Johnson, Bunce & Noble, P.C.

Cybersecurity (and Insurance) - What Attorneys Need to Know

9/25/2015

 
While cybersecurity has been an issue for as long as computers and networks have existed, the concerns business owners have are on the rise due to the substantial media coverage of data breaches. It seems that every week, another business is a victim of a cyber attack. Since almost all states now have breach notification provisions, such as the Illinois Personal Information Protection Act, 815 ILCS 530/1, et seq., business reputation risk is more prevalent now than ever.

Two leading cybersecurity studies, from Symantec and Verizon (both available as free downloads from their respective websites, www.symantec.com and www.verizonenterprise.com), are filled with important information pertaining to the most common cyber threats and trends. The Verizon study indicates that the “average loss for a breach of 1,000 records is between $52,000 and $87,000.” Verizon Enterprise Solutions 2015 Data Breach Investigations Report, page 29.

The Symantec report also presents interesting information. “Last year, 60 percent of all targeted attacks struck small- and mid-sized organizations.” Symantec Internet Security Threat Report, April 2015, Volume 20, page 6. Further, “[f]ive out of every six large companies (2,500+ employees) were targeted with spear-phishing attacks in 2014, a 40 percent increase over the previous year.” Id. at pg. 7. With the growing connectivity of the “Internet of Things,” which includes devices that may not be computers in the traditional sense but are nevertheless connected to the internet/network (think of your smart home), the threat will only increase over time. Therefore, business attorneys must possess basic knowledge of the issues involved and the ways to mitigate threats.

One such way to mitigate risk is the use of cyber insurance. Because most attorneys likely will not have any understanding of what cyber insurance is or what it covers, this article is intended to be a basic overview of what to look at when approached about cyber insurance.

Cyber insurance is generally offered to businesses to cover losses caused by data theft or loss, network intrusions, information-security breaches and lost income due to system downtime. It is available for first-party losses (e.g., the business’s own personal data, damage to the business) and third-party losses (e.g., liability to third parties that the policy holder may have). Policies vary by company, so an understanding of what is covered, what is not covered, and when coverage is negated is important.

When approached by a client with a question pertaining to cyber insurance, you should first identify your client’s major risks. Risk identification should be at least two-pronged: knowing the industry your client is in and knowing the connections through which people access your client’s networks. Careful coordination with your client’s information technology department is advisable.


When identifying risks, it is important to understand the changing landscape of the workforce. For example, ten years ago most employees accessed their computer from the office. Today, many employees work remotely, such as through a virtual network or through a mobile device. While in-house computer connections were relatively easy to monitor, the wide array of connections, and the programs used on those devices, have become more difficult to monitor. For example, Symantec found that 17 percent of all Android apps (nearly one million total) were actually malware in disguise. Id. at 10.

Next, you should gather information on existing insurance policies and coverage. The terms of the business’s existing policies may provide some protection. While some coverages may be interconnected or overlap with coverage from existing policies, such as business continuity, third-party supply chain issues and professional indemnity, a cybersecurity policy will specifically cover cyber issues.


​Next comes the review of the specific cyber insurance policies.  There are many companies that offer such insurance, and nearly all have different coverages, requirements, limits, and sublimits.  Common limits on coverage include breach notification costs, network/business interruption, and regulatory investigations.  Likewise, costs vary widely, so coverage limits are particularly important in this regard.  Indeed, some carriers will negotiate the size of the limits or sublimits without increasing the premium.  

​Reviewing the exclusions for each policy is likewise important.  For example, while one policy may exclude any losses as a result of unencrypted connections, some other policies may cover losses even in such circumstances.  

Likewise, some policies have exclusions for “failure to follow minimum required practices”, “phishing attacks”, “failure to be in compliance with regulatory frameworks”, etc.  Due to the ever-changing nature of connectivity, this could result in a client being covered one day and not the next.

​There are a plethora of other coverage issues that should also be considered.  These include, but are not limited to: the necessity and ability to obtain retroactive coverage, third-party acts and omissions coverage, coverage for regulatory actions, and data restoration costs.


In terms of other things that the business attorney can do that are unrelated to insurance, the first is to evaluate existing agreements with vendors and service providers. Consider either modifying existing agreements or having new agreements contain appropriate indemnification language for cyber concerns.

Finally, and most important, is to advise your client to stay on top of their technology. Many hackers (and automated servers) look for simple ways into a network. If they can’t find an easy entry point, then they generally move on unless they are particularly interested in the target. Simple security measures can help mitigate the risk of a successful attack.

Such measures include making an inventory of authorized and unauthorized devices and connections, checking software and updating with regularity, changing passwords regularly, placing rules on passwords, implementing realistic but firm technology use policies, securing and monitoring configurations, and automated logout of computers.

