Cybersecurity: Understanding a Texas Business’s Exposure to Liability (Part I)

With a number of recent cyber security events making the headlines, businesses across Texas are wondering what type of liability they could be subject to if such an event were to strike their business as well as what type of liability they may be subject to for inappropriately accessing electronic data.  This is the first in a two-part series that will help answer those questions.

In general, there are three potential types of liability that a Texas business is exposed to under either of these scenarios: statutory liability; contractual liability; and tort liability.  This post will focus on statutory liability with a subsequent post addressing contractual and tort liability issues.

There are both federal and state statutes regulating access to and use of electronic information.

The Federal Cybersecurity Laws

At the federal level, business owners and managers should be familiar with the Stored Communications Act (“SCA”), the Electronic Communications and Privacy Act (“ECPA”), as well as the Computer Fraud and Abuse Act (“CFAA”).

Stored Communications Act.  The Stored Communications Act prohibits an individual from willfully or intentionally accessing, without authorization, a facility through which an electronic communication service is provided, or exceeding his or her authority to access that facility, and thereby obtaining, altering, or preventing authorized access to an electronic communication while it is in electronic storage in such system.  The SCA most often impacts employers when they access communications stored on company-owned electronic devices or with third-party service providers and the company is not a party to that communication.  One example is reading an employee’s personal email stored on his or her company-issued phone.  There is a developing body of case law interpreting the SCA that identifies the circumstances under which an employer may access these (and other) types of communications on an electronic device or a service provider’s server when the company is not a party to the communication.

Electronic Communications and Privacy Act.  The Electronic Communications and Privacy Act prohibits the interception of electronic communications as well as the use or disclosure of intercepted communications without authorization.  The ECPA also impacts employers attempting to monitor or investigate the activities of their employees.  The ECPA differs from the SCA in that it prohibits the interception of an electronic communication, while the SCA prohibits accessing a communication in storage.  Companies should consider the ECPA’s prohibitions any time they consider implementing a monitoring program that will intercept emails or other electronic communications.

Computer Fraud and Abuse Act.  The Computer Fraud and Abuse Act makes the unauthorized access of a private computer system a criminal offense and allows an individual (or business) affected by such activity to bring a private cause of action.  For employers, the CFAA most often comes into play when an employee or former employee is found to have accessed information on the company’s computer system without authorization.  The CFAA clearly applies to the activities of former employees or other outsiders; however, the interpretation and application of the CFAA to current employees has varied widely across federal circuits.  In Texas, the analysis of whether the CFAA applies to an employee’s activity generally looks at whether the access violated the company’s terms of use policies and whether the employee knew of that policy.

Texas Cybersecurity Law

At the state level, the Texas Business & Commerce Code imposes a duty upon businesses to implement reasonable procedures, including taking any appropriate corrective action, to protect against the unlawful use or disclosure of any sensitive personal information collected or maintained by a company in the regular course of business.  This applies to information collected or maintained about customers as well as employees.  The TBCC also mandates specific procedures for the destruction of records that contain sensitive personal information.

The TBCC imposes a number of notification requirements and procedures upon businesses that are subject to a breach of system security if the breach is reasonably believed to have resulted in the disclosure of sensitive personal information.  Texas recently expanded the breach notification requirements to include notification to any individual whose information was potentially exposed, regardless of that person’s state of residency.

 

Preparing for Due Diligence When Selling A Company And Why It Is Important

Anyone who has gone through the process of selling a business knows that it can be a time consuming and tedious process.   Anyone who has gone through the process of buying or selling multiple businesses knows that not all sellers put forth the same effort in preparing their businesses for sale.  The amount of effort a seller puts into preparing for the sale goes a long way in determining whether the process is painfully tedious or a mere inconvenience on the road to a prosperous closing.  More importantly, a seller’s lack of preparation could kill the deal or reduce the purchase price.

Why does preparation of the seller matter so much?  I’ll give you two reasons: trust and credibility.

If a seller has taken the time and put forth the effort to properly prepare the company for an acquisition, it makes the process much easier because the seller has organized and made available the information a prospective buyer will want to review during its due diligence.  This establishes credibility with the buyer.  It establishes confidence that the seller understands its business, the risks a buyer will want to review, and ultimately confidence that the seller has properly monitored and managed those risks prior to the sale.

Imagine a buyer who inquires about a company’s FCPA compliance.  The seller immediately responds with documents including its compliance policy, training, incident reports, investigation results, and performance audits.  The seller also identifies and makes the individual responsible for monitoring its compliance program available for an interview.  This communicates to the buyer that the issue it is concerned about was properly addressed and managed by the seller.  It demonstrates that the seller understands its business, the risks inherent in that business, and that the seller properly managed those risks.

Now imagine if the seller responded that it would look for any documentation it had and provide what it found.  Regardless of whether that seller eventually provides the exact same information as in the scenario above, it immediately creates questions and doubts in the buyer’s mind.  How could the seller not understand this would be an issue that any buyer would inquire about?  Does the seller not understand the importance of this issue?  Did the seller not properly manage the associated risks?  What other issues might this seller have ignored?  What other unknown risks might I be buying into from a seller who doesn’t understand the risks inherent in his business?

