by employees and other internal workforce, vendors and other parties interacting with the business and its operations.  As part of these efforts, most organizations will need to evaluate their contractual obligations and requirements for vendors, suppliers and others interacting with their businesses. Beyond general contractual compliance obligations, organizations should weigh requiring contractors, suppliers and other business partners to make specific commitments to maintain and monitor compliance and other risks, to provide timely notice and reports, to cooperate with audits and investigations necessary or advisable to respond to private or government complaints, government or other investigation, reporting or other requirements, their own compliance and risk assessments, audits and investigations and other compliance and risk management efforts.  Organizations also should give careful attention and review the adequacy of protections and responsibilities arising from contractual cybersecurity and breach notice, investigation, cooperation, indemnification,  insurance and other associated protections and cooperation.

Organizations also should consider establishing and administering processes for independent monitoring of regulatory, news, and other reports that could provide early warning of potential cybersecurity weaknesses, threats and breaches.

All processes should include appropriate governance, oversight and reporting to provide for ongoing monitoring and oversight necessary to identify and respond to evolving risks arising in the course of their operations as well as consistent practices for carefully documenting their compliance and risk management compliance efforts.

Because of the frequently high cost of breach investigation, response and mitigation, most organizations will want to consider securing cyber liability or other coverage, require vendors and other business partners to provide cyber liability indemnifications backed up with insurance or other adequate assurance of their ability to fulfill these financial responsibilities.

More Information

We hope this update is helpful. For more information about or assistance with these or other workforce, internal controls and compliance or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, and author of the “Medical Privacy” Chapter in the BNA/ERISA Litigation Treatise, the “Other Torts Chapter” in the BNA/ABA E-Heath & Other Torts Treatise, “Privacy and the Pandemic Workshop” for the Association of State and Territorial Health Plans, as well as a multitude of other highly regarded data privacy and security, workforce and health care change and crisis management and other highly regarded publications and presentations, Ms. Stamer is widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with private and public employer, health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  In the course of this work, she has had extensive involvement in the design, administration and defense of payroll, employee benefit, insurance, securities, trade secret and other confidential information and other internal and external record and data systems and processes as well as investigation, reporting, redress and mitigation of cyber and other incidents.

As a part of this work, she has continuously and extensively worked with domestic and international health and other employee benefit plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.  She also has extensive experience dealing with OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement;  and other strategic and operational concerns.

American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, current RPTE Welfare Benefit Committee Co-Chair and former Chair of its Fiduciary Responsibility, Plan Terminations and Distributions and Defined Contribution Plan Committees, a former JCEB Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former SHRM Consultants Board and Region IV Chair, former Texas Association of Business Board, BACPAC Board and Dallas Chapter Chair, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas.

Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE:   These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at any time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any situation and does not necessarily address all relevant issues. Because developments could impact the currency and completeness of this discussion, the author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.  Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.  Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. ©2021 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

 

Posted in Uncategorized | Tagged | Leave a comment

Raise Cybersecurity & Cyberbreach Compliance & Risk Management To Defend Against Rising Cyber Regulatory & Enforcement Risks


Businesses, their employee benefit plan fiduciaries, their employer and other sponsors, their record keepers, financial advisors and other service providers and other business partners face growing pressure to shore up cyber security and cyber breach compliance and other safeguards to defend against a slew of  new and ongoing federal cyber security and breach regulatory and enforcement the Biden-Harris Administration is rolling out in its effort to stem the rising tide of  cybersecurity incidents.

Agencies Targeting Businesses, US Entities & Their Leaders For CyberSecurity & CyberBreach Regulation & Enforcement

The DOJ Civil Cyber-Fraud Initiative is the latest in a growing list of new regulatory and enforcement programs placing pressure on U.S. businesses and their leaders to get serious about cybersecurity.  Examples of some of the more far reaching of these new or continuing programs include:

Government Contractors

On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced plans to civilly prosecute federal government contractors that fail to follow required cyber security standards under the False Claims Act under a new Civil Cyber-Fraud Initiative to be led by DOJ’s Civil Division’s Commercial Litigation Branch, Fraud Section.  While adding new exposures to the already substantial exposures  federal government contractors and grant recipients already face for failing to comply with applicable cybersecurity and cyberbreach notifications under federal and state laws, the Civil Cyber-Fraud Initiative also provides more evidence that the Biden-Harris Administration is serious about moving forward on its broader strategy to stem the recurrent waves of disruptive cyber breaches and other security incidents buffeting U.S. public and private institutions and citizens by ramping up cybersecurity regulations, oversight and enforcement against all U.S. organizations.   See e.g., New DOJ Civil Cyber-Fraud Initiative Pressures Federal Contractors & Grant Recipients To Tighten Cybersecurity Controls, Training & Other SafeguardsMay 12, 2021 Executive Order on Improving the Nation’s CybersecurityJuly 28, 2021 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.

Under the Civil Cyber-Fraud Initiative, DOJ plans to use the False Claims Act to prosecute pursue cyber security related fraud by government contractors and grant recipients.  According to DOJ, the initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cyber security products or services, knowingly misrepresenting their cyber security practices or protocols, or knowingly violating obligations to monitor and report cyber security incidents and breaches. Federal contractors and grant recipients submitting claims for federal funds will be considered to have filed a false claim in violation of the False Claims Act if their cyber security and cyber breach practices are not compliant with applicable federal requirements when the payment is requested.

Federal Health Program Participating Health Care Providers And Plans. 

The DOJ Cyber-Fraud Initiative follows a similar interpretation of the Department of Health & Human Services (“HHS”) Office Inspector General (“OIG”) about the cybersecurity and cyberbreach compliance requirements health care providers and health plan issuers participating in Medicare and certain other federally funded health care programs (“Medicare Participating Providers”) are accountable to meet under the Conditions of Participation for those programs.  HHS OIG’s construction of these Conditions of Participation as including cybersecurity and cyberbreach compliance signs that Medical Participating Providers with deficient cybersecurity practices now may risk program disqualification and False Claims Act liability along with their already well-known exposure to civil monetary penalties under the Health Insurance Portability & Accountability Act (“HIPAA”) protected health information privacy, security and data breach rules.