Cybersecurity is an issue that is not going away. Attorneys must start becoming more aware of the issues involved. In fact, the business attorney must also wonder how much longer it will be before their clients, and especially boards of directors in heavily regulated industries, will be required to take a more active role in information security. For the answer, one need only look as far as the banking industry, where the Federal Financial Institutions Examination Council, which includes five banking regulatory bodies, indicates that the boards will have to start overseeing the implementation of its “Cybersecurity Assessment Tool.”

Since cyber insurance is still a fairly new product, business attorneys do have the benefit of being able to learn the policies as the products mature.  Fortunately, with the cooperation of your client, your client’s information technology department, and a good broker, these immense obstacles can be overcome and your client (and client’s customers’ data) protected.  


Author: Brian F. Johnson is an attorney and shareholder with Johnson, Bunce & Noble, P.C. His practice focuses on business and real estate representation. In addition to practicing law, he holds a degree from Bradley University in Business Computer Systems.

Restrictive Covenants for Rehired Illinois Employees

9/25/2015

 

An Illinois First District case, McInnis v. OAG Motorcycle Ventures, Inc., 2015 IL App (1st)1142644, sheds light on the applicability of restrictive covenants on rehired employees.

Chris McInnis (“McInnis”) began employment with OAG Motorcycle Ventures, Inc., d/b/a City Limits Harley-Davidson (“OAG”) in Palatine, Illinois, as a salesman in August 2009. OAG was one of four Harley-Davidson dealerships which comprise the Windy City American Motor Group (“WCAMG”).

McInnis became a top salesman before leaving OAG in October 2012 in favor of employment at Vroom Vroom, LLC, d/b/a Woodstock Harley Davidson (“Vroom”). McInnis worked at Vroom for a single day, after which he contacted OAG to request his previous job.

 

OAG agreed to re-hire McInnis on the condition that he sign a confidentiality agreement, which he signed on October 25, 2012. The noncompetition clauses of the agreement, in part, prohibited McInnis from being employed by or performing work for another Harley dealership within a 25-mile radius of OAG during and for 18 months subsequent to employment, and from influencing any person or business from terminating or diminishing any existing relationship with OAG or WCAMG.

 

The consideration set forth in the confidentiality agreement was “an offer of employment with Company in an at-will employment relationship, and Employee’s exposure to Company’s and/or WCAMG’s proprietary and confidential information as its employee.”

 

McInnis was re-hired, and OAG waived the 90-day trial period that was standard for new employees before becoming eligible for benefits.

 

During his employment with OAG, McInnis had access to OAG’s customer information (names, telephone numbers, and e-mail addresses), and retained 179 names, telephone numbers, and e-mails of clients in his cell phone.

 

In May 2014, McInnis again voluntarily resigned from OAG to work for Vroom. McInnis subsequently filed a declaratory complaint claiming the noncompetition provisions of the confidentiality agreement he signed with OAG were unenforceable due to inadequate consideration for same. OAG filed a counterclaim against McInnis, as well as a third-party claim against Vroom, alleging, in part, that the client data retained by McInnis was confidential information.

 

The trial court denied OAG’s motion for preliminary injunction and granted Plaintiff’s motion for declaratory judgment, finding that Harley customers are typically brand-loyal, regardless of where the product is purchased.  The court also determined that the restrictive covenants imposed by the confidentiality agreement were unenforceable, citing Fifield v. Premier Dealer Services, Inc., 2013 IL App (1st) 120327, in which the court set the guideline that continuous employment for two or more years is sufficient consideration to support restrictive covenants.  In this case, McInnis was only employed by OAG for approximately eighteen (18) months; therefore, the court stated it was necessary to prove additional consideration “such as added bonus in exchange for this restrictive covenant, more sick days, some incentives, some kind of newfangled compensation” was given.  OAG asserted that its waiver of the 90-day trial period constituted additional consideration, but the court disagreed, finding that a trial period was not necessary, as McInnis had previously established himself within the company as a successful salesman.          

 

OAG appealed, arguing that the trial court erred in misinterpreting Fifield by failing to utilize a fact-specific approach to the unique situation. The First District Appellate Court disagreed, noting that in Fifield, length of employment was the only factor the court had to consider, whereas in this case, the trial court contemplated factors beyond the two-year employment guideline to determine if additional consideration had been given, and found none. Because no additional consideration was given, the appellate court agreed that the restrictive covenants were unenforceable, and affirmed the trial court’s ruling.

 

The decision in this case maintained the benchmark set forth in Fifield that two years of continuous employment is necessary for employment to be adequate as the sole consideration for the imposition of restrictive covenants.  However, the court stipulated that some form of consideration in addition to employment could serve to negate the two-year requirement, but did not quantify the additional consideration requisite to do so.  The case serves as guidance to employers who are rehiring former employees and attempting to impose restrictive covenants on them.

Authors: Brian F. Johnson is a shareholder at Johnson, Bunce & Noble, P.C. He focuses his practice in the areas of business and real estate. Darcie E. Curto is a paralegal in the firm and contributed greatly in the preparation of this article.

   
