It’s early in the year. Famco’s employees are looking to get their taxes done. Anticipated refunds will ease the pain from holiday excess. The small manufacturer’s CFO sighs in relief that the rush to complete the corporate W-2s is done. Down the hall, Famco’s controller opens an email from his CEO. Nothing out of the ordinary in how it looks, but its message is a bit odd. The CEO says she’s working on a significant project for tax purposes and needs all employee 2016 W-2s pronto in .pdf form. She’s a hard driver. The controller fears wasting her time if he raises questions, so he dutifully rolls all the W-2s into one attachment and responds.

No questions asked, just obedience, even though he knows the CEO never works hands-on at this level. But, if that’s what she wants…

The next week, one of Famco’s sales managers stops by the CFO’s door complaining that he couldn’t file his taxes electronically. The IRS claimed to already have his return on file. He expects a substantial refund and is frustrated. The next day, Famco’s logistics coordinator emails the CFO asking about problems with the IRS refusing to accept tax returns.

Curious now, the CFO visits the IRS website. He sees an IRS Notice about false tax returns being filed by criminal elements claiming taxpayer refunds. The ruse is discovered when the taxpayer’s efforts to file electronically are rejected. The Notice warns this is now a common internet scam, “phishing”, where the scammer duplicates a corporate email style and uses what looks like a CEO’s email address as the originating email to a CFO or controller seeking employee W-2s. But the key to the scam is that the email’s return domain is almost imperceptibly varied. Instead of “CEO@famcorp.com”, it might be “CEO@famcoorp.com”, “CEO@famcorp.rus” or some other slight, but significant, shift.

Famco’s CFO immediately calls his staff together. The controller mentions the CEO’s email and how he timely and duly responded, no questions asked. Copies of the relevant emails are produced. Indeed, the controller’s response with the W-2s was routed not to the CEO, but rather to the internet’s dark underbelly, putting all employee personal identifying information, “PII” (e.g., here: names, addresses, social security numbers and earnings), instantly in scammers’ hands. Sickened, the CFO takes this information to the CEO.

Famco has a serious, immediate problem, and the CEO is very concerned. Suddenly the entire cybersecurity of the company is in doubt. The company’s counsel must be involved. The Tech Support team verifies there was no breach of their firewalls or security in software or hardware. Costly and embarrassing employee notifications must be issued. But how? When?
Federal or state mandated public notification may be necessary. Risk scenarios have to be determined. Do law enforcement authorities need notification? Is that confidential? Board or even shareholder notification requirements may apply. Identity protection needs to be purchased for impacted people at the company’s expense. What about cyber-risk insurance coverage? Intercepted Famco employee refunds need recompense.

The list goes on. Even for a small company such an event can crush profits or worse, with remediation costs running deep into the thousands, tens of thousands of dollars or even more. Larger companies can expect remediation costs running into the millions of dollars as the number of those impacted skyrockets. Bad publicity, loss of goodwill and reputational damage just pile it on.

Some corporate leaders may scoff, “that will never happen to us!” In reality, the question is not “if”, but “when”. Thousands of upstanding companies, large and small, around the country were scammed like this in the past two years alone. Walter | Haverfield’s Cybersecurity Team received a number of client calls here as tax season unfolded last year. No doubt new scams are developing for 2017.

But this sort of phishing scam is avoidable if the company creates an atmosphere of 360-degree verification on trade secret, intellectual property, PII, and other confidential information. Had the controller simply verified the email request with the CFO or even the CEO, the entire disaster would have been avoided. A priority must be stressed within the company of verifying questionable or even routine-looking requests for such information up the chain of responsibility. Company policies need to be in place, with employees trained, requiring verification either in person, by phone, or by separate (not “reply”) email before response to such emails, regardless of the person purportedly seeking the information.
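As an added illustration (not part of the original article), the lookalike-domain trick described in the IRS Notice can also be flagged automatically before anyone replies. The example Python below checks a message’s From and Reply-To headers against the company domain; the sample message, the function names and the distance threshold are assumptions constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "famcorp.com"  # company domain from the article's example

# Constructed sample: display address looks right, replies go to a lookalike.
SAMPLE = """\
From: "CEO" <CEO@famcorp.com>
Reply-To: CEO@famcoorp.com
To: controller@famcorp.com
Subject: Need all 2016 W-2s

Please send the W-2s as a PDF today.
"""

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain, trusted=TRUSTED_DOMAIN, max_distance=2):
    """Return 'trusted', 'lookalike' or 'external' for a sender domain."""
    domain = domain.lower().rstrip(".")
    if domain == trusted or domain.endswith("." + trusted):
        return "trusted"
    name, _, tld = domain.rpartition(".")
    t_name, _, t_tld = trusted.rpartition(".")
    if name == t_name and tld != t_tld:
        return "lookalike"  # same name under a different top-level domain
    if edit_distance(domain, trusted) <= max_distance:
        return "lookalike"  # one or two characters added, dropped or swapped
    return "external"

def review_message(raw):
    """List (header, address, verdict) for each sender header that is not trusted."""
    msg = message_from_string(raw)
    findings = []
    for header in ("From", "Reply-To"):
        _, addr = parseaddr(msg.get(header, ""))
        if "@" in addr:
            verdict = classify_domain(addr.rsplit("@", 1)[1])
            if verdict != "trusted":
                findings.append((header, addr, verdict))
    return findings
```

A “lookalike” verdict on Reply-To is the case in the story: the message appears to come from the CEO, but the response would leave the company.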

Although Famco is a fictitious name here, these incidents are as real as real can be. The time to “respond” to an incident is before the incident by putting the company’s response outline in place in advance of a breach. Only the scammer knows when that will happen. Experienced cybersecurity attorneys can assist in developing such policies and even more importantly can help create an Incident Response Plan or Cyber Incident Management Plan. If disaster strikes your company, whether or not you had adequate plans in place, make sure you have the right legal resources to help assist in getting through these problems efficiently, effectively and economically.

Craig Marvinney can be reached at 216-928-2889 or cmarvinney@walterhav.com.

By Mark S. Fusco and Sara Ravas Cooper

Effective October 16, 2013, two key provisions of the Federal Communications Commission’s (“FCC”) Telephone Consumer Protection Act (“TCPA”) are set to take effect.

First, one prior exception from liability under the TCPA for phone calls or text messages using an automatic telephone dialing system (“robocalls”) or a prerecorded message was for those calls or messages that were made with the recipient’s “prior express consent.” Under the new interpretation from the FCC of the prior consent exception, with limited exceptions, a business can invoke the prior express consent exception for autodialed or prerecorded calls to a cell phone or for prerecorded telemarketing calls to a residential line only if the called party has physically or electronically signed an agreement that clearly authorizes calls or texts to be made to their phone number by that particular sender. The burden is placed on the business to retain these consent records for at least four years.

Second, the other significant change to the TCPA rules is the elimination of the “established business relationship” (“EBR”) exception for prerecorded telemarketing calls to residences. Previously, businesses may have been able to avoid TCPA liability for prerecorded telemarketing calls that otherwise were prohibited by claiming that they had an EBR with the consumer by virtue of a previous purchase or other business interactions. The new regulations eliminate the EBR exception. Consequently, businesses are now required to obtain prior written consent for all prerecorded telemarketing to residential phone numbers – even those that are for previous customers. These consent records must also be kept for at least four years.

Notably, these changes are in addition to the modifications to the rule that went into effect on January 14, 2013. Since that time the rule has required that prerecorded telemarketing messages that could be answered by a live person must include an automated opt-out mechanism. This opt-out option must be announced at the outset of the call, made available throughout the duration of the call, automatically add the called party’s number to the caller’s do-not-call list and must immediately disconnect the call. For prerecorded telemarketing calls that are answered by an answering machine or voicemail, businesses must now ensure that the message contains a toll-free number that the consumer can call to be connected to an automated opt-out system.

In sum, the new changes in effect on October 16, 2013, will:

  • Require prior express written consent for telemarketing calls made to cell phones using an automatic telephone dialing system or a prerecorded message, but maintain the prior express consent requirement for non-telemarketing calls to cell phones;
  • Require prior express written consent for telemarketing calls made to residential landlines using a prerecorded message; and
  • Eliminate the EBR exception to the obligation to obtain consent for telemarketing calls made to residential landlines using a prerecorded message.

What Constitutes “Express Consent”?

The TCPA defines “prior express written consent” as a signed written agreement that contains a “clear and conspicuous” disclosure to the consumer that by signing the agreement, he or she authorizes the seller to call or text a designated phone number for telemarketing purposes using an automatic telephone dialing system or an artificial or prerecorded voice. The agreement must also include a notice that the person signing is not required to sign the agreement “as a condition of purchasing any property, goods, or services.”

The required signature from a consumer may be obtained electronically by email, website form, text message, telephone keypress, or voice recording.

What Should Your Business Do?

The FCC, state Attorneys General, and private plaintiffs have the right to enforce consent requirements. Thus, compliance with these rules is very important. Prior to October 16, 2013, businesses should assess their calling and text messaging practices to first determine if they engage in telemarketing calls. The term “telemarketing” is defined as “the initiation of a telephone call or message for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services, which is transmitted to any person.” Then, the business should determine the source of the numbers it calls and whether prior written consent exists for each number. Based on this assessment, businesses should adjust accordingly in order to comply with the impending change to the FCC’s rules as well as in an attempt to avoid potential liability to the extent possible.

In a Crain’s “Legal Guest Blog,” published on April 18, 2013 and titled, “If arbitration is the answer, you may have asked the wrong question”, Mark Fusco provides business owners and corporate decision makers items to be aware of when considering arbitration.

In a Crain’s “Legal Guest Blog,” published on February 28, 2013 and titled, “Help avoid a lawsuit with a pre-emptive strike”, Mark Fusco comments on how to gain the upper hand when confronting a lawsuit from out of state.

Jamie Price, an attorney who focuses her practice on civil, commercial and probate litigation, recently joined the Cleveland Bridge Builders class of 2019. The Mobile, Alabama native applied for the competitive 10-month program, which teaches participants how to create meaningful change around a civic issue impacting Northeast Ohio.

“I sought out Bridge Builders to gain a deeper understanding of the civic community in Cleveland and find a hands-on way to give back,” said Price, who is an avid runner. “I’m proud to be a part of such a fantastic program.”

Bridge Builders includes 60 local participants in its latest class, all of whom were chosen because they demonstrated a commitment to the community, strong leadership and problem-solving skills.

Price has been highly involved in the Anti-Defamation League (ADL) for the past decade. She serves on its regional board and is a part of the ADL’s national civil rights committee. The Shaker Heights resident is also a new member of the National Council of Jewish Women and serves on the Ethics and Professionalism committee of the Cleveland Metropolitan Bar Association.

As part of the program, participants apply their skills to assist a local community organization in boosting its strategic efforts and overall effectiveness.

“I’m eager to find my place within the civic realm of Cleveland and pinpoint an organization in which I can become involved,” added Price, who was selected to the Ohio Super Lawyers 2018 Rising Stars list for business litigation. “And throughout the Bridge Builders program, I look forward to learning more about myself and others. That process will help me become a more effective leader and communicator to ultimately assist others in need.”