Health & Other Employee Benefit Plans. 

Health plans and other employee benefit plans, their fiduciaries, record keepers and service providers also face growing cybersecurity responsibilities and risks.  While HHS Office of Civil Rights (“OCR”) continues to clarify and expand its interpretation, investigation and enforcement of HIPAA privacy, security and data breach rules against health plans, health care providers, health care clearinghouses and their business associates, the Department of Labor Employee Benefit Security Administration is turning up the heat on employee benefit plan fiduciaries to prudently protect their employee benefit plan assets and participants against cyberthreats.

On April 14, 2021, the Department of Labor Employee Benefit Security Administration (“EBSA”) made official its interpretation of the duty of prudence applicable to employee benefit plan fiduciaries under Section 404 of the Employee Retirement Income Security Act (“ERISA”) includes a duty for ERISA-covered employee benefit plan fiduciaries to take “appropriate precautions” to mitigate risks to plan participants and assets from both internal and external cybersecurity threats. The April 14 announcement makes official EBSA’s interpretation of the duty of prudence applicable to fiduciaries of ERISA-covered employee benefit plans as extending to a duty to act prudently to safeguard plan assets and plan participants against cybersecurity threats.

Concern about cyberthreats to private employee benefit plans covered by ERISA, their participants and beneficiaries has soared as massive data breaches  Federal Thrift Savings PlanAnthemCapital One,  the Public Employees Retirement Association of New Mexico and other employee benefit plans, their vendors and service providers increasingly have impacted millions of employee benefit plans, their accounts and participants.

While Congress chose to subject health plans to the detailed health privacy, security and breach rules of HIPAA and financial and certain other employee benefit plan service providers to consumer financial disclosure and data information security requirements of laws like Gramm-Leach-Bliley Act and the Fair and Accurate Credit Transactions Act, and even employers and others conducting background and other credit checks to the  Fair Credit Reporting Act, growing awareness of the cyberthreat to employee benefits has not prompted Congress to date to extend those laws or otherwise to enact express statutory requirements for employee benefit plans and their fiduciaries.  However, private litigants and others increasingly have speculated that a fiduciary duty to safeguard plan asset against cyberthreats might be subsumed in the obligation of fiduciaries under Section 404 of ERISA at all times to act with “the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims.” See, e.g., See Record $16M Anthem HIPAA Settlement Signals Need to Tighten Your Health Plan HIPAA Compliance & Risk Management.

While EBSA has worked to formulate its recently announced positions, private litigants increasingly have begun debating the applicability and effect of ERISA on cyberbreaches involving ERISA regulated plans.  See e.g., In re Anthem, Inc. Data Breach Litig., No. 15-CV-04739-LHK, 2015 WL 7443779, at *1 (N.D. Cal. Nov. 24, 2015)(holding Anthem entitled under ERISA to remove claims to federal court and refusing employee benefit plan participants’ motion to remand to state court state claims arising from data breach); In re Anthem, Inc. Data Breach Litig., No. 15-MD-02617-LHK, 2016 WL 3029783 (N.D. Cal. May 27, 2016)(refusing to dismiss participant claims against non-Anthem defendants for lack of standing), motion reconsideration denied In re Anthem, Inc. Data Breach Litig., No. 15-CV-04739-LHK, 2016 WL 324386 (N.D. Cal. Jan. 27, 2016); Bartnett v. Abbott Lab’ys, No. 20-CV-02127, 2021 WL 428820, at *5 (N.D. Ill. Feb. 8, 2021) (dismissing breach of fiduciary duty claim based on inadequate evidence); In re: Premera Blue Cross Customer Data Sec. Breach Litig., No. 3:15-MD-2633-SI, 2017 WL 539578, at *21 (D. Or. Feb. 9, 2017). While mostly unsuccessful to date for procedural or factual sufficiency reasons, the preemption issues argued in many of these cases support concerns that under the proper circumstances ERISA could apply to breaches involving plans or their participants.  As these and other actions continue to wind their way through the courts, EBSA also has begun to acknowledge that ERISA plan fiduciaries duties of prudence include cybersecurity responsibilities.

EBSA’s first official recognition of a cybersecurity responsibility by plan fiduciaries appears in the Default Electronic Disclosure by Employee Pension Benefit Plans Under ERISA Final Rule (the “Electronic Disclosure Rule”), which took effect July 27, 2020 . In the discussion of its requirements regarding website-based electronic disclosures in Subpart (e)(3), the Electronic Disclosure Rule requires that “[T]he administrator must take measures reasonably calculated to ensure that the website protects the confidentiality of personal information relating to any covered individual.”  Similarly, the requirements for using e-mail to provide electronic disclosures in Subsection (k)(4) of the Electronic Disclosure Rule require the plan administrator to take “measures reasonably calculated to protect the confidentiality of personal information relating to the covered individual.”  While recognizing these cyber security responsibilities in the Electronic Disclosure Rule, however,  EBSA explained in the Preamble to the Electronic Disclosure Rule that it decided not to include more cumbersome cybersecurity requirements in the Electronic Disclosure Rule out of concern over the cost and other burdens of such requirements.  Nevertheless, the Electronic Disclosure Rule imposed a responsibility by plan fiduciaries of employee benefit plans making electronic disclosures to ensure that electronic recordkeeping systems have in place reasonable controls, adequate records management practice, and other measures calculated to protect Personally Identifiable Information.

EBSA’s April 14, 2021 reflects EBSA now views the fiduciary responsibilities of ERISA-covered employee benefit plan fiduciaries generally as including the responsibility to take “appropriate precautions” to mitigate risks to plan participants and assets from both internal and external cybersecurity threats. Beyond acknowledging a duty to take prudent steps to protect plans assets and participants against internal and external cybersecurity threats, EBSA also shared the following three resources to help plan sponsors, fiduciaries and participants to safeguard benefit plans and personal information against emerging cyber threats:

Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.