Assuming the buyer doesn’t just turn and walk away, this lack of preparation can have a serious impact on the seller.  The prospective buyer will undoubtedly ask much more detailed and in-depth questions.  The doubt could also lead the buyer to demand a discount on the purchase price because of its questions about the risk exposure.  All of this results from the fact that the seller did not take the time to properly prepare for the due diligence process.

This is an example on the topic of compliance, but preparation is just as important for issues related to corporate governance, taxes, legal, and accounting questions.

So how does a prospective seller make sure it is prepared for a buyer’s due diligence?

  1. Identify a due diligence team which includes a lead manager as well as representatives from each core business unit subject to review. These representatives will be the individuals responsible for assembling and organizing all relevant information from their respective units.
  2. Create checklists of action items and materials that you would expect an acquiring company or individual to inquire about.  This is the time to take a critical look at your business and identify any potential risk exposure so that you may address it before it is discovered by a potential acquirer.
  3. Collect and organize all information that you intend to make available to prospective acquirers during the due diligence process so that it is organized, readily available, and easily identifiable.
  4. Prepare a data room or central repository and index all of the information that it contains.  This may be a physical room onsite or at an adviser’s office, or it may be a virtual repository. In any case, you should make sure it is secured and that all access is strictly monitored.
  5. Prepare any confidentiality agreements that you will require from prospective acquirers prior to allowing them access to any data.  These will undoubtedly require negotiation between the seller and prospective buyer but the seller should have a form ready with the key terms it will require.
  6. Prepare a list of qualifications for any prospective buyer.  It is important to verify that the potential acquirer is in fact qualified to do so before allowing it access to sensitive information about your company.
  7. Identify what information you will make available to a prospective buyer and at what stage of the process.  Identify particularly sensitive data that you may want to only make available at the later stages of the process.
  8. Prepare a communication plan identifying who the primary point of contact will be with prospective acquirers and within the company.  You should identify which individuals in the company will be responsible for communicating about which topics so that any inquiries may be directed to the appropriate individual swiftly. You may also want to spend time preparing those individuals to respond to anticipated questions and even develop guidelines or a reference sheet.

Texas Franchise Tax Annual Reports Due May 15th

Don’t forget to file your Texas Franchise Tax Annual Report this year.  The due date is coming up on May 15th.  Corporations, limited liability companies, professional corporations, partnerships, trusts, associations, and joint ventures are all subject to the tax and required to file an annual report.

You can find information about the Texas Franchise Tax by visiting the Comptroller’s website here.  You can find forms and e-file your report on that website as well.

Failing to file your annual report could result in significant penalties including forfeiture of the right to transact business, the entity’s charter, and personal liability for officers and directors.

Getting Down to Business – Houston with Capital One

Capital One has a great program for small businesses that I wanted to highlight.  If you are interested, then don’t procrastinate as the deadline to apply is coming up on April 1st and there are only 15 slots available. Capital One’s Getting Down to Business program debuted in Houston in 2009.  The program is a…

Key Issues That Should Be Addressed in a Buy-Sell Agreement for Texas Businesses

Buy-Sell Agreements should be found in every private company with multiple owners.  They are invaluable in any number of situations as a tool to avoid deadlock, discord, receivership, or winding up and termination of a company.  Buy-sell agreements may be separate stand alone documents, they may be part of the entity’s governing documents, or they…

Is This The Beginning of an Era of Entrepreneurship and Business Ownership?

I’m seeing it in my own practice and I’m hearing it from other attorneys, not just business lawyers but also those in the areas of estate planning and litigation. Over the past year, more and more clients are looking for help starting their own business.  Folks are looking for assistance with setting up their business…

When should you hire an attorney to negotiate your agreement?

Business owners, partners, managers in closely held companies all share a very common trait – they like to do things themselves.  Why pay someone else if you can do it yourself?  The first question every business owner usually asks before spending money is whether the expenditure will provide convenience, cost savings, expertise, or will it…

SBA Releases New Courses on Online Security for Small Businesses

The Press Release is below: Small businesses can help keep their business information safe and protect their online information with a new free course from the U.S. Small Business Administration. In support of President Obama proclaiming October as National Cybersecurity Awareness Month, SBA is launching this new course, designed for small businesses, to provide an…

A Summary of the 2013 Texas Legislature’s Impact On Business Laws In Texas

The Texas legislature’s 2013 regular session produced a number of bills that amend or alter laws affecting businesses in Texas.  Below is a summary of key bills passed by this legislature that affect Texas businesses, some of which will be addressed in more detail in later posts.  There is also a list of other bills…

Intuit’s Small Business Super Bowl Commercial Promotion

In case you missed it, Intuit is running a competition for small businesses in which the winner will receive a professionally produced commercial to run during Super Bowl XLVIII.  You can read about the competition here. I know it’s a long shot, but hey, who wouldn’t want free advertising to the tune of $4 million…