Responding to Litigation Hold Notices

The purpose of a litigation hold is to preserve relevant information when an organization reasonably believes this information can lead to an investigation or litigation. The information to be preserved can be documents, equipment and/or electronic information or materials that may be relevant to a lawsuit or an investigation, depending on your industry. If relevant documents or information are lost, altered or destroyed, the company could suffer serious legal consequences.

The spoliation of evidence is “the intentional, reckless, or negligent withholding, hiding, altering, fabricating, or destroying of evidence relevant to a legal proceeding.” The maximum penalty for destroying or concealing evidence is either six months in a county jail or a fine up to $1,000, or both. For example, spoliation can occur when documents are shredded, emails are erased, or physical evidence is sold, destroyed, hidden or otherwise rendered unavailable for trial. It is the company’s duty to take all reasonable steps to preserve potentially relevant information.

The risk professional’s role is vital—he or she may be aware of an incident that might give rise to a claim or suit, well before a suit is filed, sometimes even a year or more. For example, if you receive an incident report that a third-party vendor fell on your property, you would call security to see if there is video of the incident, and if so, secure a copy of that video. You would interview any witnesses, preferably on the day of the event while memories are fresh, and document the incident in their words. If the victim alleges that something caused the fall, then you should take photos of the location and determine whether the pavement was wet or dry, whether there was debris in the aisle, what the weather conditions were, and other considerations. Once you complete the investigation, all documentation should be stored and secured.

If there is a claim that is either in a lawsuit or the company believes could later become a lawsuit, the clock starts ticking on litigation hold notices. In the United States, the law requires that companies comply with their duty to preserve evidence. Evidence is broad and can include an automobile involved in an accident; emails; a chair involved in a slip and fall; videos, voicemail, photographs or text messages; among others. The notice can involve official company files, personal files or non-official files. All information that may be relevant to the matter must be preserved.

Preserving potential evidence that the company believes may reasonably lead to a lawsuit or investigation takes a coordinated effort that can involve legal, risk management, IT, HR, compliance, engineering, security and any other department.

If you are an employee who may have information pertinent to an investigation or lawsuit, you would be considered the custodian of this information and would have a legal obligation to preserve such evidence. The legal department or possibly a third-party administrator would instruct you, as custodian, to preserve the evidence. The general procedure is that you would receive a notice on a matter that could be involved in an investigation or a lawsuit. You will be required to review, comply, sign and certify a document that states you agree to preserve information that would be related to the event. There may be a requirement to return the signed document within a certain amount of time from receipt, and violation may result in disciplinary action that can include termination.

The evidence required may be very specific (such as video recorded on this date), or general (like all related emails), and may include a date range. Once identified, do not destroy, alter, modify or delete documents subject to the hold notice. When the lawsuit or investigation is completed you will receive a termination and release of this obligation. The evidence may be saved as part of the company record retention program.

Risk management can play an important role in this process by storing the hold notice in the claim file, periodically reminding custodians of their obligations, involving and sending new notices for new custodians that might have evidentiary material, and notifying custodians of termination of hold notices.

‘Take-Home COVID-19’ Claims: Preparing for a Second Wave of Coronavirus Litigation

The Spanish Influenza epidemic came in three waves, with the first hitting in March 1918, the second in the fall and the third in the winter of 1919. The U.S. Centers for Disease Control and Prevention considers the second wave to have been the most deadly. In the United States, well over half of the epidemic’s death toll of 675,000 occurred during the second wave. It is no surprise then that public health experts were already warning of the possibility of a second wave of the coronavirus pandemic when the world was just beginning to acknowledge that the first wave was upon it in February.

Personal injury mass litigation also comes in waves. Consider asbestos: In the first wave, individuals who worked directly with asbestos filed workers compensation claims. Workers exposed to asbestos in products filed products liability suits during the second wave. A third wave included “take-home asbestos” claims in which workers’ children and spouses sued for illnesses caused by exposure to asbestos fibers taken home from work. A fourth wave is now underway with the alleged asbestos contamination of consumer talc products.

The first wave of personal injury coronavirus litigation emerged in early March when a married couple sued Princess Cruise Lines for gross negligence for placing “…profits over the safety of its passengers, crew, and the general public in continuing to operate business as usual.” Many similar individual and class action lawsuits have followed. According to an analysis by the Miami Herald, some 3,600 cruise line passengers have contracted COVID-19 and more than 100 have died. 

The situation in nursing homes is far worse. Nursing home residents account for an estimated 40% of U.S. coronavirus deaths thus far. Predictably, wrongful death suits filed by the family members of nursing home residents are surging, even as some states move to shield nursing home operators from liability. Personal injury lawsuits have also been filed against hospitals, meatpackers, restaurants, grocery stores and warehousing operations.