Cybersecurity Program Best Practices: Assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks.

Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss

Participants in Securities Markets, Market Infrastructure Providers & Vendors. 

Meanwhile the Securities and Exchange Commission (“SEC”) also has made clear its expectation that all firms participating in the securities markets, market infrastructure providers and vendors will appropriately monitor, assess and manage their cybersecurity risk profiles, including their operational resiliency. Consistent with the shared understanding of best cybersecurity practices shared with the agencies, the SEC guidance makes clear its market involved and impacting regulated entities are accountable for maintaining and enforcing appropriate internal and external controls to prevent, detect and redress cybersecurity threats, including appropriate board governance and risk management, access rights and controls, data loss prevention,mobile security, incident response and resiliency, vendor management, training and awareness and other practices.  See  SEC Office of Compliance Inspections and Examinations Cybersecurity and Resiliency Observations.  Recently announced enforcement actions demonstrate that the SEC is acting on its promise to go after SEC regulated entities that breach these expectations.  See, e.g., SEC Announces Three Actions Charging Deficient Cybersecurity Procedures.

These and other recently announced federal regulatory and enforcement developments send a clear message to businesses and their leadership, employee benefit plan sponsors, fiduciaries, record keepers and other vendors, SEC securities market involved organizations and others to clean up their cybersecurity compliance and risk management.  Beyond the governmental enforcement risks these developments signal, these and other emerging regulatory developments provide added fuel for the already substantial private litigant and government complaints, investigations and prosecutions against businesses, their leaders, their employee benefit plan fiduciaries, record keepers and other service providers,and others.   and their leaders unable to defend the adequacy of their cybersecurity related practices.

Raise Cybersecurity Compliance & Defenses To Mitigate Risks & Liabilities

In the face of these developments, all businesses, employee benefit plan fiduciaries, their employer and other sponsors, record keepers and other vendors and their leaders should prioritize cybersecurity compliance, risk management, oversight and controls.  As part of these efforts, organizations and their leaders should move quickly to position themselves to defend against potential investigation and enforcement risks created by these emerging policies. These efforts should seek to ensure compliance with all applicable statutory, regulatory and contractual requirements as well as institutionalize the necessary operational controls to protect systems, data and operations from cyber breaches and other threats, to detect and redress cyber events promptly, and to ensure that the organization otherwise can demonstrate both their compliance efforts, as well as their timely prudent detection, investigation, reporting, mitigation and remediation in response to actual or suspected cyber threats or other compliance breaches.

Efforts should begin by taking carefully crafted, well-documented documented steps to prudently evaluate and strengthen  cybersecurity and breach safeguards and compliance, as well as prudently to assess and verify those of their vendors and others involved with their employee benefit plans or their administration within the scope of attorney-client privilege.

Assessments should take into account all existing required statutory, regulatory, and contractual controls and practices, documentation and other procedures.  In addition, organizations should consider the advisability of adopting other “best practice” safeguards or actions taking into account relevant agency guidance and resources,  government or other contracts, other industry or related standards, known and suspected breaches, “red flags” and threats, their own, their vendor and business partner and other risk profiles and experience, and other factors likely to be viewed as prudent under the circumstances.

In assessing, designing and administering the cybersecurity processes, organizations and their leaders should give due attention to assessing and addressing the adequacy of their internal and external controls to ensure the adequacy of their systems, processes, oversight and response practices and capabilities as of the time of the assessment and on an ongoing basis.  Beyond establishing required policies and formal controls, organization should ensure that their organizations have in place the necessary policies and practices to monitor and control cyberthreats arising from conduct and risks created by employees and other internal workforce, vendors and other parties interacting with the business and its operations.  As part of these efforts, most organizations will need to evaluate their contractual obligations and requirements for vendors, suppliers and others interacting with their businesses. Beyond general contractual compliance obligations, organizations should weigh requiring contractors, suppliers and other business partners to make specific commitments to maintain and monitor compliance and other risks, to provide timely notice and reports, to cooperate with audits and investigations necessary or advisable to respond to private or government complaints, government or other investigation, reporting or other requirements, their own compliance and risk assessments, audits and investigations and other compliance and risk management efforts.  Organizations also should give careful attention and review the adequacy of protections and responsibilities arising from contractual cybersecurity and breach notice, investigation, cooperation, indemnification,  insurance and other associated protections and cooperation.

Organizations also should consider establishing and administering processes for independent monitoring of regulatory, news, and other reports that could provide early warning of potential cybersecurity weaknesses, threats and breaches.

All processes should include appropriate governance, oversight and reporting to provide for ongoing monitoring and oversight necessary to identify and respond to evolving risks arising in the course of their operations as well as consistent practices for carefully documenting their compliance and risk management compliance efforts.

Because of the frequently high cost of breach investigation, response and mitigation, most organizations will want to consider securing cyber liability or other coverage, require vendors and other business partners to provide cyber liability indemnifications backed up with insurance or other adequate assurance of their ability to fulfill these financial responsibilities.

More Information

We hope this update is helpful. For more information about or assistance with these or other workforce, internal controls and compliance or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, and author of the “Medical Privacy” Chapter in the BNA/ERISA Litigation Treatise, the “Other Torts Chapter” in the BNA/ABA E-Heath & Other Torts Treatise, “Privacy and the Pandemic Workshop” for the Association of State and Territorial Health Plans, as well as a multitude of other highly regarded data privacy and security, workforce and health care change and crisis management and other highly regarded publications and presentations, Ms. Stamer is widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with private and public employer, health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  In the course of this work, she has had extensive involvement in the design, administration and defense of payroll, employee benefit, insurance, securities, trade secret and other confidential information and other internal and external record and data systems and processes as well as investigation, reporting, redress and mitigation of cyber and other incidents.

As a part of this work, she has continuously and extensively worked with domestic and international health and other employee benefit plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.  She also has extensive experience dealing with OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement;  and other strategic and operational concerns.

