Articles Posted by Insights

By now, most people are familiar with the 2013 data breach reported by Target. In what has been described as one of the largest data breaches in U.S. history, Target acknowledged that hackers gained access to credit card and debit card data from up to 40 million of its customers. In the time since the breach, much attention has been given to its aftermath and what impact it would have on the future of cybersecurity. That future appears to have arrived, at least in part, with the announcement of a record-setting settlement between Target and forty-seven states, as well as the District of Columbia.

Under the settlement agreement, Target will pay $18.5 million to the participating states, which is in addition to $10 million that Target has already paid to consumers in a settlement of a private class action lawsuit and $39 million Target paid to several banks that serviced MasterCards used by Target’s customers. Yet, the settlement is noteworthy for several reasons beyond the staggering financial component, and the implications that are left behind offer some useful guidance for companies hoping to avoid suffering a similar fate to Target’s.

First, anyone looking for direction on how to structure their own company’s internal cybersecurity protocols and defenses in a way that would ostensibly comply with the standards acceptable to their respective state’s Attorney General can now look to the settlement agreement as a model (except if you live in Alabama, which did not participate in the settlement as it lacks a state data breach notification law, or Wisconsin or Wyoming, which chose not to participate in the settlement). While the settlement is not binding on anyone but Target, it represents a joint effort by nearly every state’s Attorney General to ensure future cyber-breaches of the same magnitude as Target’s do not occur. This means that it is likely a strong indicator of what state enforcement agencies are going to look for in future investigations when determining if a company had proper cybersecurity safeguards in place. For instance, the agreement mandates that Target implement corrective measures such as maintaining appropriate encryption policies, implementing password rotation policies and two-factor authentication, and even segmenting cardholder data from the rest of Target’s computer network. Incorporating such protections into your company’s cybersecurity and data privacy protocols is a sound practice and now appears to be one that carries at least some unofficial governmental approval.


On June 1, 2017, New Jersey Governor Chris Christie signed Executive Order 225 directing NJ’s Chief Technology Officer to set in motion actions to deliver a more secure, efficient, and reliable information technology platform and services across the Executive Branch.

Previously, each state department and agency oversaw its own information technology services, software and hardware integration. Under the new Executive Order, the Chief Technology Officer of the State of New Jersey is granted broad authority to oversee and integrate the hardware, software, and other information technologies used by departments and agencies within the Executive Branch. In speaking to the Chief Technology Officer at the signing of the Executive Order, Chris Christie stated:

“This is a big day in changing state government. To take away that authority and personnel from every one of the state departments and agencies and put it in your hands is a sea change in the way government is managed given how integral information technology is to the everyday operation of government. This is about a common-sense approach to taking us to a new level in terms of our information technology, and what we know is our customers, the 8.9 million people of the State of New Jersey are going to demand we do it.”

In New Jersey, there are two basic concepts of child custody. The more familiar concept is “physical” custody which refers to where and with whom the child will live. When parents share “joint physical” custody, the child lives with each parent for a certain amount of time during the year. A parent with whom the child spends most of their time is designated as the Parent of Primary Residence (“PPR”) or the primary caretaker. The parent with whom the child has time-sharing is designated as the Parent of Alternate Residence (“PAR”) or secondary caretaker. Generally, unless there is a concern that the parent of alternate residence will harm the child, parenting time or visitation rights will not be withheld.

The less familiar but equally important concept is “legal” custody which refers to a parent’s right to make decisions concerning their child, such as medical treatment, selection of healthcare providers, education, engaging in what might be considered hazardous activities and other significant decisions. In most cases, parents will have joint legal custody of a child and share the decision-making responsibilities. In some instances, however, the judge may award sole custody where only one parent has legal and physical custody. This is a relatively rare occurrence that is ordered only when the other parent is absent or legally unfit. A parent may be unfit if he or she has engaged in child abuse or neglect or is struggling with an addiction to alcohol or drugs. Absent such circumstances, a joint legal custodial relationship among parents is the preferred arrangement since it is likely to foster the best interests of the child.

A recent Court decision restated that “the prime criterion for establishing a joint legal custodial relationship between divorced or separated parents centers on the ability of those parents to agree, communicate, and cooperate in matters relating to the health, safety, and welfare of the child notwithstanding animosity or acrimony they may harbor towards each other. The ability of parents to put aside their personal differences and work together for the best interests of their child is the true measure of a healthy parent-child relationship.”


Because of the fiduciary duties owed by business owners to each other, whether they are shareholders in a closely held corporation, members in a limited company, or partners in a general or limited partnership, a business owner generally is prohibited from competing with the company. This general prohibition can be modified by an agreement among the owners, but in the absence of such an agreement the prohibition stands.

Failure to do so is referred to as the diversion of corporate opportunities. An owner of a closely held business has a duty to bring to the company any business opportunity that the company would normally expect to seek to pursue. The opportunity must be presented to the company and cannot be pursued individually unless the company decides not to pursue that opportunity.

As with the prohibition on competition, the requirement to present all opportunities to the company can be altered by contract. Pursuant to N.J.S.A. 14A:3-1, a corporation can renounce its interest in, or expectancy of the opportunity to pursue, specific opportunities. One manner in which corporate opportunities can be relinquished is to insert the pertinent language in the Certificate of Incorporation. When starting a new business, if there is any thought that one or more owners might want the right to pursue competing opportunities, you want to include language in the Certificate of Incorporation, or a separate shareholder agreement, that specifies what competing businesses the shareholder may appropriate.


Lindabury’s Cybersecurity and Data Privacy Practice Group Co-Chair Eric Levine spoke at the NJBIZ Cybersecurity conference on May 17th at the Raritan Valley Country Club in Bridgewater, explaining how companies can get hurt by doing the right thing when it comes to cybersecurity.