However, as the first wave of the coronavirus pandemic subsides, personal injury litigation may subside along with it. But what if the pandemic has a second wave? Although there is a great deal of uncertainty, public health experts now believe that there is no inherent seasonality to COVID-19 itself, but they remain deeply concerned that a combination of complacency and greater indoor activity could lead to a second wave of infections in the coming months.

What would a second wave of coronavirus personal injury litigation look like? One possibility that modelers at Praedicat are considering is a wave of “take-home COVID-19” litigation arising from occupational infection, coupled with high rates of intra-family transmission. Praedicat modelers estimate that 7-9% of COVID-19 deaths in the first wave have been family members of workers in essential industries who acquired coronavirus at work. With widespread testing and improved contact tracing, take-home transmission could be relatively easy to demonstrate during a second wave. The first take-home COVID-19 lawsuits were filed in August against an electrical supply company and a meatpacking facility, and the precursors to these complaints are present in earlier lawsuits filed against Amazon and McDonald’s.

Many public health officials believe that it is entirely within our power to keep a second wave of the virus from forming while we wait for a vaccine to be developed and deployed. A unified and steadfast public health campaign is critical if we are to avoid a second wave, and so is the work of individual companies to limit transmission among their workers and customers. First and foremost, this means closely adhering to federal, state, and local guidelines and industry best practices regarding disinfection, screening and testing, social distancing, and the use of masks and other personal protective equipment. Employers might also work to raise awareness of take-home exposure and the risk to vulnerable older family members or those with pre-existing conditions like diabetes that have been shown to elevate the risk of life-threatening complications associated with COVID-19. Depending on the circumstances, maintaining social distance at home may be just as critical as maintaining social distance at work.

While a second wave of the pandemic may be unlikely, some level of infection, illness, and litigation is sure to be with us until there is a vaccine. The best protection against liability is making the safety of workers and customers paramount. But risk managers need to prepare for the worst and should also be reviewing the availability of coverage for employment related coronavirus claims, including take-home exposure. The employers liability exclusion under a general liability policy, for example, might exclude claims made by the family members of workers.

Reducing Risk Exposure Through Sanctions Screening

International sanctions have increased in recent years and discrepancies still exist between how financial institutions and non-banking financial institutions in different countries and regions handle them. This has led to ongoing international tensions where politicians use asset-freezing, confiscation and other sanctions as tools to forward personal agendas, producing an increased stream of sanctions. It also leads to headaches for the compliance industry as it attempts to assess their level of risk.

For example, there is a great difference in how sanctions are applied between the United States and the European Union/United Kingdom as a result of the United States leaving the Joint Comprehensive Plan of Action (JCPOA) agreement and re-implementing sanctions against Iran progressively in 2018. In a post-Brexit world, it is likely that a divergence between European Union and United Kingdom sanctions will occur over time.

Increasing challenges add to complexity for compliance professionals conducting sanctions and transactions screenings in accordance with regulations and institutions’ policies. The rapid transition to an increasingly digital world amidst COVID-19 begs the question: Do financial institutions truly understand the identities moving within their digital networks?

The Wolfsberg Group recently published detailed guidance for financial institutions regarding sanctions screening. The guidance highlights the importance of account and transaction screenings, but does not propose fundamental changes to the processes that financial institutions should follow already. Compliance officers need to rely on robust sanctions screening systems, high data quality and up-to-date policies to drive a successful long-term sanctions screening program.

Compliance departments should continue to conduct basic functions such as documented controls and procedures. They should also require a clear understanding of sanctions risk and how essential it is to take a risk-based approach to customer onboarding. Further, the compliance team should consider improving the following:

  1. Sanctions List Management: List data can be incomplete and decay over time. Active list management is essential for compliance personnel to ensure complete, accurate and up-to-date data.
  2. Screening Technology: Screening engines vary in capability. Platforms should meet business needs on a basic level and be able to:
    • Manage requisite screening record volumes
    • Configure to reflect the differing risk profile lists
    • Efficiently remediate alerts through fully functioning workflow tools
    • Ingest a variety of external lists
    • Integrate APIs into enterprise systems
  3. Sanctions Data: Not all externally provided sanctions lists are created equal. Financial institutions should conduct thorough due diligence and compare data from different sources. Some issues to consider:
    • How the data is synthesized from original issuing bodies
    • The quality controls within the research process
    • The extent that the provider enriches the data to maximize secondary identifiers of sanctioned individuals
    • How complete the data set is, given the many official bodies globally and whether the system is configurable to select those relevant to the institution in question
    • Whether the data provided facilitates consolidation of entities appearing on multiple sanctions lists to lower duplicate alerts and minimize analysts’ efforts

Sanctions screening is a vital but complex process and a continuously trained compliance staff helps ensure that the financial institution is consistently screening against the most relevant and up-to-date sanctions lists. Sanctions authorities require increasingly strict compliance and this involves employing intelligent augmentation through a combination of human efforts and new technologies such as big data, data analytics, machine learning and artificial intelligence.