American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, current RPTE Welfare Benefit Committee Co-Chair and former Chair of its Fiduciary Responsibility, Plan Terminations and Distributions and Defined Contribution Plan Committees, a former JCEB Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former SHRM Consultants Board and Region IV Chair, former Texas Association of Business Board, BACPAC Board and Dallas Chapter Chair, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas.

Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE:   These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at any time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any situation and does not necessarily address all relevant issues. Because developments could impact the currency and completeness of this discussion, the author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.  Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.  Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. ©2021 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™.

Posted in Uncategorized | Leave a comment

DOJ Civil Cyber-Fraud Initiative Pressures Federal Contractors & Grant Recipients To Tighten Cybersecurity Controls, Training & Other Safeguards


Federal government contractors and grant recipients should tighten cyber security policies, practices and internal controls to mitigate their exposure to civil False Claims Act claims by the Department of Justice (“DOJ”) under a new DOJ Civil Cyber-Fraud Initiative announced by DOJ last week.  The new initiative adds False Claims Act civil liability to the already substantial civil liability that government contractors and other businesses already face for failing to comply with applicable cyber security and cyber breach notifications under federal and state laws.  In the face of these added liabilities, federal contractors and grant recipients should act quickly to audit their cyber security and cyber breach practices, tighten cyber security and breach detection;  oversight, credentialing and controls over employees, contractors and others with access to facilities and systems and take other appropriate action to prevent and remediate compliance deficiencies and risks.

Federal Government Contractors Bear Cybersecurity Responsibilities 

Federal government contractors can face cyber security and breach responsibilities under a myriad of federal laws, regulations and contracting standards which are incorporated into their government contracts as part of conditions for participation in the applicable contract or program. For example,  businesses that sell products to the U.S. government generally are required to comply with 15 basic safeguarding requirements and procedures to protect systems used to collect, process, maintain, use, share, disseminate, or dispose of Federal Contract Information (FCI) set forth in FAR 52.202.21.  Companies that produce products used by the Department of Defense (DoD) may be required to comply with the minimum cybersecurity standards set by DFARS if those products aren’t commercially available off-the-shelf (COTS).  DFARS 252.204-7012 requires contractors with CUI to follow NIST SP 800-171, report cyber incidents, report cybersecurity gaps.  DFARS 252.204-7019 (interim) requires primes and subcontractors to submit self-assessment of NIST 800-171 controls through the Supplier Performance Risk System (SPRS).  DFARS 252.204-7020 (interim) requires primes and subcontractors give the DoD access to their infrastructure to verify the self-assessment (via DMCA) and requires contractors roll requirements down to subcontractors.  Meanwhile, DFARS 252.204-7021 (interim) governs the rollout of the Cybersecurity Maturity Model Certification program over 5 years.  These requirements are in addition to any cyber security or cyber breach requirements otherwise applicable to government contractors or grant recipients under laws such as the Fair & Accurate Credit Transactions Act (“FACTA”) that also might apply to other businesses that do not do business with the federal government.

New DOJ Civil Cyber-Fraud Initiative Against Government Contractors Heightens Enforcement & Liability Risks

On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced plans to civilly prosecute federal government contractors that fail to follow required cyber security standards under the False Claims Act under a new Civil Cyber-Fraud Initiative to be led by DOJ’s Civil Division’s Commercial Litigation Branch, Fraud Section.

According to the DOJ announcement, DOJ expects the initiative to:

  • Build broad resiliency against cyber security intrusions across the government, the public sector and key industry partners.
  • Hold contractors and grantees to their commitments to protect government information and infrastructure.
  • Support government experts’ efforts to timely identify, create and publicize patches for vulnerabilities in commonly used information technology products and services.
  • Ensure that companies that follow the rules and invest in meeting cyber security requirements are not at a competitive disadvantage.
  • Reimburse the government and the taxpayers for the losses incurred when companies fail to satisfy their cyber security obligations.
  • Improve overall cyber security practices that will benefit the government, private users and the American public.

Under the Civil Cyber-Fraud Initiative, DOJ plans to use the False Claims Act to prosecute pursue cyber security related fraud by government contractors and grant recipients.  According to DOJ, the initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cyber security products or services, knowingly misrepresenting their cyber security practices or protocols, or knowingly violating obligations to monitor and report cyber security incidents and breaches.

The False Claims Act is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations.   The DOJ’s Civil Cyber-Fraud Initiative does not create new cyber security and cyber breach obligations to promote these goals.  Rather, it piggybacks on already existing federal mandates by adding False Claims Act civil liability to the already substantial civil liability that government contractors and grant recipients already risk for failing to maintain and administer their data security and data breach practices in accordance with applicable federal laws. Under the new Civil Cyber-Fraud Initiative, DOJ has signaled it intends to include compliance with applicable cyber security and cyber breach reporting requirements applicable to contractors as part of the obligations of government contractors and grant recipients to comply with applicable law as a condition of eligibility to participate in federal programs and receive federal funds.  Federal contractors and grant recipients submitting claims for federal funds will be considered to have filed a false claim in violation of the False Claims Act if their cyber security and cyber breach practices are not compliant with applicable federal requirements when the payment is requested.

Companies and individuals found to have violated the False Claims Act generally are liable for treble damages plus a penalty that is linked to inflation. In addition to allowing the United States to pursue perpetrators of fraud on its own, the FCA allows private citizens to file suits on behalf of the government (called “qui tam” suits) against those who have defrauded the government.  Private citizens who successfully bring qui tam actions may receive a portion of the government’s recovery.  Many DOJ Fraud Section investigations and lawsuits arise from such qui tam actions and result in often large recoveries by DOJ and the reporting whistleblowers.  As a result of availability of whistleblower recoveries, government contractors should anticipate that disgruntled employees, contractors, or others with whom they do business with knowledge of data breaches or other cybersecurity weaknesses may be incentivized to act as whistleblowers.