“To protect any small business, you need to have legal involved, if for no other reasons than to cloak what you are doing with privilege or confidentiality — by that, I mean communications with your attorney that nobody else can get to,” he said.

“Think about it,” he told the audience. “You hire (an expert) who comes in and does a vulnerability assessment and they find out you have a gaping hole in your security. That’s great. You fix it.


Parents who are either currently going through a divorce or were divorced many years ago often ask “at what point do I no longer have to pay child support for my children?” It surprises some parents to learn that there has been no specific age at which parents are no longer obligated to pay child support.

Parents who are already divorced should review their settlement agreement which usually spells out the conditions which must be met for the child to be deemed “emancipated.” It is at the time of emancipation when parents no longer are financially responsible to support their children.

A recent change in New Jersey law provides more certainty. As of February 1, 2017, unless otherwise specified in a Court order or judgment, the obligation for a parent to pay child support stops without a Court Order on the date of a child’s marriage, death or their entry into military service.

Eric Levine, Co-Chair of Lindabury’s Cybersecurity and Data Privacy Group, was recently interviewed by NJBIZ’s Brett Johnson regarding a business’s first line of defense against a cyberattack. Levine says the approach exploits features inherent to human nature. “It’s preying on people’s inquisitive side,” Levine said. “And you can’t buy a firewall for that.”

“Yes, there are hackers who are out there who are trying to break through firewalls through different approaches, including state-sponsored actors, and there are many technologies to protect against that,” Levine said. “But it’s the social engineering — (stuff like) phishing scams — that capitalizes on mistakes people make that are the easiest tools to utilize.”



Lindabury’s Bob Anderson, shareholder and co-chair of the Cybersecurity and Data Privacy Group, was interviewed by NJBIZ’s Tom Bergeron in response to the worldwide ransomware attack over the weekend. Bob said the attacks last weekend were not a surprise at all to the people in the industry.

“It was just a matter of time before something like this happened,” he said. “We’ve seen ransomware attacks pick up at an incredible level the past few years. It was just going to happen at some point that somebody was going to launch something that was going to travel from computer to computer and spread to every country in the world.”

Lindabury will be represented at the NJBIZ Cybersecurity panel discussion on May 18th at Raritan Valley Country Club in Bridgewater, where the Cybersecurity and Data Privacy Group’s co-chair Eric Levine is participating as a panelist.

On March 3, 2017, the Appellate Division of the New Jersey Superior Court upheld a Chancery Court’s determination requiring parties to participate in an investigation of contamination despite the fact that there was no evidence linking any of the parties to the contamination. Matejek v. Watson, et al., Dkt No. A-4683-14T1. In doing so, the appellate court employed principles of equity to expand potential liability under the New Jersey Spill Compensation and Control Act, N.J.S.A. 58:23.11 et seq. (the “Spill Act”). The Matejek decision, which seems inapposite to other Spill Act jurisprudence, greatly expands the reach of the Spill Act and would require parties to expend resources to investigate contamination even when there is no evidence of any nexus to that contamination.

The decision has its genesis in oil contamination discovered in a tributary located in the vicinity of a residential condominium development. The New Jersey Department of Environmental Protection (“NJDEP” or the “Department”) responded to the threat by removing, at state expense, underground storage tanks from each of the adjoining five condominium units. Once the tanks had been removed, the Department determined that there was no further imminent threat to the tributary and terminated further work on the site. However, the Department never closed its administrative file and the site remained on the Department’s active list. Several years later, the owners of one of the condominium units sought to complete the investigation in order to remove what they deemed a cloud on title. They then brought an action against the other four condominium owners to compel them to equally participate in and complete the investigation (and, if necessary, the remediation).

The Chancery Court, after a bench trial, entered judgment requiring the parties to jointly retain a licensed site remediation professional to complete the investigation. The Court held that despite the fact that there was no evidence of the precise source of or responsibility for the contamination, the fact that the Department ordered the removal of all five tanks was enough to require that all of the impacted unit owners share in the steps necessary to further investigate the source of the contamination. More bewildering is the fact that the decision did not discuss or make any findings as to which of these five tanks had leaked or been involved in the discharge. Adjoining unit owners Carlos and Jean Gilmore appealed the Chancery Court’s determination arguing that the Spill Act didn’t require them to participate in a remediation absent evidence that they caused or contributed to the contamination.

May 3, 2017 was a bad day for Google as a major phishing attack spread like internet wildfire, targeting users of Google Docs. However, as bad as it was for Google, it provided us with a real-life example of how the first line of defense against a cyber-attack is none other than you and me. People, not breached firewalls or lack of encryption, are often the cause of a major cyber incident, but with a little diligence, we can present a formidable front-line defense.

What occurred on May 3, 2017 has been described as a widespread phishing scheme through which people received an email, apparently originating from a trusted source, that asked the recipient to open a Google document that was embedded within the email. If the recipient of the email opened the Google document, they would have granted the sender access to the recipient’s email account and contacts. Once the Google document read the recipient’s contacts, it in turn sent more phishing attempts to the recipient’s contacts. The cycle repeated itself rapidly, and Google estimated that the attack spread so quickly that at the peak of the attack, Google’s customer base saw about 150 messages sent per minute. It was estimated that the attack may have affected at least one million people.

Phishing is a form of social engineering that involves sending emails that appear to come from a trusted source or someone the recipient knows, in an effort to obtain the recipient’s computer credentials, to hack into the recipient’s private accounts and obtain their personal information, or to infect the recipient’s computer systems. It is a common method of cyber-attack today and one, as Google can attest, that can quickly cause widespread havoc.