Organizations can best reduce risk exposure by using all the compliance tools in a responsible and efficient way. Only then can a financial institution be sure that it is navigating the increasingly complex and rigorously enforced regulatory landscape.

3 Tips for CCPA Enforcement During COVID-19

As we move into the second half of 2020 and the California Consumer Privacy Act (CCPA) is officially enforced, we are also in the midst of a global crisis that was not properly on the radar when the regulation was enacted in January. Organizations are now being tasked with CCPA compliance in an unexpected remote work environment, with more personal data available online than ever before. And some organizations have the added privacy challenge of contact tracing practices or applications being used internally to monitor employee health.

Even in the remote work environment, relevant companies must ensure that they are informing customers and staff about what data they are collecting, options for which personal details are being gathered, the right to say no and opt out of data collection, the right to request deletion of their information, and equal pricing despite their privacy selections.

Many businesses are still struggling to implement these guidelines and are attempting to avoid significant penalties, all while meeting uptime demands. Below are some tips from security and technology industry experts for the best ways to implement CCPA compliance:

Rely on Data Privacy Regulation Experts 

There is increasing uncertainty around many businesses’ futures, and therefore, it is critical to turn to data privacy regulation experts for advice, guidance and technological support. 

“With exponential amounts of enterprise data only increasing, ensuring data privacy involves layered, complex challenges for any business. From a cloud hosting perspective, meeting evolving compliance and privacy regulations, such as the CCPA law which is just beginning to be enforced, is one of those layers. One of the most important steps organizations can take to guarantee they are on the right path towards compliance is to rely on hosting providers that have teams experienced with privacy law regulations,” said Lex Boost, CEO of Leaseweb USA.  

While it may be tempting to rely on internal teams during the economic downturn, employee burnout in already resource-strapped IT and security teams could cost the companies more in talent loss and potential breaches/fines. Thus, companies should evaluate external providers.

Boost also said, “These providers can guide the process needed to guarantee data is managed within current and upcoming privacy regulations, allowing organizations to focus on maximizing data usage and the experience for their customers.”

Have the Right Cybersecurity Measures in Place 

Proper cybersecurity measures are often major components for achieving compliance with a variety of regulations, but especially the CCPA, which is focused on protecting sensitive data and users’ privacy rights. With major hacks making recent headlines at companies like Twitter, and ransomware attacks that threaten to exfiltrate and leak private data on the rise, companies should be on high alert.

“Nobody is safe from an attack leaking personal information, and it’s absolutely essential that correct cyber measures are in place to secure privileged accounts, in particular, as thoroughly as possible. With more information online and spread out than ever before, hackers not only have the ability to scam people, but also undoubtedly have access to private messages, security information, and other personal data,” said Torsten George, cybersecurity evangelist at Centrify.  

On top of increasing breach risks, many companies’ distributed workforces are making security preparedness even more complex. But there are solutions, according to George: “To protect organizations during this transitional remote working phase and the implementation of CCPA, it’s imperative to provide your IT administration teams, outsourced IT, and third-party vendors with secure, granular access to critical infrastructure resources regardless of location and without the hassles of a virtual private network (VPN). Privileged access management solutions can both maintain compliance and enable secure remote access to on-premises and cloud-based infrastructures, securing all administrative access with risk-aware, multi-factor authentication (MFA), and maintaining the level of compliance CCPA requires.”

Look Toward the Future 

The CCPA currently protects Californians’ privacy rights, but many legal and security experts think this could inspire a similar regulation at the federal level if it is successful.

“The CCPA is the first law of its kind in the United States, and it could set a precedent for other states. And because it applies to most companies who do business with individuals residing in California, the sweeping new law promises to have a major impact on the privacy landscape not only in California, but the entire country. The passage of a cohesive U.S. federal privacy law, one that will preempt state laws, is gaining momentum. It has strong bipartisan congressional support, and several large companies from a variety of industry sectors have come out in favor of it, some even releasing their own proposals. There are draft bills in circulation,” said Wendy Foote, senior contracts manager at WhiteHat Security.

Foote also advised, “With a new class of representatives sworn into Congress in 2019 and the CCPA effectively putting a deadline on the debate and officially being enforced in July, there may finally be a national resolution to the U.S. consumer data privacy problem. However, the likelihood of it passing in the very near future is slim. A single privacy framework must include flexibility and scalability to accommodate differences in size, complexity, and data needs of companies that will be subject to the law.”

It will take several months of negotiation for lawmakers to agree upon how the federal law would be implemented. While companies wait for the passage of a national privacy law and for it to take effect, they must continue to monitor developments in both state and federal privacy law and adapt as necessary.

Consumer privacy will continue to evolve, particularly in the time of COVID-19. Because of this, newer laws and regulations, like the European Union’s GDPR and the CCPA, must be flexible and evolve over time too.