Cyber Risks Already Substantial Cyber Risks

The False Claims Act exposure under the new DOJ Civil Cyber-Security initiative adds to the already substantial and mounting risks that government contractors already face under an ever-expanding tapestry of federal, state and in some instances, international statutes, regulations and rulings.

Along with any exposures specifically applicable to it as a government contractor, depending on the nature of the business and the data it collects, the business also likely falls subject to duties to safeguard the confidentiality and security of wide range of electronic or other personal financial, tax and other data under various federal and state laws such as FACTA, the Internal Revenue Code, the Health Insurance Portability & Accountability Act (HIPAA), state identity theft, and a host of other statutes and regulations, contractual agreements, or both.

Due to the nature of their activities and involvements, some of the most significant of these obligations may arise from electronic crime related provisions of the Criminal Code of the United States, which by virtue of their criminal nature trigger potential organizational compliance program responsibilities under the U.S. Sentencing Commission Organizational Guidelines for government contractors and other covered entities such as 18 U.S. Code § 1028 – Fraud and related activity in connection with identification documents, authentication features, and information18 U.S.C. § 1029.  Fraud and Related Activity in Connection with Access Devices; and 18 U.S.C. § 1030.  Fraud and Related Activity in Connection with Computers.

However, government contractors also can face cybersecurity responsibilities, breach notification and other obligations and liabilities under a wide range of other civil laws and regulations.  For instance, FACTA generally requires covered entities that collect or use certain personal financial information to conduct due diligence, monitor the security of records and adopt disposal practices that are reasonable and appropriate to prevent the unauthorized access to – or use of – information in a consumer report.  As implemented by the Federal Trade Commission regulations, entities with covered accounts must develop and implement written identity theft prevention programs designed to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

Beyond these federal obligations, government contractors, like other businesses, also typically are exposed to liability under a wide variety of cyber security, cyber breach notification and other obligations and liabilities under state laws, regulations and common law. See, e.g. here.  While the particulars vary based on the state, the nature of the business, where and how the business collects and maintains its data and other factors, the applicable state electronic confidentiality and data security requirements in most states and under some federal laws increasingly include express duties to take steps to protect data, to monitor from breaches and other threats, and/or to notify subjects of the breached data and in some cases, regulators and the public within a short period after a breach happens. Businesses operating in multiple states typically faces exposure under the laws of each jurisdiction where it operates with data impacted by the breach.

Because cyber security events increasingly create business and financial losses, investigation and defense costs, penalties and other liabilities and costs, cyber security breaches and other events also increasingly that fuel shareholder disclosure obligations and shareholder lawsuits.  Indeed, former Securities and Exchange Commission  Chair Mary Jo White in May, 2016 characterized cyber security as the biggest risk facing the financial system   See here.  In response to investor risks from cyber security events, the SEC has required regulated entities to make disclosures about these risks to investors since 2011.      See  CF Disclosure Guidance: Topic No. 2 – Cybersecurity.   Given this guidance, it should come as no surprise that the SEC has imposed substantial fines against entities following a breach.  See  e.g. R.T. Jones reaches settlement with SEC in data breach case;  Morgan Stanley Fined $1 Million for Client Data Breach.

Act To Manage Compliance & Risks

In the face of these added liabilities, federal contractors and grant recipients should act quickly to work with qualified legal counsel within the scope of attorney-client privilege to audit the adequacy of their existing cyber security and cyber breach practices under applicable federal statutes and contracts and other relevant laws and regulations as well as to confirm that adequate breach notification has been made for any existing or past breaches. To the extent that the audit uncovers any potential deficiencies in prior breach notification or other compliance, the federal contractor or grant recipient general will want to seek guidance from legal counsel regarding the advisable steps, if any, to take to mitigate and resolve outstanding liabilities, particularly in light of whistleblower liabilities.  In addition to examining past and current compliance risks, government contractors and grant recipients also will want to explore advisable steps and documentation that will position their organizations to demonstrate their appropriate monitoring and maintenance of ongoing compliance or otherwise strengthen their defenses against potential cyber breaches as well as whistleblower and retaliation claims arising from employees or others seeking to use these exposures as leverage for settlements or claims.  Given the potential magnitude of the liability, businesses generally not only need to take well documented steps properly  to safeguard sensitive electronic sensitive  personal information and systems holding or using it as well as be prepared to promptly provide notice in the event of any breach with the short time contemplated by law.

As part of these efforts, businesses and their leaders will want to ensure their compliance efforts include both adoption of all required formal policies, appropriate credentialing of employees, contractors and others accessing systems or facilities, well documented operational compliance and risk audits, documented risk assessment and response, compliance hotline reporting and investigation, suitable up-the-ladder reporting, and other appropriate procedures to facilitate rapid identification of potential concerns and other operational compliance. 

Effective internal and external workforce credentialing, training, management and oversight are key to the success of these efforts, particularly because cyber breaches and other data threats often leverage internal access created by workforce infiltration, susceptibilities created by social engineering or other opportunities created from lax workforce or contractor compliance with security controls or both.  See, e.g., Insider threat: The human element of cyberrisk.

Effective internal monitoring and reporting protocols also are essential to ensure rapid breach identification, investigation and notification.  These protocols also should be developed and implemented to ensure timely disclosure and management of any breaches within required time frames. 

In recognition of the typically high financial and operational costs of breach investigation, notification and defense, organizations also should weigh the advisability of securing and requiring business partners to secure cyber insurance or other protection to help mitigate these costs in the event of a cyber event.

While the conduct of these assessments inevitably will require the involvement of outside consulting services, business leaders also are cautioned to use care to take appropriate steps to protect these interactions by arranging to engage these services pursuant to attorney-client privilege to help shield sensitive information likely to be uncovered through compliance, risk management or investigation activities.  Likewise, given the short time allowed for breach mitigation and notification, businesses should weigh carefully whether to engage regulatory counsel  to assist with the initial breach notification and mitigation, separate and apart from cyber litigation defense counsel that might be available under applicable cyber insurance policies unless the proposed litigation defense counsel has proven cyber and other regulatory knowledge, experience and qualifications handling breach mitigation and notification events.

More Information

We hope this update is helpful. For more information about or assistance with these or other workforce, internal controls and compliance or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.  

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.  

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications. As a significant part of her work, Ms. Stamer has worked extensively on pandemic, business and other crisis planning, preparedness and response for more than 30 years.

Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.  Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.  As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.  

This  involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve  sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EHR, HIPAA and other technology,  data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care;  internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement;  and other strategic and operational concerns.  

Author of “Privacy and the Pandemic Workshop” for the Association of State and Territorial Health Plans, as well as a multitude of other health industry matters, workforce and health care change and crisis management and other highly regarded publications and presentations, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.  

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.  

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE:   These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.  Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.  Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. ©2020 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™.

Posted in bank secrecy act, Board of Directors, Compliance, Cyber, data breach, Director Liability, Fair Debt Collection Practices Act, Fair Debt Collections Act, Fraud, Government Contractor, Internal Controls, Labor Relations, Leadership, Officers, Officers Liability, patriot act, Performance Management, Privacy, Privacy, Uncategorized | Leave a comment

Baseball Lesson on Servant Leadership & Teamwork


A lesson in servant leadership and teamwork provides invaluable insights on building and perpetuating great teams and servant leaders.

At a fundraising dinner for a school that serves children with learning disabilities, the father of one of the students delivered a speech that would never be forgotten by all who attended. After extolling the school and its dedicated staff, he offered a question:

‘When not interfered with by outside influences, everything nature does is done with perfection.

Yet my son, Shay, cannot learn things as other children do. He cannot understand things as other children do.

Where is the natural order of things in my son?’
The audience was stilled by the query.

The father continued. ‘I believe that when a child like Shay, who was mentally and physically disabled comes into the world, an opportunity to realize true human nature presents itself, and it comes in the way other people treat that child.’

Then he told the following story:

Shay and I had walked past a park where some boys Shay knew were playing baseball. Shay asked, ‘Do you think they’ll let me play?’ I knew that most of the boys would not want someone like Shay on their team, but as a father I also understood that if my son were allowed to play, it would give him a much-needed sense of belonging and some confidence to be accepted by others in spite of his handicaps.

I approached one of the boys on the field and asked (not expecting much) if Shay could play. The boy looked around for guidance and said, ‘We’re losing by six runs and the game is in the eighth inning. I guess he can be on our team and we’ll try to put him in to bat in the ninth inning..’

Shay struggled over to the team’s bench and, with a broad smile, put on a team shirt.. I watched with a small tear in my eye and warmth in my heart. The boys saw my joy at my son being accepted.

In the bottom of the eighth inning, Shay’s team scored a few runs but was still behind by three.

In top of the ninth inning, Shay put on a glove and played in the right field. Even though no hits came his way, he was obviously ecstatic just to be in the game and on the field, grinning from ear to ear as I waved to him from the stands.

In the bottom of the ninth inning, Shay’s team scored again. Now, with two outs and the bases loaded, the potential winning run was on base and Shay was scheduled to be next at bat.

At this juncture, do they let Shay bat and give away their chance to win the game? Surprisingly, Shay was given the bat. Everyone knew that a hit was all but impossible because Shay didn’t even know how to hold the bat properly, much less connect with the ball.

However, as Shay stepped up to the plate, the pitcher, recognizing that the other team was putting winning aside for this moment in Shay’s life, moved in a few steps to lob the ball in softly so Shay could at least make contact.

The first pitch came and Shay swung clumsily and missed. The pitcher again took a few steps forward to toss the ball softly towards Shay. Athe pitch came in, Shay swung at the ball and hit a slow ground ball right back to the pitcher.

The game would now be over. The pitcher picked up the soft grounder and could have easily thrown the ball to the first baseman. Shay would have been out and that would have been the end of the game.

Instead, the pitcher threw the ball right over the first baseman’s head, out of reach of all team mates.
Everyone from the stands and both teams started yelling, ‘Shay, run to first!

Never in his life had Shay ever run that far, but he made it to first base. He scampered down the baseline, wide-eyed and startled.

Everyone yelled, ‘Run to second, run to second!’

Catching his breath, Shay awkwardly ran towards second, gleaming and struggling to make it to the base.

By time Shay rounded towards second base, the right fielder had the ball. The smallest guy on their team who now had his first chance to be the hero for his team.

He could have thrown the ball to the second-baseman for the tag, but he understood the pitcher’s intentions so he, too, intentionally threw the ball high and far over the third-baseman’s head.

Shay ran toward third base deliriously as the runners ahead of him circled the bases toward home. All were screaming, ‘Shay, Shay, Shay, all the Way Shay’

Shay reached third base because the opposing shortstop ran to help him by turning him in the direction of third base, and shouted, ‘Run to third!

As Shay rounded third, the boys from both teams, and the spectators, were on their feet screaming, ‘Shay, run home! Run home!’

Shay ran to home, stepped on the plate, and was cheered as the hero who hit the grand slam and won the game for his team

‘That day’, said the father softly with tears now rolling down his face, ‘the boys from both teams helped bring a piece of true love and humanity into this world’.

Shay didn’t make it to another summer. He died that winter, having never forgotten being the hero and making me so happy, and coming home and seeing his Mother tearfully embrace her little hero of the day!
We all have thousands of opportunities every single day to help realize the ‘natural order of things.’ So many seemingly trivial interactions between two people present us with a choice:

Do we pass along a little spark of love and humanity or do we pass up those opportunities and leave the world a little bit colder in the process?

A wise man once said every society is judged by how it treats it’s least fortunate amongst them.

May your day, be a Shay Day and your team be filled with servant leaders like these.

Posted in Employment, Internal Controls, Leadership, management, Performance Management, servant leadership, Workforce, Workforce Management | Tagged | Leave a comment

Latest Texas Supreme Court COVID-19 Emergency Relief Related Orders Address Jury Trial and Tenant Eviction Rules During COVID Emergency


Texas attorneys and their clients should take note of two two new Texas Supreme Court COVID-19 pandemic related emergency orders issued this week:

  • The 29th Emergency Order extends a previous court order outlining limitations on jury trials to February 1 from December 1 while continuing to require courts to use all reasonable efforts to hold proceedings remotely and to follow the OCA’s Guidance for all Court Proceedings;
  • The 28th Emergency Order extends deadlines for procedures for tenants to apply for the Texas Eviction Diversion Program, a statewide assistance program intended to help tenants behind on rent avoid evictions. Learn more about the Texas Eviction Diversion Program at txcourts.gov/eviction-diversion

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website  and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc. disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2020 Solutions Law Press, Inc. All rights reserved.

Posted in Uncategorized | Tagged | Leave a comment

College Board Antitrust Settlement Warning To Other Associations About Anti-Competitive Policies & Practices


The National Association for College Admission Counseling and its member organizations (“NACAC”) will eliminate and no longer enforce a series of requirements historically limiting the ability of colleges and universities (“colleges”) to compete for the recruitment of first-year and transfer students long included in the NACAC’s Code of Ethics and Professional Practices ( “Ethics Rules”) under a proposed agreement reached with the Justice Department to settle a civil antitrust lawsuit that charged the NACAC and its members with violating the antitrust rules.  Along with eliminating barriers that previously limited competition among colleges for new and transfer students, the lawsuit and its settlement provide an important reminder to other associations and their members about the need to ensure contracts, codes of conduct or other policies or practices don’t improperly fix prices or bids, allocate market share or otherwise restrict or prohibit competition among competitors.

The proposed settlement agreement, which will require federal court approval, seeks to resolve a federal civil antitrust lawsuit the Justice Department filed on November 16, 2019, which charged the NACAC and its member organizations with violating Title I of the Sherman Act by illegally conspiring to restrain and restraining competition for the recruitment and retention of college students among its members.  The leading trade association for college admissions, the NACAC generally includes two types of members:  (1) non-profit colleges and their admissions personnel and (2) high schools and their guidance counselors.

According to the civil antitrust complaint,  the Justice Department filed on November 16, 2019, NACAC’s college members compete vigorously for both incoming college students and transfer students in college tuition cost, majors offered, ease and cost of applications, campus amenities, educational quality, institutional reputation, employment prospects post-graduation and other college students.  While acknowledging this competition among the academic institutions, the Justice Department charged that mandatory rules included in the NACAC’s Ethics Code illegally prevented or severely limited competition among member colleges by restricting the colleges from (1) directly recruiting transfer students from another college, (2) offering incentives of any kind to college applicants who applied via a process known as Early Decision, and (3) recruiting incoming college freshmen after May 1 (together, “Recruiting Rules”).  The complaint charged these Recruiting Rules were horizontal agreements to restrict competition among the schools participating in NACAC that improperly denied American college applicants and potential transfer students access to competitive financial aid packages and benefits and restricted their opportunities to move between colleges. Even though the NCACA members voted to remove the challenged rules from the Ethics Rules in September, 2019, the Justice Department charged the NACAC and its members with illegal restraint of trade in violation of Section 1 of the Sherman Act and asked the court to restrain the NACAC and its members

Under the proposed settlement agreement which will require the approval of the District of Colombia, the NACAC does not admit liability but agrees among other things:

  • To abolish, and not to attempt to establish, maintain, or enforce any Early Decision Incentives Rule, Transfer Student Recruiting Rule, or First-Year Undergraduate Recruiting Rule
  • Appoint an Antitrust Compliance Officer to oversee and report on compliance to the Justice Department;
  • Communicate the rule changes to members and students;
  • Maintain compliance with the settlement agreement requirements; and
  • Submit to continuing inspection and oversight for compliance.

In addition to the expected benefits that the Justice Department expects college students to realize from the rule change accomplished from the litigation and settlement, the litigation and settlement also provides another reminder to associations and other organizations about the potential perils of seeking to establish, implement or enforce rules or other anticompetitive arrangements among competitors.  Trade and other associations and their members, as well as other businesses should take appropriate steps to assess their existing contractual, ethical and other arrangements and agreements to ensure they avoid engaging in similarly risky practices.

For More Information

We hope this update is helpful. For more information about this or other labor and employment developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications focusing on internal controls and other performance. risk and compliance and operations management.

Scribe for the ABA JCEB Annual Agency Meeting with OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care, employee benefit, insurance and financial services, professional and trade associations and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

Author of leading works corporate compliance, governance, internal controls and other concerns, her work includes risk management and compliance counseling and audits, event investigation and redress, representation before regulatory and other bodies; statutory, regulatory and policy advocacy and other assistance to business and government clients. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc. disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2019 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

 

 

Posted in antitrust, Compliance, Internal Controls, Uncategorized | Leave a comment

Live Nation & Radio Music License Committee Targeted In Justice Department Antitrust Activity


The Department of Justice’s Antitrust Division is asking a Federal Court to modify a previous 2019 antitrust judgement in United States v. Ticketmaster Entertainment, Inc., et al., Case No. 1:10-cv-00139-RMC (July 30, 2010)(the “2010 Final Judgement”) to modify and clarify the order to end what the Justice Department charges are recurrent and continuing violations of the 2010 Final Judgment by Live Nation. One of two high profile antitrust enforcement actions impacting the music industry taken by the Justice Department in the same month, the action against Ticketmaster is characterized by the Justice Department as “the most significant enforcement action of an existing antitrust decree by the Department in 20 years” seeks to modify the 2010 Final Judgement so ticket holders and others will get the full benefit of the 2010 Final Judgement.

The 2010 Final Judgment resulted from antitrust litigation over the then proposed merger between Live Nation and Ticketmaster. Headquartered in Beverly Hills, California, Live Nation claims to be the largest live entertainment company in the world, active in three principal segments: concert promotion, ticketing services, and sponsorship & advertising. In 2018, Live Nation’s revenues were approximately $10.8 billion. Ticketmaster is a wholly-owned subsidiary of Live Nation following their merger in 2010. It claims to be the world’s leading live entertainment ticketing sales and entertainment company. In 2018, Ticketmaster’s revenues were approximately $1.5 billion.

The 2010 Final Judgement allowed Live Nation to merge with Ticketmaster subject to its compliance with certain conditions intended to prevent the merged operations from using their market power to control the concert and ticket marketplace such as prohibiting the merged company from retaliating against concert venues for using another ticketing company, threatening concert venues, or undertaking other specified actions against concert venues for ten years. While these and other conditions in the 2010 Final Judgement were supposed to prevent Live Nation from using its market dominance to unfairly control the market for tickets and ticket sales to the detriment of ticket purchasers, venues, artists and others, the Justice Department now charges Live Nation with recurrently repeatedly and over the course of several years violating the 2010 Final Judgement by retaliating against venues for using other ticketing agencies and other improper conduct in violation of the 2010 Final Judgment.

As part of a pre-agreed arrangement with Live Nation to resolve the compliance issues, the Justice Department on December 19 filed a motion in the U.S. District Court for the District of Columbia to reopen the docket in the underlying action, a necessary step towards filing the petition to clarify and extend the 2010 Final Judgment for an additional five and a half years beyond its scheduled expiration date.  According to the Justice Department, once the court approves the petition for leave to amend the 2010 Final Judgement, the Justice Department intends to file a petition asking the Court to modify the 2010 Final Judgment to order Live Nation to stop violating the 2010 Final Order and clarify its responsibilities going forward by among other things, extending the term of the Final Judgment by five and a half years, to allow concert venues and American consumers to get the benefit of the relief the Department bargained for in the original settlement and impose other conditions to help deter additional violations and allow for easier detection and enforcement if future violations occur. The proposed additions will include providing:

  • Live Nation may not threaten to withhold concerts from a venue if the venue chooses a ticketer other than Ticketmaster;
  • A threat by Live Nation to withhold any concerts because a venue chooses another ticketer is a violation of the Final Judgment;
  • Withholding any concerts in response to a venue choosing a ticketer other than Ticketmaster is a violation by Live Nation of the Final Judgment;
  • The Antitrust Division will appoint an independent monitor to investigate and report on Live Nation’s compliance with the Final Judgment;
  • Live Nation will appoint an internal antitrust compliance officer and conduct regular internal training to ensure its employees fully comply with the Final Judgment;
  • Live Nation will provide notice to current or potential venue customers of its ticketing services of the clarified and extended Final Judgment; and
  • Live Nation is subject to an automatic penalty of $1,000,000 for each violation of the Final Judgment.
  • Live Nation will pay costs and fees for the Department’s investigation and enforcement.

The Justice Department’s action against Ticketmaster follows its intervention earlier in December in an antitrust lawsuit in which the mega performer rights organization Global Music Rights, LLC (“GMR”) and Radio Music License Committee, Inc. each accuse each other of operating an illegal cartel in violation of the Sherman Act in their respective actions in negotiating the bundled sale and purchase of licenses to play music over the radio airwaves.

Global Music Rights, LLC (“GMO” is a performing rights organization (“PRO”) that aggregates the performing rights of various songwriters and markets and sells performing rights to their works on a bundled basis to radio stations and others. Meanwhile, Radio Music License Committee, Inc.is an entity that aggregates and negotiates on behalf of radio stations and other license buyers .

On December 5, 2019, the Justice Department intervened in the Global Music Rights, LLC v. Radio Music License Committee, Inc., et al.:litigation by filing a Statement of Interest of the United States (12/05/2019)., where FMR and RML each accuses the other of acting as an illegal cartel and restraining trade in violation of federal antitrust law. Title I of the Sherman Act prohibits restraints and conspiracies to restrain trade or commerce in the United States. In its Statement, the Justice Department sides with FRM in arguing that RML improperly interprets the Sherman Act as only prohibiting sellers, and not buyers, from conspiring or entering into agreements to fix prices or engage in other restraints on trade as well as rejects as incorrect RML’s claim that FMR must prove RML intended to violate the Sherman Act and that the restraint was “unreasonable.” In expressing its opposition to these interpretations by RML, the Justice Department argues in its Statement of Interest that the Sherman Act applies equally to agreements among buyers and agreements among sellers to restrain trade and further, that a plaintiff establishes a prima facia price fixing claim under Title I of the Sherman Act simply by pleading that the defendant was a party to an agreement between two or more competitors to fix prices regardless of the intent of the parties or the unreasonableness of the agreement and its effect on prices or other commerce.

Aside from their implications for music lovers and artists, these two recent antitrust actions reflect the increasing antitrust enforcement emphasis of the Justice Department over the past year and discuss principles and issues relevant to a broad range of industries and circumstances including particularly aggressive enforcement against agreements no to solicit or hire and other market control agreements among competitors . Businesses of all types should take note of these developments and stay tuned for developments that could impact on their industries or practices.

More Information

We hope this update is helpful. For more information about this or other labor and employment developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications focusing on internal controls and other performance. risk and compliance and operations management.

Scribe for the ABA JCEB Annual Agency Meeting with OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care, employee benefit, insurance and financial services, business, trade and professional associations and groups,  and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns.

Author of leading works on a multitude of governance, internal controls, workforce and performance management and a host of other related compliance, risk management and regulatory and governmental enforcement and policy concerns, her work includes risk management and compliance counseling and audits, event investigation and redress, representation before regulatory and other bodies; statutory, regulatory and policy advocacy and other assistance to business and government clients. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc. disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2019 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

 

Posted in antitrust, Compliance, Cyber, Data Security, Fair Debt Collection Practices Act, Fair Debt Collections Act, Fraud, Internal Controls, marketing, Privacy, Risk Management, Uncategorized | Tagged , , , , , , | Leave a comment